Is Nuclei any good for API hacking?

If you have spent any time hacking, you will have encountered vulnerability scanner tools like Nuclei.

Nuclei is a cutting-edge, template-based vulnerability scanner designed to simplify finding vulnerabilities on a target. This formidable tool employs a host of customizable templates that target various security checks, making it adept at identifying security weak spots in your apps and infrastructure.

The question is, is it any good to use for API hacking?

Let’s find out.

An Introduction to Nuclei

Nuclei is a popular tool for vulnerability scanning. In fact, there is a common argument that using Nuclei is a waste of time, as every new and inexperienced bug bounty hunter has already scanned every target they could in hopes of finding some low-hanging vulns.

They aren’t wrong.

Nuclei is definitely easy to use and something many people use as part of their initial recon. But the value of scanning with Nuclei is more nuanced than that.

When hacking an API, you will be looking deeper at a target. Sure, if you are working within the scope of a popular bug bounty program, the production instances have probably been scanned. But as you start looking for dev, test, and staging instances through VHOST discovery or deeper subdomain enumeration (maybe with the help of AI), there is a good chance those targets haven’t been scanned yet.

On top of that, Nuclei has more capabilities than simply looking for known vulns that are described in their CVE templates. Let’s explore some of the ways Nuclei can help you during your API security testing.

Detecting technology in use

I’m a big fan of determining what technology and programming language is in use on a target you are looking to attack. Nuclei has some great templates that can help with that. It can detect the web server delivering content, the language being used, and even the type of WAF that might be in play.

And that is just a few of the hundreds of checks it can do.

Getting Nuclei to do this detection is as simple as:

Finding secondary apps that might get you a foothold

Getting a foothold on a server hosting an API can be quite valuable to you. Gaining access to API artifacts helps with the ability to reverse engineer it and trace API exploitability through code review and taint analysis.

Nuclei can help here.

As part of its scanning, it looks for common login pages, admin panels, and portals. Using it is as simple as:

Advanced app detection

To be honest, I like to look for exposed secondary apps a bit differently than the norm.

Usually, I start by conducting an Nmap scan on the target, listing every port that responds. I then create a targets.txt file based on what is detected, since many secondary portals may be hosted on alternate ports.

Finally, I also use the -silent switch, so I only get the results I am after.

It ends up looking something like this:
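The Nmap-to-targets.txt step described above, as an added example that is not the author's own command: a shell function that turns Nmap grepable output (`-oG`) into a list of web URLs for Nuclei. The sample scan data, the function names and the choice to keep only HTTP-like services are assumptions of this example; `-l` is Nuclei's target-list flag.

```shell
#!/bin/sh
# Added example: build a targets.txt of web URLs from Nmap grepable output.
# Assumption: only open TCP ports whose service name contains "http" are kept.

# Constructed sample scan output (documentation addresses, not real hosts).
sample_scan() {
  printf 'Host: 192.0.2.10 (staging.example.test)\tStatus: Up\n'
  printf 'Host: 192.0.2.10 (staging.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8443/open/tcp//ssl|http//nginx/, 9000/closed/tcp//cslistener///\tIgnored State: filtered (996)\n'
  printf 'Host: 192.0.2.11 ()\tPorts: 8080/open/tcp//http-proxy///, 5432/open/tcp//postgresql///\n'
}

# Reads grepable output on stdin, prints one scheme://host:port per line.
nmap_to_targets() {
  awk -F'\t' '
    /^Host: / && /Ports: / {
      split($1, h, " ")               # "Host:", IP, "(name Nmap reports)"
      host = h[2]
      name = h[3]; gsub(/[()]/, "", name)
      # The name can come from DNS that the scanned party controls, so
      # accept only plain hostname characters and fall back to the IP.
      if (name ~ /^[A-Za-z0-9.-]+$/) host = name
      for (f = 2; f <= NF; f++) {
        if ($f !~ /^Ports: /) continue
        ports = $f; sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (i = 1; i <= n; i++) {
          # Entry layout: port/state/protocol/owner/service/rpc/version/
          split(entry[i], p, "/")
          if (p[2] != "open" || p[3] != "tcp") continue
          if (p[5] !~ /http/) continue
          scheme = (p[5] ~ /ssl|https/) ? "https" : "http"
          print scheme "://" host ":" p[1]
        }
      }
    }
  ' | LC_ALL=C sort -u
}

# Against a real scan: nmap_to_targets < scan.gnmap > targets.txt
# then:                nuclei -l targets.txt -silent
sample_scan | nmap_to_targets
```

Closed ports and non-HTTP services such as SSH or PostgreSQL are dropped, so the list holds only endpoints that the login-page and admin-panel checks can actually reach.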

Testing leaked API tokens

During your recon, you might come across potentially leaked API keys that seem to be lying around, especially while working through your reverse engineering methodology.

They may be hardcoded into the source code of the API itself, or pulled from environment variables or other configuration data. Wherever they come from, once you have identified these keys, the next question you will want to answer is: what service does this key belong to, and is it valid?

Nuclei has you covered there too, with a set of self-contained templates called token-spray.

The Token-Spray templates include hundreds of checks against common services that rely on API tokens. Nuclei takes the token you pass in and sprays it against all the different services mapped in the templates to see if it works. If it does, it tells you that the token is valid and where.

So the next time you stumble upon a potentially leaked token, test it with Nuclei:

Burp integration with Nuclei

If you are hacking APIs with Burp Suite you can integrate Nuclei into that, too.

Let me show you how.

Step 1: Install the Nuclei extension

There is a free community-built Nuclei Burp Suite extension that can be installed directly from the BApp store.

Go to Extensions > BApp Store and simply search for “nuclei”.

Click “Nuclei Burp Integration” and hit “Install”.

Now time to configure it.

Step 2: Configure Burp to use Nuclei

After installation, you should now see a new Nuclei tab. It will prompt you to configure where the Nuclei binary is located and where the templates reside.

To determine where the nuclei binary is installed on your host, you can simply run `which nuclei` from your command shell.

There is also an option to set custom nuclei arguments. This is a great place to tell Nuclei to route all requests through Burp Suite’s attack proxy.

Step 3: Call Nuclei from within Burp

Now it’s time to see what Nuclei can do in Burp.

Locate an interesting URL in your Burp Proxy History that you want to run Nuclei against. Right-click on that request and select Extensions > Nuclei Burp Integration > Send URL to Nuclei Scanner.

Now head back to the Nuclei tab. Notice how the URL is now populated in the “Target” field. Hit the “Run Scanning” button, and watch Nuclei spring into action.

You should see a new subtab showing content from Nuclei.

You will also start to see items populating directly into the Burp Issues panel. This may include some false positives, as crafted payloads from Nuclei trigger Burp’s own web vulnerability scanner.

That’s OK. It’s better to get the cross-referenced results anyway.


As you can see, Nuclei can indeed help you during your API hacking.

It can help detect the technology and programming language(s) in use. Find secondary apps hosted on the same infrastructure that might help you get a foothold. And even test potentially leaked API tokens through token spraying.

And that is just a few things it can do.

On top of that, you also get all the benefits from all the other community-driven templates that might help you detect known vulnerabilities that others may have missed.

So give it a try for yourself. You might be surprised how Nuclei can help.

The post Is Nuclei any good for API hacking? appeared first on Dana Epp’s Blog.

*** This is a Security Bloggers Network syndicated blog from Dana Epp's Blog authored by Dana Epp. Read the original post at:

