Nuclei-Lite Scanner
Template-based passive web reconnaissance, inspired by ProjectDiscovery's Nuclei. 30+ curated checks across API docs, dev dashboards, observability stacks, debug endpoints, and cloud infrastructure — with zero payloads.
Runs 30+ passive templates against well-known URLs: Swagger, Actuator, Grafana, Jenkins, Elasticsearch, pprof, Rails debug, and more. No payloads, no brute force.
How to Use the Nuclei-Lite Scanner
- Paste the URL you want to assess (e.g., https://example.com).
- Click "Run Templates". The engine first sends a random path to detect custom 404 pages (reduces false positives), then fires all 30+ templates in parallel with a hard 8s budget.
- Findings appear grouped by category: API Documentation, Observability, Dev Dashboards, Debug Endpoints, Logs, Cloud/Containers, Defaults, Login Panels.
- Each finding includes the template ID (matching Nuclei's naming where possible), severity, full explanation of WHY the finding matters, and remediation guidance.
- Click the path in any finding card to verify the hit manually in a new tab.
What Nuclei-Lite Covers
ProjectDiscovery's Nuclei is the industry-standard template-based scanner, with over 8 000 community-maintained YAML templates. That's too many to run from a browser against a single target in 10 seconds. Nuclei-Lite distills the most-triggered, highest-signal subset into a curated set of 30+ probes that matter for 95% of real-world recon. The scanner covers eight categories:
- **API Documentation** — Swagger UI / swagger.json / v2/api-docs / openapi.json / GraphQL endpoints with introspection enabled. A leaked API spec is a full attack-surface map.
- **Observability** — Spring Boot Actuator (/actuator, /actuator/env which often leaks secrets, /actuator/heapdump which lets attackers extract JVM memory), Prometheus /metrics, Grafana login pages.
- **Dev Dashboards** — Jenkins (with optional RCE via the /script console), Kibana, phpMyAdmin, Adminer, Tomcat Manager, Elasticsearch, mongo-express, CouchDB Fauxton. Each of these, when exposed, is a known path to full compromise.
- **Debug Endpoints** — Go's /debug/pprof/* (leaks memory and goroutine profiles), Rails /rails/info/routes (full route map), Django DEBUG=True traceback page (leaks SECRET_KEY and source), Nginx status, Traefik API.
- **Cloud / Containers** — unauthenticated Kubernetes API, Docker Registry catalogs.
- **Logs** — direct /error.log, /access.log, /laravel.log downloads. Application logs routinely leak JWTs, session IDs, and PII.
- **Default Pages** — Apache/nginx/IIS default welcome pages, indicating either unconfigured hosts or virtual-host misconfiguration.
- **Login Panels** — Spring Security's default /login, WordPress wp-login (our WP Scanner has deeper coverage), generic admin paths.
Every template is passive: one HTTP GET per path, no payloads, no auth attempts, no fuzzing. The scanner is as safe to run against a third-party target as opening the same URL in your browser — but systematic across every well-known path at once.
Frequently Asked Questions
The full Nuclei has 8 000+ templates, including active exploits (SQL injection probes, RCE attempts, auth bypasses). It's a security professional's tool that needs explicit consent to run. Nuclei-Lite is the read-only subset: templates that only do a single GET and match on the response. No active exploitation, ever. Think of it as 'which of my doors are unlocked?', not 'which of my doors can I kick in?'.
Nuclei-Lite only probes PUBLIC paths from the internet. If your admin panel is behind a VPN, IP allowlist, or auth wall, it's invisible to this scanner (which is the correct behaviour). For authenticated scanning, install the SecLens browser extension — it runs in the same browser session where you're logged in.
It depends on what's exposed. By default since Spring Boot 2.0, only /health and /info are public. If /env is in the findings, it's CRITICAL: that endpoint dumps your entire Spring environment, including DB credentials. If only /health shows up, it's informational. Read the finding text carefully; we call out the specific variant detected.
Two layers. (1) Before running templates, we send a randomly named path (/pd-nuclei-probe-XXX.bogus). If that returns 200 with HTML, we know the site serves a catch-all page instead of a real 404. (2) During template matching, any response whose body matches that catch-all signature is discarded. This is the same false-positive-prevention approach our exposures scanner uses, adapted for Nuclei-style body markers.
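The two-layer check described above, written out as an added Python example that is not the scanner's own code. Template IDs, marker strings, the fingerprinting rule (hash the body with the requested path stripped, since catch-all pages often echo it) and the offline stand-in site are all constructed for illustration:

```python
import hashlib
import secrets
from collections import namedtuple
Response = namedtuple("Response", "status body")

# Hypothetical templates in the page's categories; IDs and markers are constructed.
TEMPLATES = [
    {"id": "springboot-actuator-env", "path": "/actuator/env", "severity": "critical",
     "markers": ['"propertySources"']},
    {"id": "swagger-ui", "path": "/swagger-ui.html", "severity": "medium",
     "markers": ["swagger-ui"]},
]

def fingerprint(body, path):
    """Hash the body with the requested path removed: catch-all pages often echo the path."""
    return hashlib.sha256(body.replace(path, "").encode()).hexdigest()

def detect_catch_all(fetch):
    """Layer 1: GET a random path; a 200 with HTML means the site serves a catch-all page."""
    probe = f"/pd-nuclei-probe-{secrets.token_hex(4)}.bogus"
    resp = fetch(probe)
    if resp.status == 200 and "<html" in resp.body.lower():
        return fingerprint(resp.body, probe)
    return None

def run_templates(fetch, templates=TEMPLATES):
    """Layer 2: one GET per template; drop any 200 whose body is the catch-all page."""
    catch_all = detect_catch_all(fetch)
    findings = []
    for tpl in templates:
        resp = fetch(tpl["path"])
        if resp.status != 200:
            continue
        if catch_all is not None and fingerprint(resp.body, tpl["path"]) == catch_all:
            continue  # same page the random probe received, so not a real hit
        if all(m in resp.body for m in tpl["markers"]):
            findings.append((tpl["id"], tpl["severity"], tpl["path"]))
    return findings

# Constructed stand-in for a site: a SPA whose index page (which happens to link to
# "swagger-ui") is returned with HTTP 200 for every unknown path.
SPA_INDEX = '<html><body>Not found: {path} <a href="/docs">swagger-ui</a></body></html>'
SPA_PAGES = {"/actuator/env": Response(200, '{"propertySources":[{"name":"systemEnvironment"}]}')}

def fake_fetch(path):
    return SPA_PAGES.get(path, Response(200, SPA_INDEX.format(path=path)))

def naive_findings(fetch=fake_fetch, templates=TEMPLATES):
    """Marker matching with no baseline: reports the SPA's index page as a Swagger hit."""
    return [t["id"] for t in templates if all(m in fetch(t["path"]).body for m in t["markers"])]
```

Against the constructed SPA, `naive_findings()` flags both templates while `run_templates(fake_fetch)` keeps only the real /actuator/env hit.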