Feature Request: Direct API fuzzing from OpenAPI/Swagger endpoints

[reewardius]

Description:
Currently, when using Nuclei for API fuzzing, the workflow requires fetching the OpenAPI/Swagger definition locally, saving it to a .json file, and then providing it to Nuclei, for example:

nuclei -l swagger.json -im swagger -t nuclei-fuzzing-templates/

This process also requires handling missing host values manually or via scripting, which creates additional overhead.

Feature Request:
It would be very useful if Nuclei could directly accept OpenAPI endpoints (similar to how OWASP ZAP does it) and automatically handle missing host values. Example:

nuclei -u https://target.com/swagger.json -im swagger -t nuclei-fuzzing-templates/

This way, users could fuzz APIs directly from their OpenAPI documentation without needing to:

• Download the definition manually
• Adjust headers

Reference Implementation (ZAP):
OWASP ZAP already provides a similar implementation for Swagger, GraphQL, and SOAP:

docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable \
  zap-api-scan.py -t https://target.com/swagger.json -f openapi -r report.html

Thanks in advance

[ehsandeep]

@reewardius great suggestion!

It would be very useful if Nuclei could directly accept OpenAPI endpoints (similar to how OWASP ZAP does it) and automatically handle missing host values…

Just to clarify, when you mention “handling missing host values,” Do you mean that based on the OpenAPI URL host, the API host could be auto-inferred, rather than having to manually strip out multiple server entries from the swagger/openapi file?

[reewardius]

Yes @ehsandeep, when a swagger.json or openapi.json file does not contain an explicit host/servers block, Nuclei could automatically infer the host (e.g., https://target.com/swagger.json -> host=target.com).