Description
Discussed in https://github.com/orgs/projectdiscovery/discussions/6442
Currently, when using Nuclei for API fuzzing, the workflow requires fetching the OpenAPI/Swagger definition locally, saving it to a .json file, and then providing it to Nuclei, for example:
nuclei -l swagger.json -im swagger -t nuclei-fuzzing-templates/
This process also requires handling missing host values manually or via scripting, which creates additional overhead.
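The manual preprocessing step described above (fetch the definition, fill in the host information it lacks, save it for `-l ... -im swagger`) as an added example script; this is not Nuclei code and not part of the issue. It uses only the standard top-level fields of the two formats (`host`, `schemes`, `basePath` for Swagger 2.0 and `servers` for OpenAPI 3.x); the sample definitions and the `api.example.test` URLs are constructed for illustration.

```python
"""Prepare a remote OpenAPI/Swagger definition for offline use with Nuclei.

Added example, not part of Nuclei: fetches the definition from its URL and
populates the host information it may be missing, which is the manual step
the feature request asks Nuclei to absorb. The origin of the URL the
definition was fetched from is used as the default host, which is the
sensible default when the document itself is silent.
"""
import json
import sys
from urllib.parse import urlsplit
from urllib.request import urlopen


def fill_missing_host(spec: dict, spec_url: str) -> dict:
    """Return a copy of `spec` whose host/server fields are populated.

    Swagger 2.0 uses top-level `host`, `schemes` and `basePath`;
    OpenAPI 3.x uses a `servers` list whose entries may be relative.
    Absolute values already present in the document are left untouched.
    """
    parts = urlsplit(spec_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    out = json.loads(json.dumps(spec))  # deep copy; never mutate the caller's dict

    if "swagger" in out:  # Swagger 2.0 document
        out.setdefault("host", parts.netloc)
        out.setdefault("schemes", [parts.scheme])
        out.setdefault("basePath", "/")
        return out

    # OpenAPI 3.x document: a missing `servers` list means "/" per the spec
    servers = out.get("servers") or [{"url": "/"}]
    for server in servers:
        url = server.get("url", "/")
        if url.startswith("//"):            # protocol-relative server URL
            server["url"] = f"{parts.scheme}:{url}"
        elif url.startswith("/"):           # path-only server URL
            server["url"] = origin + url.rstrip("/")
    out["servers"] = servers
    return out


def fetch_spec(spec_url: str) -> dict:
    """Download and parse a JSON OpenAPI/Swagger definition."""
    with urlopen(spec_url, timeout=30) as resp:  # hypothetical live fetch
        return json.load(resp)


def prepare(spec_url: str, out_path: str) -> dict:
    """Fetch, patch and write the definition; returns the patched document."""
    patched = fill_missing_host(fetch_spec(spec_url), spec_url)
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(patched, fh, indent=2)
    return patched


# Constructed sample definitions (no host information in either).
SWAGGER2_SAMPLE = {
    "swagger": "2.0",
    "info": {"title": "sample", "version": "1"},
    "paths": {"/users": {"get": {"responses": {"200": {"description": "ok"}}}}},
}
OPENAPI3_SAMPLE = {
    "openapi": "3.0.0",
    "info": {"title": "sample", "version": "1"},
    "servers": [{"url": "/api/v1"}],  # relative: must be resolved against the fetch URL
    "paths": {"/users": {"get": {"responses": {"200": {"description": "ok"}}}}},
}


if __name__ == "__main__":
    # Usage: python prepare_spec.py https://api.example.test/swagger.json swagger.json
    # then: nuclei -l swagger.json -im swagger -t nuclei-fuzzing-templates/
    if len(sys.argv) == 3:
        prepare(sys.argv[1], sys.argv[2])
    else:
        # Offline demonstration on the constructed samples
        url = "https://api.example.test/docs/openapi.json"
        print(json.dumps(fill_missing_host(SWAGGER2_SAMPLE, url), indent=2))
        print(json.dumps(fill_missing_host(OPENAPI3_SAMPLE, url), indent=2))
```

Run with a URL and an output path to produce the local file Nuclei currently needs; run with no arguments to see the patched forms of the two embedded samples.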
Feature Request:
It would be very useful if Nuclei could directly accept OpenAPI endpoints (similar to how OWASP ZAP does it) and automatically handle missing host values. Example:
nuclei -u https://target.com/swagger.json -im swagger -t nuclei-fuzzing-templates/
This way, users could fuzz APIs directly from their OpenAPI documentation without needing to:
- Download the definition manually
- Adjust headers
Reference Implementation (ZAP):
OWASP ZAP already provides a similar implementation for Swagger, GraphQL, and SOAP:
docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable \
zap-api-scan.py -t https://target.com/swagger.json -f openapi -r report.html
Thanks in advance
More context:
https://github.com/orgs/projectdiscovery/discussions/6442#discussioncomment-14258213