skills/pentest-api-deep/SKILL.md
Deep OWASP API Security Top 10 testing for REST, GraphQL, gRPC, and WebSocket APIs — BFLA, mass assignment, rate limiting, and unsafe consumption.
npx skillsauth add jd-opensource/joysafeter pentest-api-deep

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status.
Perform dedicated API-specific vulnerability testing beyond basic BOLA/GraphQL coverage. Addresses Broken Function Level Authorization (BFLA), mass assignment, rate limiting, excessive data exposure, and unsafe consumption per OWASP API Security Top 10 (2023).
| Category | Test Focus | Status |
|----------|-----------|--------|
| API1 Broken Object Level Authorization | IDOR via API params | ✅ |
| API2 Broken Authentication | Token/key weaknesses | ✅ |
| API3 Broken Object Property Level Authorization | Mass assignment, excessive data | ✅ |
| API4 Unrestricted Resource Consumption | Rate limits, complexity | ✅ |
| API5 Broken Function Level Authorization | BFLA, method switching | ✅ |
| API6 Unrestricted Access to Sensitive Business Flows | Automation abuse | ✅ |
| API7 Server Side Request Forgery | API-triggered SSRF | ✅ |
| API8 Security Misconfiguration | CORS, headers, versioning | ✅ |
| API9 Improper Inventory Management | Shadow APIs, deprecated versions | ✅ |
| API10 Unsafe Consumption of Third-Party APIs | Upstream injection | ✅ |
| Category | Tools | Purpose |
|----------|-------|---------|
| API Discovery | Kiterunner, Swagger UI, GraphQL Voyager | Endpoint enumeration |
| Parameter Discovery | Arjun, x8, ParamSpider | Hidden parameter detection |
| Fuzzing | ffuf, Burp Intruder, custom scripts | Mass assignment, BFLA |
| GraphQL | graphql-cop, InQL, BatchQL | GraphQL-specific attacks |
| gRPC | grpcurl, grpc-tools | gRPC reflection and testing |
| Rate Testing | custom aiohttp scripts, Turbo Intruder | Rate limit verification |
references/tools.md - Tool function signatures and parameters
references/workflows.md - Attack pattern definitions and test vectors
development
Comprehensive spreadsheet creation, editing, and analysis with support for formulas, formatting, data analysis, and visualization. When Claude needs to work with spreadsheets (.xlsx, .xlsm, .csv, .tsv, etc.) for: (1) creating new spreadsheets with formulas and formatting, (2) reading or analyzing data, (3) modifying existing spreadsheets while preserving formulas, (4) data analysis and visualization in spreadsheets, or (5) recalculating formulas.
development
Use when you have a spec or requirements for a multi-step task, before touching code
testing
OpenClaw Skills comprehensive security audit tool: detects supply-chain poisoning, prompt injection, malicious code patterns, permission overreach, and dependency risks.
tools
Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends an agent's capabilities with specialized knowledge, workflows, or tool integrations.