santosomar/pt-fuzzing-web-api
skills/pt-fuzzing-web-api/SKILL.md
Performs authorized fuzzing of web applications and APIs to discover input validation failures, parser bugs, and stability issues. Use when testing HTTP endpoints, request parameters, payload handling, and error behavior under malformed or unexpected inputs.
$ install --global
skillsauthnpx skillsauth add santosomar/ethical-hacking-agent-skills pt-fuzzing-web-apiInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 6:18 PM12.5s1 file scanned
SKILL.md
- name:
- pt-fuzzing-web-api
- description:
- Performs authorized fuzzing of web applications and APIs to discover input validation failures, parser bugs, and stability issues. Use when testing HTTP endpoints, request parameters, payload handling, and error behavior under malformed or unexpected inputs.
Web and API Fuzzing
Authorized Use Only
Run fuzzing only against explicitly approved targets and test environments. Respect rate limits, test windows, and service stability constraints. Pause immediately if production impact risk increases.
Objectives
- Find input-handling vulnerabilities and crash conditions.
- Identify unexpected responses, parser failures, and auth boundary issues.
- Produce reproducible cases and actionable remediation guidance.
Workflow
- Define scope and safety guardrails:
- In-scope endpoints, methods, and auth contexts
- Allowed request volume, concurrency, and timeout ceilings
- Stop conditions for instability or data risk
- Build fuzzing plan:
- Parameter inventory (query, path, headers, body, file uploads)
- Baseline valid requests for each endpoint
- Mutation strategy (length, encoding, type confusion, schema violations)
- Execute controlled fuzzing:
- Start low-and-slow, then increase breadth
- Track status code anomalies, latency spikes, crashes, and WAF behavior
- Preserve minimal failing payloads and request metadata
- Validate and triage:
- Reproduce findings with reduced payloads
- Separate true defects from expected validation failures
- Recommend fixes:
- Input/schema validation hardening
- Parser/library updates and safer defaults
- Regression tests for discovered cases
Output Template
# Web/API Fuzzing Output
## Scope and Configuration
- Targets:
- Auth context:
- Rate/concurrency limits:
- Stop conditions:
## Findings
- Finding:
- Endpoint:
- Trigger input:
- Observed behavior:
- Repro steps:
- Security/availability impact:
- Recommended fix:
## Stability and Detection Notes
- Availability effects:
- Alerting/monitoring observations:
## Regression Test Cases
- Case:
- Expected safe behavior:
Quality Checks
- Findings are reproducible with minimized payloads.
- Evidence includes exact request/response context.
- Recommendations include prevention and regression coverage.
Related Skills
santosomar/pt-web-application-assessment
development
VerifiedTrustedCommunity
Performs authorized web application and API penetration testing with focus on OWASP-style risks and business logic flaws. Use when assessing websites, web APIs, authentication flows, session handling, and input validation.
12SKILL.mdUpdated Apr 25, 2026
santosomar/pt-scanning
testing
VerifiedTrustedCommunity
Performs authorized security scanning using static, dynamic, and vulnerability-focused methods. Use when mapping exposed services, profiling application behavior, and identifying known weaknesses for validation.
12SKILL.mdUpdated Apr 25, 2026
santosomar/pt-report-creation
testing
VerifiedTrustedCommunity
Creates penetration test deliverables for executive and technical audiences, including prioritized findings and remediation plans. Use when drafting, structuring, or finalizing pen test reports from collected evidence.
12SKILL.mdUpdated Apr 25, 2026
santosomar/pt-post-exploitation
testing
VerifiedTrustedCommunity
Performs authorized post-exploitation activities to assess impact, lateral movement paths, credential exposure, and detection gaps after initial compromise. Use when a foothold has been validated and the test requires controlled impact expansion analysis.
12SKILL.mdUpdated Apr 25, 2026