API Fuzzing for Bug Bounty
Purpose
Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
Inputs/Prerequisites
- Burp Suite or similar proxy tool
- API wordlists (SecLists, api_wordlist)
- Understanding of REST/GraphQL/SOAP protocols
- Python for scripting
- Target API endpoints and documentation (if available)
Outputs/Deliverables
- Identified API vulnerabilities
- IDOR exploitation proofs
- Authentication bypass techniques
- SQL injection points
- Unauthorized data access documentation
API Types Overview
| Type | Protocol | Data Format | Structure |
|---|---|---|---|
| SOAP | HTTP | XML | Header + Body |
| REST | HTTP | JSON/XML/URL | Defined endpoints |
| GraphQL | HTTP | Custom Query | Single endpoint |
Core Workflow
🧠 Knowledge Modules (Fractal Skills)
1. Step 1: API Reconnaissance
2. Step 2: Authentication Testing
3. Step 3: IDOR Testing
4. Step 4: Injection Testing
5. Step 5: Method Testing
6. Introspection Query
7. GraphQL IDOR
8. GraphQL SQL/NoSQL Injection
9. Rate Limit Bypass (Batching)
10. GraphQL DoS (Nested Queries)
11. GraphQL XSS
12. GraphQL Tools
13. PDF Export Attacks
14. DoS via Limits
15. Example 1: IDOR Exploitation
16. Example 2: GraphQL Introspection