API Fuzzing for Bug Bounty
SKILL.md
Purpose
Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
Inputs/Prerequisites
- Burp Suite or similar proxy tool
- API wordlists (SecLists, api_wordlist)
- Understanding of REST/GraphQL/SOAP protocols
- Python for scripting
- Target API endpoints and documentation (if available)
Outputs/Deliverables
- Identified API vulnerabilities
- IDOR exploitation proofs
- Authentication bypass techniques
- SQL injection points
- Unauthorized data access documentation
API Types Overview
| Type | Protocol | Data Format | Structure |
|---|---|---|---|
| SOAP | HTTP | XML | Header + Body |
| REST | HTTP | JSON/XML/URL | Defined endpoints |
| GraphQL | HTTP | Custom Query | Single endpoint |
Core Workflow
🧠 Knowledge Modules (Fractal Skills)
1. Step 1: API Reconnaissance
2. Step 2: Authentication Testing
3. Step 3: IDOR Testing
4. Step 4: Injection Testing
5. Step 5: Method Testing
6. Introspection Query
7. GraphQL IDOR
8. GraphQL SQL/NoSQL Injection
9. Rate Limit Bypass (Batching)
10. GraphQL DoS (Nested Queries)
11. GraphQL XSS
12. GraphQL Tools
13. PDF Export Attacks
14. DoS via Limits
15. Example 1: IDOR Exploitation
16. Example 2: GraphQL Introspection
Repository
dokhacgiakhoa/a…vity-ide
GitHub Stars
383
First Seen
Jan 1, 1970