Skills
skills/thinkfleetai/thinkfleet-engine/api-security

api-security

SKILL.md

API Security

Test and audit API endpoints for common security vulnerabilities.

Authentication Testing

Test for broken authentication

# Test endpoint without auth (should return 401)
curl -s -o /dev/null -w "%{http_code}" https://api.example.com/protected

# Test with expired token
curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer expired.token.here" https://api.example.com/protected

# Test with empty auth header
curl -s -o /dev/null -w "%{http_code}" -H "Authorization: " https://api.example.com/protected

# Test JWT without signature verification (alg:none attack)
# Header: {"alg":"none","typ":"JWT"} Base64: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0
curl -s -H "Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxIn0." https://api.example.com/protected

Authorization Testing (IDOR)

# Test accessing another user's resource (replace IDs)
curl -s -H "Authorization: Bearer $USER_A_TOKEN" https://api.example.com/users/USER_B_ID | jq .

# Test sequential ID enumeration
for id in $(seq 1 10); do
  echo "ID $id: $(curl -s -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $TOKEN" https://api.example.com/resources/$id)"
done

Input Validation

SQL injection probes

# Test string parameter
curl -s "https://api.example.com/search?q=test'%20OR%201=1--" | jq .

# Test numeric parameter
curl -s "https://api.example.com/items/1%20OR%201=1" | jq .

XSS via API

# Test reflected input in response
curl -s -X POST https://api.example.com/comments \
  -H "Content-Type: application/json" \
  -d '{"text":"<script>alert(1)</script>"}' | jq .

Command injection

# Test parameter injection
curl -s "https://api.example.com/ping?host=localhost;whoami" | jq .

Rate Limiting Check

# Send rapid requests and check for 429
for i in $(seq 1 50); do
  code=$(curl -s -o /dev/null -w "%{http_code}" https://api.example.com/endpoint)
  echo "Request $i: $code"
  [ "$code" = "429" ] && echo "Rate limited at request $i" && break
done

Security Headers Check

# Check response headers
curl -s -I https://api.example.com/ | grep -iE "^(strict-transport|content-security|x-frame|x-content-type|x-xss|referrer-policy|permissions-policy)"

Expected secure headers:

  • Strict-Transport-Security (HSTS)
  • Content-Security-Policy
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy

CORS Misconfiguration

# Test with arbitrary origin
curl -s -I -H "Origin: https://evil.com" https://api.example.com/ | grep -i "access-control"

# Check if credentials are allowed with wildcard
curl -s -I -H "Origin: https://evil.com" https://api.example.com/ | grep -iE "(access-control-allow-origin|access-control-allow-credentials)"

SSL/TLS Check

# Check certificate and protocol
curl -vI https://api.example.com 2>&1 | grep -E "(SSL|TLS|subject|expire|issuer)"

# Test for weak protocols (should fail)
curl -v --tlsv1.0 --tls-max 1.0 https://api.example.com 2>&1 | tail -5

Notes

  • Only test APIs you own or have explicit authorization to test.
  • Start with non-destructive tests (GET requests, header checks) before injection tests.
  • Document all findings with request/response pairs.
  • False positives are common — verify each finding manually.
  • Check API documentation for intended security model before testing.
Weekly Installs
2
Repository
thinkfleetai/th…t-engine
First Seen
13 days ago
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
opencode2
gemini-cli2
claude-code2
github-copilot2
codex2
kimi-cli2