api-security-testing

API security testing principles. OWASP API Top 10, authentication, authorization testing.

$ Install

git clone https://github.com/xenitV1/claude-code-maestro /tmp/claude-code-maestro && cp -r /tmp/claude-code-maestro/skills/api-security-testing ~/.claude/skills/claude-code-maestro

// tip: Run this command in your terminal to install the skill


name: api-security-testing
description: API security testing principles. OWASP API Top 10, authentication, authorization testing.

API Security Testing

Principles for testing API security.


1. OWASP API Security Top 10

Testing Focus by Category

| Vulnerability | Test Focus |
| --- | --- |
| API1: BOLA | Access other users' resources |
| API2: Broken Auth | JWT, session, credentials |
| API3: Property Auth | Mass assignment, data exposure |
| API4: Resource Consumption | Rate limiting, DoS |
| API5: Function Auth | Admin endpoints, role bypass |
| API6: Business Flow | Logic abuse, automation |
| API7: SSRF | Internal network access |
| API8: Misconfiguration | Debug endpoints, CORS |
| API9: Inventory | Shadow APIs, old versions |
| API10: Unsafe Consumption | Third-party API trust |

2. Authentication Testing

JWT Testing Principles

| Check | What to Test |
| --- | --- |
| Algorithm | None, algorithm confusion |
| Secret | Weak secrets, brute force |
| Claims | Expiration, issuer, audience |
| Signature | Manipulation, key injection |
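The verifier side of those four checks, as an added example that is not part of the original skill: a minimal HS256 JWT verifier that pins the algorithm server-side (so a token declaring `alg: none` or any other algorithm is rejected), compares the signature in constant time, and enforces `exp`, `iss` and `aud`. The secret, issuer and audience values are constructed for the example; `sign_hs256` exists only to build test inputs.

```python
"""Added example (not from the original skill): a minimal HS256 JWT verifier
covering the checks in the table above: algorithm pinning, signature
verification, and exp/iss/aud claim validation."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-only-secret-change-me"   # constructed for the example
EXPECTED_ISS = "https://auth.example"       # constructed issuer
EXPECTED_AUD = "orders-api"                 # constructed audience


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Issue a token; used here only to construct test inputs."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify(token: str, key: bytes, now=None) -> dict:
    """Return the payload if every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except Exception as e:
        raise ValueError(f"malformed token: {e}") from None
    # Pin the algorithm server-side: the token never gets to choose it, which
    # closes both "alg: none" and HS256/RS256 confusion.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    # Claim checks: exp must be present and in the future; iss/aud must match.
    if "exp" not in payload or now >= float(payload["exp"]):
        raise ValueError("expired or missing exp")
    if payload.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in aud_list:
        raise ValueError("wrong audience")
    return payload


def check(token: str, key: bytes = SECRET, now=None) -> str:
    """Human-readable verdict for a token, handy when running test cases."""
    try:
        verify(token, key, now)
        return "accepted"
    except ValueError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"sub": "u1", "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": now + 600}
    good = sign_hs256({"alg": "HS256", "typ": "JWT"}, claims, SECRET)
    print("valid token:", check(good, now=now))
    print("alg none:   ", check(sign_hs256({"alg": "none"}, claims, SECRET), now=now))
    print("wrong key:  ", check(good, key=b"other", now=now))
    print("expired:    ", check(good, now=now + 601))
```

Each rejection path maps to one row of the table: the `alg` pin covers the Algorithm row, the HMAC compare covers Signature, and the `exp`/`iss`/`aud` checks cover Claims; a weak `SECRET` (the Secret row) is not something the verifier can detect, which is why it is tested separately.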

Session Testing

| Check | What to Test |
| --- | --- |
| Generation | Predictability |
| Storage | Client-side security |
| Expiration | Timeout enforcement |
| Invalidation | Logout effectiveness |

3. Authorization Testing

Testing Patterns

| Test Type | Approach |
| --- | --- |
| Horizontal | Access peer users' data |
| Vertical | Access higher privilege functions |
| Context | Access outside allowed scope |

BOLA/IDOR Testing

  1. Identify resource IDs in requests
  2. Capture request with user A's session
  3. Replay with user B's session
  4. Check for unauthorized access
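The four steps above as an executable check, added here as an example and not part of the original skill: a tiny in-memory orders API with a BOLA-vulnerable handler next to a hardened one, and a `bola_check` that captures the owner's request (user A), replays it under user B's session, and compares the two responses. Users, sessions and orders are constructed sample data.

```python
"""Added example (not from the original skill): BOLA/IDOR replay check against
a vulnerable and a hardened handler for GET /orders/{id}."""

# Constructed sample data: session token -> user, order id -> owner and body.
SESSIONS = {"sess-A": "alice", "sess-B": "bob"}
ORDERS = {
    101: {"owner": "alice", "item": "keyboard"},
    202: {"owner": "bob", "item": "monitor"},
}


def _authenticate(headers):
    """Map a bearer token to a user, or None if the session is unknown."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def get_order_vulnerable(order_id, headers):
    """Authenticates the caller but never checks ownership: classic BOLA."""
    if _authenticate(headers) is None:
        return 401, None
    order = ORDERS.get(order_id)
    return (404, None) if order is None else (200, order)


def get_order_hardened(order_id, headers):
    """Looks the order up scoped to the caller. Anything the caller does not
    own is a 404, so the existence of other users' IDs is not confirmed."""
    user = _authenticate(headers)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


def bola_check(handler, order_id, owner_session, other_session):
    """Steps 2-4: capture with the owner's session, replay with another
    user's session, and flag a finding when the second call gets the same object."""
    status_a, body_a = handler(order_id, {"Authorization": f"Bearer {owner_session}"})
    status_b, body_b = handler(order_id, {"Authorization": f"Bearer {other_session}"})
    assert status_a == 200, "baseline request by the owner should succeed"
    return {"status_b": status_b, "vulnerable": status_b == 200 and body_b == body_a}


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable), ("hardened", get_order_hardened)):
        print(name, bola_check(handler, 101, "sess-A", "sess-B"))
```

Step 1 (finding the resource IDs) is done by reading the captured traffic; the harness takes the ID as an argument. Returning 404 rather than 403 in the hardened handler is a deliberate choice so that a replay cannot be used to enumerate which IDs exist.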

4. Input Validation Testing

Injection Types

| Type | Test Focus |
| --- | --- |
| SQL | Query manipulation |
| NoSQL | Document queries |
| Command | System commands |
| LDAP | Directory queries |

Testing Approach

  • Test all input parameters
  • Try type coercion
  • Test boundary values
  • Check error messages

5. Rate Limiting Testing

What to Test

| Aspect | Check |
| --- | --- |
| Existence | Is there any limit? |
| Bypass | Headers, IP rotation |
| Scope | Per-user, per-IP, global |
| Response | Clear indication |

Bypass Techniques to Test

  • X-Forwarded-For header
  • Different HTTP methods
  • Case variations in endpoints
  • API versioning differences
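Why each of those four variations works, and what closes them, as an added example that is not part of the original skill: a fixed-window rate limiter with two key derivations. The weak one keys on whatever `X-Forwarded-For` the client sends plus the raw method and path, so a spoofed header, a different HTTP method, a case change or a different `/vN` prefix each gets a fresh bucket. The hardened one honours `X-Forwarded-For` only when the connection comes from the known proxy (and then takes the address the proxy appended), keys on the authenticated user when there is one, and normalises the route. The proxy address, limits, sample requests and the `/vN` routing convention are assumptions of the example.

```python
"""Added example (not from the original skill): rate-limit keying that is, and
is not, resistant to the bypass variations listed above."""
import re
from collections import defaultdict

TRUSTED_PROXIES = {"10.0.0.1"}   # constructed: the reverse proxy in front of the API


class FixedWindowLimiter:
    """Counts hits per (key, window) and allows at most `limit` per window."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.counts = defaultdict(int)

    def allow(self, key, now):
        bucket = (key, int(now // self.window))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


def weak_key(req):
    """Keys on the client-supplied header and the raw method + path, so every
    variation listed above lands in its own bucket."""
    ip = req["headers"].get("X-Forwarded-For", req["remote_addr"])
    return f"{ip}:{req['method']}:{req['path']}"


def client_ip(req):
    """Honour X-Forwarded-For only when the peer is our own proxy, and then use
    the right-most address (the one the proxy appended), never the left-most
    value, which the client controls."""
    xff = req["headers"].get("X-Forwarded-For")
    if xff and req["remote_addr"] in TRUSTED_PROXIES:
        return xff.split(",")[-1].strip()
    return req["remote_addr"]


def hardened_key(req):
    """Subject is the authenticated user if present, else the real client IP.
    The route is normalised the way the router sees it: lowercase, no trailing
    slash, and without the /vN prefix so all API versions share one bucket
    (assumed routing convention for this example). The method is ignored."""
    path = req["path"].lower().rstrip("/") or "/"
    path = re.sub(r"^/v\d+(?=/)", "", path)
    subject = req.get("user") or client_ip(req)
    return f"{subject}:{path}"


def simulate(key_fn, requests, limit=3, window=60):
    """Push the requests through a fresh limiter inside one window; return how many pass."""
    limiter = FixedWindowLimiter(limit, window)
    return sum(limiter.allow(key_fn(r), now=100.0) for r in requests)


def bypass_attempts():
    """Constructed: 12 login attempts by one client (203.0.113.5) behind the
    trusted proxy, each varying the spoofed XFF prefix, HTTP method or path."""
    reqs = []
    for spoof in ("1.1.1.1", "2.2.2.2", "3.3.3.3"):
        for method in ("POST", "PUT"):
            for path in ("/v1/login", "/V1/Login/"):
                reqs.append({
                    "remote_addr": "10.0.0.1",   # the proxy is what connects to us
                    "method": method,
                    "path": path,
                    # the proxy appends the real client after whatever was sent
                    "headers": {"X-Forwarded-For": f"{spoof}, 203.0.113.5"},
                    "user": None,
                })
    return reqs


if __name__ == "__main__":
    attempts = bypass_attempts()
    print("weak key allows    ", simulate(weak_key, attempts), "of", len(attempts))
    print("hardened key allows", simulate(hardened_key, attempts), "of", len(attempts))
```

When testing the Scope row of the table, the same harness answers "per-user or per-IP?": with `user` set, `hardened_key` buckets by user regardless of address, which is what an authenticated endpoint should do.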

6. GraphQL Security

Specific Tests

| Test | Focus |
| --- | --- |
| Introspection | Schema disclosure |
| Batching | Query DoS |
| Nesting | Depth-based DoS |
| Authorization | Field-level access |
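The server-side control behind the Batching and Nesting rows, as an added example that is not part of the original skill: a request gate that rejects batched bodies above a size limit and queries whose selection sets nest deeper than a limit. Depth is measured by scanning braces while skipping string literals and comments, so no GraphQL parser is needed; the limits and sample queries are constructed for the example.

```python
"""Added example (not from the original skill): depth and batch-size limits
applied to a GraphQL HTTP body before execution."""
import json

MAX_DEPTH = 5    # constructed limit on selection-set nesting
MAX_BATCH = 10   # constructed limit on operations per batched request


def selection_depth(query):
    """Maximum nesting of selection sets in a query document."""
    depth = best = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':
            # Skip string literals so braces inside arguments are not counted.
            if query.startswith('"""', i):
                end = query.find('"""', i + 3)
                i = n if end < 0 else end + 3
                continue
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1   # skip escaped characters
            i += 1
            continue
        if c == "#":
            # Comments run to end of line.
            while i < n and query[i] != "\n":
                i += 1
            continue
        if c == "{":
            depth += 1
            best = max(best, depth)
        elif c == "}":
            depth -= 1
        i += 1
    return best


def check_request(body):
    """Return (ok, reason) for a GraphQL HTTP body given as JSON text or as
    the already-parsed object; a JSON array is treated as a batch."""
    if isinstance(body, str):
        body = json.loads(body)
    ops = body if isinstance(body, list) else [body]
    if len(ops) > MAX_BATCH:
        return False, f"batch of {len(ops)} exceeds {MAX_BATCH}"
    for op in ops:
        d = selection_depth(op.get("query", ""))
        if d > MAX_DEPTH:
            return False, f"depth {d} exceeds {MAX_DEPTH}"
    return True, "ok"


if __name__ == "__main__":
    deep = "{ a { b { c { d { e { f } } } } } }"
    print(check_request({"query": "{ me { id } }"}))
    print(check_request({"query": deep}))
    print(check_request([{"query": "{ me { id } }"}] * 11))
```

Brace counting is deliberately conservative: fragments and aliases are still bounded by it, and a real server would apply the same limit after parsing, where field-level authorization (the last row of the table) is also enforced.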

7. API Discovery

Finding Undocumented APIs

| Source | What to Check |
| --- | --- |
| Documentation | Swagger, OpenAPI |
| JavaScript | Embedded endpoints |
| Mobile apps | Decompiled code |
| Fuzzing | Common patterns |

8. Testing Checklist

Authentication

  • Test for bypass
  • Check credential strength
  • Verify token security
  • Test logout

Authorization

  • Test BOLA/IDOR
  • Check privilege escalation
  • Verify function access

Input

  • Test all parameters
  • Check for injection
  • Verify validation

Security Config

  • Check CORS
  • Verify headers
  • Test error handling

9. Anti-Patterns

| ❌ Don't | ✅ Do |
| --- | --- |
| Test only documented APIs | Discover hidden endpoints |
| Skip authentication testing | Test all auth mechanisms |
| Ignore rate limiting | Test for abuse potential |
| Trust error messages | Verify actual behavior |

Remember: APIs are the backbone of modern apps. Test them like attackers will.