API Fuzzing for Bug Bounty
Purpose
Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
Inputs/Prerequisites
- Burp Suite or similar proxy tool
- API wordlists (SecLists, api_wordlist)
- Understanding of REST/GraphQL/SOAP protocols
- Python for scripting
- Target API endpoints and documentation (if available)
Outputs/Deliverables
- Identified API vulnerabilities
- IDOR exploitation proofs
- Authentication bypass techniques
- SQL injection points
- Unauthorized data access documentation
API Types Overview
| Type | Protocol | Data Format | Structure |
|---|---|---|---|
| SOAP | HTTP | XML | Header + Body |
| REST | HTTP | JSON/XML/URL | Defined endpoints |
| GraphQL | HTTP | Custom Query | Single endpoint |