AgentSkillsCN

API Fuzzing for Bug Bounty

Use this skill when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.

SKILL.md
--- frontmatter
name: API Fuzzing for Bug Bounty
description: This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.
metadata:
  author: zebbern
  version: 4.1.0-fractal

API Fuzzing for Bug Bounty

Purpose

Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers endpoint discovery, authentication bypass, IDOR (broken object-level authorization) exploitation, injection, and API-specific attack vectors such as GraphQL introspection, query batching and nested-query DoS.

Inputs/Prerequisites

  • Burp Suite or similar proxy tool
  • API wordlists (SecLists, api_wordlist)
  • Understanding of REST/GraphQL/SOAP protocols
  • Python for scripting
  • Target API endpoints and documentation (if available)

Outputs/Deliverables

  • Identified API vulnerabilities
  • IDOR exploitation proofs
  • Authentication bypass techniques
  • SQL injection points
  • Unauthorized data access documentation

API Types Overview

Type      Protocol   Data Format             Structure
SOAP      HTTP       XML                     Envelope with Header + Body
REST      HTTP       JSON / XML / URL-encoded  Defined endpoints (one per resource)
GraphQL   HTTP       Custom query language   Single endpoint for all operations

Core Workflow

🧠 Knowledge Modules (Fractal Skills)

  1. Step 1: API Reconnaissance
  2. Step 2: Authentication Testing
  3. Step 3: IDOR Testing
  4. Step 4: Injection Testing
  5. Step 5: Method Testing
  6. Introspection Query
  7. GraphQL IDOR
  8. GraphQL SQL/NoSQL Injection
  9. Rate Limit Bypass (Batching)
  10. GraphQL DoS (Nested Queries)
  11. GraphQL XSS
  12. GraphQL Tools
  13. PDF Export Attacks
  14. DoS via Limits
  15. Example 1: IDOR Exploitation
  16. Example 2: GraphQL Introspection
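The IDOR step (module 3 and Example 1 above) is best run as a differential check rather than a single request: fetch the same object as its owner, as a second authenticated user, and anonymously, then compare the bodies. The Python below is an added example written for this page, not code from the zebbern skill or its author. The target is a constructed in-process stand-in (`fake_api`, with hypothetical tokens `tok-alice` / `tok-bob` and two routes, one deliberately missing an ownership check) so the script runs offline; against a real API you would replace `fake_api` with a function that performs the HTTP request with the given session token and returns status and body.

```python
"""Differential IDOR check (added example): request the same object as its
owner, as a second authenticated user and anonymously, then compare."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed in-process stand-in for a target API; no network is used.
# Hypothetical tokens and records, chosen so that one route is vulnerable.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {101: {"owner": "alice", "total": 42.0}, 102: {"owner": "bob", "total": 9.5}}
INVOICES = {7: {"owner": "alice", "amount": 120.0}, 8: {"owner": "bob", "amount": 30.0}}


@dataclass
class Response:
    status: int
    body: str


def fake_api(path: str, token: Optional[str]) -> Response:
    """Simulated target. /api/orders/<id> never checks ownership (the IDOR);
    /api/invoices/<id> enforces it (the fixed behaviour)."""
    user = SESSIONS.get(token) if token else None
    if user is None:
        return Response(401, json.dumps({"error": "unauthenticated"}))
    collection, _, rid = path.rpartition("/")
    if not rid.isdigit():
        return Response(404, json.dumps({"error": "not found"}))
    table = {"/api/orders": ORDERS, "/api/invoices": INVOICES}.get(collection)
    rec = table.get(int(rid)) if table is not None else None
    if rec is None:
        return Response(404, json.dumps({"error": "not found"}))
    if collection == "/api/invoices" and rec["owner"] != user:
        return Response(403, json.dumps({"error": "forbidden"}))
    return Response(200, json.dumps(rec, sort_keys=True))


Fetch = Callable[[str, Optional[str]], Response]


def check_idor(fetch: Fetch, path: str, owner_token: str, other_token: str) -> Dict[str, str]:
    """Classify one object URL.
    idor      : the other user receives the owner's exact 200 body
    public    : anonymous already gets it (not an access-control bug)
    review    : other user gets 200 but a different body (partial leak?)
    protected : other user is denied
    skip      : owner cannot read it, so there is no baseline to compare"""
    owner = fetch(path, owner_token)
    if owner.status != 200:
        return {"path": path, "verdict": "skip", "detail": f"owner got {owner.status}"}
    anon = fetch(path, None)
    if anon.status == 200 and anon.body == owner.body:
        return {"path": path, "verdict": "public"}
    other = fetch(path, other_token)
    if other.status == 200 and other.body == owner.body:
        return {"path": path, "verdict": "idor"}
    if other.status == 200:
        return {"path": path, "verdict": "review", "detail": "200 with different body"}
    return {"path": path, "verdict": "protected", "detail": f"other got {other.status}"}


def sweep(fetch: Fetch, template: str, ids: Iterable[int],
          owner_token: str, other_token: str) -> List[Dict[str, str]]:
    """Run the check across a range of sequential IDs (the usual IDOR enumeration)."""
    return [check_idor(fetch, template.format(id=i), owner_token, other_token) for i in ids]


if __name__ == "__main__":
    results = sweep(fake_api, "/api/orders/{id}", range(100, 104), "tok-alice", "tok-bob")
    results += sweep(fake_api, "/api/invoices/{id}", range(6, 10), "tok-alice", "tok-bob")
    for r in results:
        print(r["verdict"].ljust(10), r["path"], r.get("detail", ""))
```

Comparing the other user's body against the owner's body (not just checking for a 200) is what separates a real IDOR from a resource that is public anyway or from an endpoint that returns a generic 200 error page; the `review` verdict catches responses that leak a subset of fields and need a manual look.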
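For the introspection module (module 6 and Example 2 above) the useful part is not sending the query but turning the schema that comes back into a target list. The Python below is an added example written for this page, not code from the zebbern skill: it carries the standard introspection query (trimmed to the fields the script consumes), parses a constructed server response shaped like a real one (the `Query`, `Mutation`, `User`, `Order` and `UserInput` types are hypothetical), renders each root field's signature in SDL notation, and lists the operations that take an `ID` argument as first-pass IDOR candidates.

```python
"""GraphQL introspection triage (added example): send the standard
introspection query, flatten the schema into root operations and
pick out the ones that accept an ID argument (IDOR candidates)."""
import json
from typing import Dict, List, Optional

# Standard introspection query, trimmed to what root_operations() reads.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      kind name
      fields(includeDeprecated: true) {
        name
        args { name type { ...TypeRef } }
        type { ...TypeRef }
      }
    }
  }
}
fragment TypeRef on __Type {
  kind name ofType { kind name ofType { kind name ofType { kind name } } }
}
"""

# Constructed response with hypothetical types, shaped like a real server's
# answer to the query above (only the keys the script uses are present).
ID_NN = {"kind": "NON_NULL", "name": None,
         "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}
USER = {"kind": "OBJECT", "name": "User", "ofType": None}
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "me", "args": [], "type": USER},
            {"name": "user", "args": [{"name": "id", "type": ID_NN}], "type": USER},
            {"name": "orders",
             "args": [{"name": "userIds", "type": {"kind": "LIST", "name": None, "ofType": ID_NN}}],
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "Order", "ofType": None}}},
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "updateUser", "type": USER, "args": [
                {"name": "id", "type": ID_NN},
                {"name": "input", "type": {"kind": "NON_NULL", "name": None,
                 "ofType": {"kind": "INPUT_OBJECT", "name": "UserInput", "ofType": None}}}]},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": []},
        {"kind": "SCALAR", "name": "ID", "fields": None},
    ]}}})


def type_ref(t: Optional[dict]) -> str:
    """Render a nested __Type reference in SDL notation, e.g. [ID!]!"""
    if t is None:
        return "?"
    if t["kind"] == "NON_NULL":
        return type_ref(t.get("ofType")) + "!"
    if t["kind"] == "LIST":
        return "[" + type_ref(t.get("ofType")) + "]"
    return t.get("name") or "?"


def root_operations(response_json: str) -> Dict[str, dict]:
    """Map 'query.user' -> {'args': {'id': 'ID!'}, 'returns': 'User'} for every root field.
    Raises if introspection is disabled (no data.__schema, typically an 'errors' array)."""
    data = json.loads(response_json).get("data") or {}
    if "__schema" not in data:
        raise ValueError("no __schema in response: introspection disabled or query rejected")
    schema = data["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    ops: Dict[str, dict] = {}
    for key, prefix in (("queryType", "query"), ("mutationType", "mutation")):
        root = schema.get(key)
        if not root:
            continue
        for f in types[root["name"]].get("fields") or []:
            ops[f"{prefix}.{f['name']}"] = {
                "args": {a["name"]: type_ref(a["type"]) for a in f["args"]},
                "returns": type_ref(f["type"]),
            }
    return ops


def id_taking_operations(ops: Dict[str, dict]) -> List[str]:
    """Root fields with at least one ID-typed argument (also inside lists): IDOR targets."""
    return sorted(name for name, sig in ops.items()
                  if any(t.strip("[]!") == "ID" for t in sig["args"].values()))


if __name__ == "__main__":
    ops = root_operations(SAMPLE_RESPONSE)
    for name, sig in ops.items():
        args = ", ".join(f"{k}: {v}" for k, v in sig["args"].items())
        print(f"{name}({args}) -> {sig['returns']}")
    print("ID-taking operations:", id_taking_operations(ops))
```

On a live target, POST `{"query": INTROSPECTION_QUERY}` to the single GraphQL endpoint and feed the response text to `root_operations`; a response with an `errors` array and no `data.__schema` means introspection is disabled, and the function raises instead of returning an empty map so that case is not mistaken for "no operations".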