Stats
Actions
Tags
From cybersec-toolkit
Guides bug-bounty API testing for REST, GraphQL, gRPC, WebSocket. Covers OWASP API Top 10: BOLA, BFLA, mass assignment, rate limiting, JWT, GraphQL abuse.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersec-toolkit:bounty-apiThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
```bash
# Mobile app reverse → APK / IPA → look for endpoints
# JS bundle inspection
katana -u https://target.com -jc -silent | grep -E "/api/|/v1/|/graphql"
LinkFinder -i https://target.com/app.js -o cli
# Common paths
ffuf -w api-paths.txt -u https://target.com/FUZZ -mc 200,401,403
# /api, /api/v1, /v1, /graphql, /rest, /rpc, /swagger.json, /openapi.json,
# /api-docs, /redoc, /docs, /.well-known/
# Schema endpoints (huge if found)
curl https://target.com/swagger.json
curl https://target.com/openapi.json
curl -X POST https://target.com/graphql -d '{"query":"{__schema{types{name}}}"}'
If you find a swagger/openapi/graphql introspection — that IS the attack surface map. Use kiterunner to brute API routes if not.
For every endpoint with an ID:
# Login as user A. Get user B's resource.
curl -H "Authorization: Bearer $A_TOKEN" https://api/users/$B_ID
Try: numeric→numeric swap, UUID enumeration via Wayback/JS, encoded ID decoding.
Mass assignment:
# Sign-up sends: {"email": "...", "password": "..."}
# Try: {"email": "...", "password": "...", "is_admin": true, "role": "admin"}
Excessive exposure: GET /users/me returns entire user object including hashed password / secret_question_answer / internal_notes — report it.
Endpoints that allow ?limit=99999, deeply nested GraphQL queries, expensive operations without rate limit.
Admin endpoints (POST /admin/users, DELETE /admin/posts/N) accessed as regular user.
Anti-automation gaps: bulk-creating accounts, scraping product data, mass-redeeming gift cards.
Any endpoint that takes a URL parameter (avatar URL, webhook URL, OAuth callback, image proxy) → SSRF target. See bounty-web SSRF section.
Access-Control-Allow-Origin: * with Allow-Credentials: true is a vulnTRACE, OPTIONS revealing infoOld API versions with weaker auth (/api/v1/) alongside new (/api/v2/). Test the old version.
When the target API consumes a third-party API and trusts its response — SSRF chains, prototype pollution from upstream.
# Introspection (if not disabled)
graphql-cop -t https://target/graphql
graphw00f https://target/graphql
clairvoyance https://target/graphql -w wordlist.txt # if introspection is off
# Common issues
# 1. Introspection enabled in prod
# 2. No query depth limit → DoS
# 3. Batched queries bypassing rate limit
# 4. Fields exposed without auth
# 5. Mutations callable from queries (some impls)
# 6. Field-level authz missing — anonymous user fetches private fields
Useful tools: inql (Burp ext), gqlmap, BatchQL.
jwt_tool $TOKEN # decode + checks
jwt_tool $TOKEN -X a # alg=none
jwt_tool $TOKEN -X i # weak HMAC, brute
jwt_tool $TOKEN -X k -pk pubkey.pem # key confusion (RS256→HS256)
jwt_tool $TOKEN -X kid # kid injection
Also test: kid path traversal (kid: "../../../../dev/null" → empty key), JKU/X5U server-controlled injection.
X-Forwarded-For: 1.2.3.4, X-Real-IP, X-Originating-IP, X-Client-IP, X-Remote-IPUser-Agent (some rate limiters key on UA+IP)/login vs /login/)kiterunner, arjun, nuclei, mitmproxy, BurpSuite (commercial), inql, graphql-cop, clairvoyance, jwt_tool, Postman/Hoppscotch for repro.
Always include the exact request (method, path, headers, body). Mask tokens but show the structure. Demonstrate impact with two accounts (attacker + victim) where applicable.
npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkitAssesses REST, GraphQL, and gRPC API endpoints against OWASP API Security Top 10 risks using automated and manual testing techniques.
Assesses REST, GraphQL, and gRPC API endpoints against OWASP API Security Top 10 risks using automated and manual testing techniques.
Tests REST, SOAP, and GraphQL APIs for vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors during bug bounty and penetration testing.