API Fuzzing for Bug Bounty
This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.
Overall
score
18%
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skillValidation for skill structure
API Fuzzing for Bug Bounty
Purpose
Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
Inputs/Prerequisites
- Burp Suite or similar proxy tool
- API wordlists (SecLists, api_wordlist)
- Understanding of REST/GraphQL/SOAP protocols
- Python for scripting
- Target API endpoints and documentation (if available)
Outputs/Deliverables
- Identified API vulnerabilities
- IDOR exploitation proofs
- Authentication bypass techniques
- SQL injection points
- Unauthorized data access documentation
API Types Overview
| Type | Protocol | Data Format | Structure |
|---|---|---|---|
| SOAP | HTTP | XML | Header + Body |
| REST | HTTP | JSON/XML/URL | Defined endpoints |
| GraphQL | HTTP | Custom Query | Single endpoint |
Core Workflow
🧠 Knowledge Modules (Fractal Skills)
1. Step 1: API Reconnaissance
2. Step 2: Authentication Testing
3. Step 3: IDOR Testing
4. Step 4: Injection Testing
5. Step 5: Method Testing
6. Introspection Query
7. GraphQL IDOR
8. GraphQL SQL/NoSQL Injection
9. Rate Limit Bypass (Batching)
10. GraphQL DoS (Nested Queries)
11. GraphQL XSS
12. GraphQL Tools
13. PDF Export Attacks
14. DoS via Limits
15. Example 1: IDOR Exploitation
16. Example 2: GraphQL Introspection
- Repository
- github.com/Dokhacgiakhoa/antigravity-ide
- Last updated
- Created
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.