Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

$pwd:

pentest-api-deep

Name: Pentest Api Deep
Author: jd-opensource

// Deep OWASP API Security Top 10 testing for REST, GraphQL, gRPC, and WebSocket APIs — BFLA, mass assignment, rate limiting, and unsafe consumption.

Ejecutar en Manus

$ git log --oneline --stat

stars:276

forks:53

updated:11 de febrero de 2026, 09:17

Explorador de archivos

3 archivos

SKILL.md

readonly

name	pentest-api-deep
description	Deep OWASP API Security Top 10 testing for REST, GraphQL, gRPC, and WebSocket APIs — BFLA, mass assignment, rate limiting, and unsafe consumption.

Pentest API Deep

Purpose

Perform dedicated API-specific vulnerability testing beyond basic BOLA/GraphQL coverage. Addresses Broken Function Level Authorization (BFLA), mass assignment, rate limiting, excessive data exposure, and unsafe consumption per OWASP API Security Top 10 (2023).

Prerequisites

Authorization Requirements

Written authorization with API testing scope explicitly included
API documentation (OpenAPI/Swagger specs, GraphQL schema) if available
Test accounts at multiple privilege levels (user, admin, service account)
Rate limit awareness — confirm acceptable request volume with target owner

Environment Setup

Postman or Insomnia for manual API exploration
Burp Suite with API-specific extensions
GraphQL Voyager for schema visualization
grpcurl for gRPC service testing

Core Workflow

API Discovery: Enumerate endpoints via OpenAPI/Swagger specs, GraphQL introspection, gRPC reflection, traffic analysis. Discover undocumented endpoints with Kiterunner.
BFLA Testing: Access admin-only API functions as regular user. HTTP method switching (GET→DELETE). Test function-level authorization gaps distinct from object-level (BOLA).
Mass Assignment: Send extra fields in POST/PUT (role, isAdmin, balance). Check response objects for leaked internal fields (WSTG-INPV-20).
Rate Limiting & Resource: Test missing rate limits, GraphQL depth/complexity abuse, pagination abuse, regex DoS via API input.
Excessive Data Exposure: Compare API responses across privilege levels. Identify fields returned but not displayed in UI. Test verbose error responses.
Unsafe Consumption: SSRF through upstream API calls, injection through trusted-but-tainted API response data.
API Versioning: Old API versions with weaker controls, version header manipulation, deprecated endpoint access.

OWASP API Security Top 10 (2023) Coverage

Category	Test Focus	Status
API1 Broken Object Level Authorization	IDOR via API params	✅
API2 Broken Authentication	Token/key weaknesses	✅
API3 Broken Object Property Level Authorization	Mass assignment, excessive data	✅
API4 Unrestricted Resource Consumption	Rate limits, complexity	✅
API5 Broken Function Level Authorization	BFLA, method switching	✅
API6 Unrestricted Access to Sensitive Business Flows	Automation abuse	✅
API7 Server Side Request Forgery	API-triggered SSRF	✅
API8 Security Misconfiguration	CORS, headers, versioning	✅
API9 Improper Inventory Management	Shadow APIs, deprecated versions	✅
API10 Unsafe Consumption of Third-Party APIs	Upstream injection	✅

Tool Categories

Category	Tools	Purpose
API Discovery	Kiterunner, Swagger UI, GraphQL Voyager	Endpoint enumeration
Parameter Discovery	Arjun, x8, ParamSpider	Hidden parameter detection
Fuzzing	ffuf, Burp Intruder, custom scripts	Mass assignment, BFLA
GraphQL	graphql-cop, InQL, BatchQL	GraphQL-specific attacks
gRPC	grpcurl, grpc-tools	gRPC reflection and testing
Rate Testing	custom aiohttp scripts, Turbo Intruder	Rate limit verification

References

references/tools.md - Tool function signatures and parameters
references/workflows.md - Attack pattern definitions and test vectors

related-skills.json

mismo repositorio

skill-creator.md

from "jd-opensource/JoySafeter"

Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends an agent's capabilities with specialized knowledge, workflows, or tool integrations.

2026-03-26276

openclaw-security-checker.md

from "jd-opensource/JoySafeter"

OpenClaw 安全检测工具，基于安全实践指南验证配置安全、权限隔离、网络策略、日志审计和运行时完整性

2026-03-13276

openclaw-threat-detect.md

from "jd-opensource/JoySafeter"

OpenClaw 攻击模式检测工具，识别数据外传、反弹Shell、文件泄露、Prompt注入、供应链投毒等高危行为，支持 MITRE ATT&CK 映射

2026-03-13276

skill-security-auditor.md

from "jd-opensource/JoySafeter"

OpenClaw Skills 全方位安全审计工具，检测供应链投毒、Prompt注入、恶意代码模式、权限越权和依赖风险

2026-03-13276

planning-with-files.md

from "jd-opensource/JoySafeter"

Implements Manus-style file-based planning for complex tasks. Creates task_plan.md, findings.md, and progress.md. Use when starting complex multi-step tasks, research projects, or any task requiring >5 tool calls. Now with automatic session recovery after /clear.

2026-02-13276

pentest-ai-llm-security.md

from "jd-opensource/JoySafeter"

AI/LLM application security testing — prompt injection, jailbreaking, data exfiltration, and insecure output handling per OWASP LLM Top 10.

2026-02-11276

package.json

"author": "jd-opensource"

"repository": "jd-opensource/JoySafeter"

Abrir repositorio de GitHub Ver repositorios del creador

$ install --global

$ download --local

Ejecutar en Manus

$ useful --forSOC

Analistas de seguridad de la informaciónOcupaciones informáticas y matemáticas15-1212L4

Pentest API Deep

Purpose

Prerequisites

Authorization Requirements

Written authorization with API testing scope explicitly included

API documentation (OpenAPI/Swagger specs, GraphQL schema) if available

Test accounts at multiple privilege levels (user, admin, service account)

Rate limit awareness — confirm acceptable request volume with target owner

Environment Setup

Postman or Insomnia for manual API exploration

Burp Suite with API-specific extensions

GraphQL Voyager for schema visualization

grpcurl for gRPC service testing

Core Workflow

API Discovery: Enumerate endpoints via OpenAPI/Swagger specs, GraphQL introspection, gRPC reflection, traffic analysis. Discover undocumented endpoints with Kiterunner.

BFLA Testing: Access admin-only API functions as regular user. HTTP method switching (GET→DELETE). Test function-level authorization gaps distinct from object-level (BOLA).

Mass Assignment: Send extra fields in POST/PUT (role, isAdmin, balance). Check response objects for leaked internal fields (WSTG-INPV-20).

Rate Limiting & Resource: Test missing rate limits, GraphQL depth/complexity abuse, pagination abuse, regex DoS via API input.

Excessive Data Exposure: Compare API responses across privilege levels. Identify fields returned but not displayed in UI. Test verbose error responses.

Unsafe Consumption: SSRF through upstream API calls, injection through trusted-but-tainted API response data.

API Versioning: Old API versions with weaker controls, version header manipulation, deprecated endpoint access.

OWASP API Security Top 10 (2023) Coverage

pentest-api-deep

Pentest API Deep

Purpose

Prerequisites

Authorization Requirements

Environment Setup

Core Workflow

OWASP API Security Top 10 (2023) Coverage

Tool Categories

References

Más de este repositorio

Más de este repositorio

Pentest API Deep

Purpose

Prerequisites

Authorization Requirements

Environment Setup

Core Workflow

OWASP API Security Top 10 (2023) Coverage

Tool Categories

References