// API security testing - GraphQL, REST API, WebSocket, and Web-LLM attack techniques.
| name | api-security |
| description | API security testing - GraphQL, REST API, WebSocket, and Web-LLM attack techniques. |
Test API endpoints for security vulnerabilities across REST, GraphQL, WebSocket, and LLM-integrated APIs.
| Type | Key Vectors |
|---|---|
| GraphQL | Introspection, batching attacks, nested query DoS, field suggestion |
| REST API | BOLA/IDOR, mass assignment, rate limiting, auth bypass, versioning |
| WebSocket | Cross-site hijacking, message manipulation, auth flaws |
| Web-LLM | Prompt injection via API, excessive agency, data exfiltration |
reference/graphql*.md - GraphQL attack techniques and labsreference/scenarios/rest/*.md - REST API security testing (BOLA/BOPLA, mass assignment, SSPP, content-type confusion)reference/websockets*.md - WebSocket vulnerability testingreference/web-llm*.md - Web-LLM attack techniques and labsStitches confirmed single-asset findings into multi-hop attack paths across the organization. Builds a graph where nodes are assets and edges are confirmed exploit hops citing the findings that enable them.
Authentication security testing - auth bypass, JWT attacks, OAuth flaws, password attacks, 2FA bypass, CAPTCHA bypass, and bot detection evasion.
Cloud and container security testing - AWS, Azure, GCP, Docker, and Kubernetes misconfigurations and exploitation.
Pentest coordination — orchestrates executor and validator agents with context-controlled spawning. Entry point for all engagements.
Cryptanalysis techniques — lattice attacks, padding oracles, weak-RNG exploitation, signature forgery, secret-sharing recovery.
Retrieve CVE risk scores from NVD. Auto-invoked whenever a CVE ID is mentioned to display CVSS score, severity, CWE, and description.