菜单
API security testing and validation for REST/GraphQL/gRPC endpoints, contract testing, load testing, fuzzing, and Postman/Bruno/Hurl workflows
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | api-testing |
| description | API security testing and validation for REST/GraphQL/gRPC endpoints, contract testing, load testing, fuzzing, and Postman/Bruno/Hurl workflows |
| version | 1.0.0 |
| model | sonnet |
| invoked_by | both |
| user_invocable | true |
| tools | ["Read","Write","Bash","Glob","Grep"] |
| agents | ["developer","qa","security-architect"] |
| category | Validation & Quality |
| tags | ["api-testing","security","postman","contract-testing","load-testing","fuzzing","rest","graphql","grpc"] |
| best_practices | ["Test authentication and authorization on every endpoint","Use contract tests to catch breaking changes before deployment","Run load tests against staging, never production","Fuzz boundary conditions (empty strings, max integers, unicode)"] |
| error_handling | graceful |
| source | builtin |
| trust_score | 100 |
| provenance_sha | 65133b6e97f991e4 |
Comprehensive API testing and security validation skill covering REST, GraphQL, and gRPC endpoints. Provides structured workflows for functional testing, contract testing, load testing, fuzzing, and OWASP API Top 10 security checks using Bruno, Hurl, k6, Postman, and httpie.
Skill({ skill: 'api-testing' });
Invoke when:
| Tool | Purpose | Install |
|---|---|---|
| Bruno | Git-native API collection runner | npm i -g @usebruno/cli |
| Hurl | Plain-text HTTP test runner | cargo install hurl or pkg |
| k6 | JavaScript-based load testing | brew install k6 |
| httpie | Human-friendly curl replacement | pip install httpie |
| Zap | OWASP automated security scanner | Docker or standalone binary |
| Nuclei | Template-driven vuln scanner | go install nuclei |
Command:
# Try OpenAPI spec first
curl -s http://localhost:3000/openapi.json | jq '.info.title, .paths | keys'
# Or check for AsyncAPI / GraphQL introspection
curl -s -X POST http://localhost:4000/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{ __schema { types { name } } }"}' | jq '.data.__schema.types[].name'
Expected output: List of API paths or type names confirming the spec is reachable. Verify: Exit code 0, valid JSON returned.
Write a .hurl file per endpoint group. Each file tests success, error, and boundary cases.
Example — tests/api/users.hurl:
# Create user — success path
POST http://localhost:3000/api/users
Content-Type: application/json
{
"name": "Alice",
"email": "alice@example.com"
}
HTTP 201
[Asserts]
header "Content-Type" contains "application/json"
jsonpath "$.id" isInteger
jsonpath "$.email" == "alice@example.com"
# Missing required field — error path
POST http://localhost:3000/api/users
Content-Type: application/json
{}
HTTP 422
[Asserts]
jsonpath "$.errors[0].field" == "email"
# Boundary: extremely long name
POST http://localhost:3000/api/users
Content-Type: application/json
{
"name": "A",
"email": "b@c.io"
}
HTTP 422
Run:
hurl --test tests/api/users.hurl --variable base_url=http://localhost:3000
Expected output: users.hurl: Success (3 tests, 3 assertions)
Verify: Exit code 0, all assertions pass.
Define consumer-driven contracts to catch breaking changes.
Consumer test (Jest + Pact):
// tests/contract/user-api.consumer.test.js
const { Pact } = require('@pact-foundation/pact');
const { getUserById } = require('../../src/api/users');
const provider = new Pact({
consumer: 'frontend-app',
provider: 'user-api',
port: 4000,
});
describe('User API contract', () => {
beforeAll(() => provider.setup());
afterAll(() => provider.finalize());
it('returns a user by ID', async () => {
await provider.addInteraction({
state: 'user 42 exists',
uponReceiving: 'GET /users/42',
withRequest: { method: 'GET', path: '/users/42' },
willRespondWith: {
status: 200,
body: { id: 42, name: 'Alice', email: 'alice@example.com' },
},
});
const user = await getUserById(42);
expect(user.id).toBe(42);
await provider.verify();
});
});
Run:
npx jest tests/contract/ --forceExit
Expected output: All contract tests pass; pact file written to ./pacts/.
Run this checklist against every new API surface. Document PASS / FAIL for each item.
| # | Risk | Test Command |
|---|---|---|
| API1 | Broken Object Level Auth | hurl tests/security/bola.hurl — access resource with wrong user token |
| API2 | Broken Auth | hurl tests/security/auth.hurl — expired token, no token, invalid signature |
| API3 | Broken Object Property Auth | hurl tests/security/mass-assignment.hurl — send admin fields in POST body |
| API4 | Unrestricted Resource Consumption | k6 run tests/load/burst.js — spike to 1000 RPS and verify rate limiting returns 429 |
| API5 | Broken Function Level Auth | hurl tests/security/flauth.hurl — call admin endpoints as regular user |
| API6 | Unrestricted Access to Sensitive Business Flows | hurl tests/security/business-flow.hurl — replay/race critical operations |
| API7 | Server Side Request Forgery | hurl tests/security/ssrf.hurl — supply internal URLs as callback parameters |
| API8 | Security Misconfiguration | Check response headers: curl -I http://localhost:3000/api/health |
| API9 | Improper Inventory Management | Compare OpenAPI spec endpoints vs. live server: npx @stoplight/spectral lint openapi.json |
| API10 | Unsafe Consumption of APIs | Review all third-party API calls for input validation and response schema checks |
Verify API8 headers:
curl -sI http://localhost:3000/api/health | grep -E "X-Content-Type|X-Frame|Strict-Transport|Content-Security"
Expected: All four security headers present.
File — tests/load/baseline.js:
import http from 'k6/http';
import { check, sleep } from 'k6';
export const options = {
stages: [
{ duration: '30s', target: 50 }, // ramp up
{ duration: '1m', target: 50 }, // steady state
{ duration: '15s', target: 0 }, // ramp down
],
thresholds: {
http_req_duration: ['p(95)<500'], // 95th percentile < 500ms
http_req_failed: ['rate<0.01'], // error rate < 1%
},
};
export default function () {
const res = http.get('http://localhost:3000/api/users', {
headers: { Authorization: `Bearer ${__ENV.API_TOKEN}` },
});
check(res, {
'status 200': r => r.status === 200,
'response time OK': r => r.timings.duration < 500,
});
sleep(1);
}
Run:
API_TOKEN=test_token k6 run tests/load/baseline.js
Expected output: Summary table showing thresholds pass (green). Abort if thresholds fail (red).
# Introspection enabled? (should be disabled in production)
curl -s -X POST http://localhost:4000/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{ __schema { queryType { name } } }"}' | jq '.data'
# Depth-limit bypass (send deeply nested query)
hurl tests/security/graphql-depth.hurl
# Batching abuse
curl -s -X POST http://localhost:4000/graphql \
-H "Content-Type: application/json" \
-d '[{"query":"{ user(id:1) { name } }"},{"query":"{ user(id:2) { name } }"}]' | jq length
Expected: Introspection returns null or 403 in production. Batch query returns 400 if batching is disabled.
# Run OWASP API template pack
nuclei -u http://localhost:3000 \
-t nuclei-templates/http/vulnerabilities/ \
-t nuclei-templates/http/misconfiguration/ \
-severity medium,high,critical \
-o .claude/context/reports/backend/api-fuzz-$(date +%Y-%m-%d).md
Expected output: Report written; review all [medium]+ findings before marking complete.
--variable, __ENV, .env)# Use grpcurl for gRPC endpoint testing
grpcurl -plaintext localhost:50051 list # discover services
grpcurl -plaintext localhost:50051 describe mypackage.MyService # inspect service
grpcurl -d '{"name":"Alice"}' localhost:50051 mypackage.MyService/GetUser
# mTLS enforcement check — verify both-way cert validation
grpcurl -cert client.crt -key client.key -cacert ca.crt \
myservice.example.com:443 mypackage.MyService/GetUser
# Fuzz gRPC: send wrong field types, missing required fields
grpcurl -d '{"name": null}' localhost:50051 mypackage.MyService/GetUser
Expected: Server returns NOT_FOUND or INVALID_ARGUMENT, not INTERNAL. mTLS rejects requests without valid client cert.
security-architect — full STRIDE threat modeling and penetration test orchestrationtdd — write failing tests before implementing endpoint changesqa-workflow — systematic QA validation with fix loopsk8s-security-policies — network policy and pod security for API servicesInput validated against schemas/input.schema.json before execution (when run via script).
Output contract defined in schemas/output.schema.json.
Before starting any API testing task, search for existing test suites and known patterns:
pnpm search:code "hurl OR k6 OR nuclei OR pact"
pnpm search:code "api security test"
Use Skill({ skill: 'ripgrep' }) for fast pattern matching across test files. Use Skill({ skill: 'code-semantic-search' }) to find existing security test logic by intent.
Before starting any task, you must query semantic memory and read recent static memory:
node .claude/lib/memory/memory-search.cjs "api security testing endpoint validation"
Read .claude/context/memory/learnings.md
Read .claude/context/memory/decisions.md
Check for previously discovered API security issues, known endpoint patterns, and tool version gotchas.
After completing work, record findings:
.claude/context/memory/learnings.md.claude/context/memory/issues.md.claude/context/memory/decisions.mdDuring long tasks: Use .claude/context/memory/active_context.md as scratchpad.
ASSUME INTERRUPTION: Your context may reset. If it's not in memory, it didn't happen.
Creates structured plans from requirements. Generates comprehensive plans with steps, dependencies, risks, and success criteria. Coordinates with specialist agents for planning input and validates plan completeness. Uses template-renderer for formatted output.
Create, validate, and convert skills for the agent ecosystem. Enforces standardized structure for consistency. Enables self-evolution by creating new skills on demand, converting MCP servers and codebases to skills.
Research-backed skill refresh workflow for updating existing skills with TDD checkpoints, memory-aware integration, and EVOLVE/reflection trigger handling.
Ensure accessibility in UI components including semantic HTML, ARIA attributes, keyboard navigation, and WCAG 2.2 AA compliance.
Use when you want to improve response quality through meta-cognitive reasoning. Applies 15+ reasoning methods to reconsider and refine initial outputs.
N-round opposing-stance debates for trade-off analysis. Assigns pro/con roles to agents, runs structured debate rounds with quality scoring, and produces a moderator synthesis with confidence-rated recommendation. Generalizable to architecture, technology, security, and design decisions.