---
name: api-security-testing
description: "API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices."
category: granular-workflow-bundle
risk: safe
source: personal
date_added: "2026-02-27"
---

# API Security Testing Workflow

## Overview

Specialized workflow for testing the security of REST and GraphQL APIs: authentication, authorization, rate limiting, input validation, error handling, and API-specific weaknesses such as GraphQL introspection and query abuse.

## When to Use This Workflow

Use this workflow when:
- Testing REST API security
- Assessing GraphQL endpoints
- Validating API authentication
- Testing API rate limiting
- Bug bounty API testing

## Workflow Phases

### Phase 1: API Discovery

#### Skills to Invoke
- `api-fuzzing-bug-bounty` - API fuzzing
- `scanning-tools` - API scanning

#### Actions
1. Enumerate endpoints (published specs such as OpenAPI/Swagger, client-side JavaScript, older API versions still being served)
2. Document API methods (every HTTP verb each path accepts, not only the documented ones)
3. Identify parameters (path, query, header and body fields, and their expected types)
4. Map data flows (which identifiers reference which objects, and which endpoints accept them)
5. Review documentation and compare it with observed behaviour

#### Copy-Paste Prompts
```
Use @api-fuzzing-bug-bounty to discover API endpoints
```

### Phase 2: Authentication Testing

#### Skills to Invoke
- `broken-authentication` - Auth testing
- `api-security-best-practices` - API auth

#### Actions
1. Test API key validation (missing, malformed, revoked, and another client's key)
2. Test JWT handling (signature actually verified, `alg: none` rejected, algorithm pinned server-side, claims cannot be altered)
3. Test OAuth2 flows (redirect URI validation, `state`/PKCE enforcement, scope checks)
4. Test token expiration (`exp` enforced server-side; expired tokens rejected)
5. Test refresh tokens (rotation, reuse detection, revocation on logout)

#### Copy-Paste Prompts
```
Use @broken-authentication to test API authentication
```

### Phase 3: Authorization Testing

#### Skills to Invoke
- `idor-testing` - IDOR testing

#### Actions
1. Test object-level authorization (IDOR/BOLA: replay a request for another user's object while holding your own token)
2. Test function-level authorization (call administrative endpoints as a low-privilege user)
3. Test role-based access (each role against each endpoint and verb)
4. Test privilege escalation (mass assignment of role or admin fields, parameter tampering)
5. Test multi-tenant isolation (objects from one tenant reachable with a token from another)

#### Copy-Paste Prompts
```
Use @idor-testing to test API authorization
```

### Phase 4: Input Validation

#### Skills to Invoke
- `api-fuzzing-bug-bounty` - API fuzzing
- `sql-injection-testing` - Injection testing

#### Actions
1. Test parameter validation (type confusion, length limits, unexpected content types)
2. Test SQL injection
3. Test NoSQL injection (operator injection in JSON bodies)
4. Test command injection
5. Test XXE injection (XML bodies and file-upload parsers)

#### Copy-Paste Prompts
```
Use @api-fuzzing-bug-bounty to fuzz API parameters
```

### Phase 5: Rate Limiting

#### Skills to Invoke
- `api-security-best-practices` - Rate limiting

#### Actions
1. Test rate limit headers (limit/remaining/reset headers and 429 responses present and consistent)
2. Test brute force protection on login, OTP and password-reset endpoints
3. Test resource exhaustion (oversized page sizes, expensive filters, large payloads)
4. Test bypass techniques (spoofed client-IP headers, path or case variants, alternate hosts, batched requests)
5. Document the limits observed and which endpoints have none

#### Copy-Paste Prompts
```
Use @api-security-best-practices to test rate limiting
```

### Phase 6: GraphQL Testing

#### Skills to Invoke
- `api-fuzzing-bug-bounty` - GraphQL fuzzing

#### Actions
1. Test introspection (`__schema` queries answered in production)
2. Test query depth (deeply nested selections accepted without a limit)
3. Test query complexity (no cost limit on expensive resolvers)
4. Test batch queries (alias batching and array batching used to bypass per-request rate limits)
5. Test field suggestions ("Did you mean" error hints leaking field names when introspection is disabled)

#### Copy-Paste Prompts
```
Use @api-fuzzing-bug-bounty to test GraphQL security
```

### Phase 7: Error Handling

#### Skills to Invoke
- `api-security-best-practices` - Error handling

#### Actions
1. Test error messages (generic, consistent responses for invalid input and failed authentication)
2. Check information disclosure (stack traces, internal hostnames, database errors, framework versions)
3. Test stack traces (debug modes left enabled in production)
4. Verify logging (authentication failures and authorization denials recorded, without logging secrets)
5. Document findings

#### Copy-Paste Prompts
```
Use @api-security-best-practices to audit API error handling
```

## API Security Checklist

- [ ] Authentication enforced on every endpoint
- [ ] Authorization enforced at object and function level
- [ ] Input validated server-side
- [ ] Rate limiting active on sensitive endpoints
- [ ] Errors sanitized (no stack traces or internal details)
- [ ] Logging enabled for authentication and authorization events
- [ ] CORS configured with an explicit origin allowlist
- [ ] HTTPS enforced

## Quality Gates

- [ ] All endpoints tested
- [ ] Vulnerabilities documented
- [ ] Remediation provided
- [ ] Report generated

## Related Workflow Bundles

- `security-audit` - Security auditing
- `web-security-testing` - Web security
- `api-development` - API development

## Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.

## Listing Metadata

- Skill: `api-security-testing` (id `31530f91-a016-4a77-9ea4-74b785ed36c0`)
- Description: Security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
- Module: Programming & development (`coding`: code generation, debugging and review); category: Backend development (`backend`: APIs, databases, server-side architecture; 296 skills)
- Tags: sickn33, coding
- Source: imported from https://github.com/sickn33/antigravity-awesome-skills
- Author: SkillOPIC; public; 125 stars; 197 runs
- Created/updated: 2026-05-16 13:03:31
- Package: `api-security-testing.zip` v1.0.0, 1504 bytes, SHA-256 `658c0b7df4d3eb8785041fea0c5312d4bed123605fae6dd2b1f239b1842da979`; contains `SKILL.md` (3925 bytes)
- Ratings: none yet
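For Phase 2, steps 2 and 4 (JWT handling and token expiration), the following added example shows the token variants a tester submits and why a verifier that trusts the token's own `alg` header fails them. It is not code from the original skill or from the source repository; it uses only the Python standard library, the key, claims and timestamps are constructed for the demonstration, and `verify_trusting_header` and `verify_pinned` are hypothetical server-side verifiers written here to contrast the flawed and hardened behaviour.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def make_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact HS256 JWT. alg="none" yields an unsigned token with an
    empty signature segment, the shape an attacker submits to probe for
    alg:none acceptance."""
    signing_input = f"{_enc({'alg': alg, 'typ': 'JWT'})}.{_enc(claims)}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Flawed verifier (hypothetical): honours whatever alg the attacker-controlled
    header claims, so alg:none skips the signature check, and it never looks at exp."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") == "none":
        return json.loads(_b64url_decode(p))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def verify_pinned(token: str, key: bytes, now=None) -> dict:
    """Hardened verifier (hypothetical): the algorithm is pinned by the server,
    the HMAC is compared in constant time, and a missing or past exp is rejected."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired or no exp claim")
    return claims


def run_auth_checks(key: bytes, now: int) -> dict:
    """Probe both verifiers with the variants an API tester sends: the issued
    token, an alg:none forgery that escalates role, the original signature over
    a tampered payload, and an expired token. Returns, per verifier, which
    variants were accepted (True means accepted)."""
    good = {"sub": "alice", "role": "user", "exp": now + 600}        # constructed claims
    escalated = {"sub": "alice", "role": "admin", "exp": now + 600}
    issued = make_jwt(good, key)
    alg_none = make_jwt(escalated, key, alg="none")
    header, _, signature = issued.split(".")
    tampered = f"{header}.{_enc(escalated)}.{signature}"
    expired = make_jwt({**good, "exp": now - 1}, key)

    def accepted(verify, token):
        try:
            verify(token)
            return True
        except ValueError:
            return False

    verifiers = {
        "trusting_header": lambda t: verify_trusting_header(t, key),
        "pinned": lambda t: verify_pinned(t, key, now),
    }
    variants = {"issued": issued, "alg_none": alg_none, "tampered": tampered, "expired": expired}
    return {name: {v: accepted(fn, tok) for v, tok in variants.items()}
            for name, fn in verifiers.items()}


if __name__ == "__main__":
    print(json.dumps(run_auth_checks(b"constructed-demo-secret", int(time.time())), indent=2))
```

Against a live target the same four variants are sent as `Authorization: Bearer` values; a 200 on the `alg_none` or `expired` variant is the finding, and the `tampered` variant confirms that the signature is checked at all.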
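For Phase 3, steps 1 and 5 (object-level authorization and multi-tenant isolation), this added example implements the differential test the steps describe: establish that the owner can reach an object, then replay the identical request as every other identity and flag any non-owner success. It is not code from the original skill or the source repository. `fake_api`, its token and order tables, and the identities are a constructed in-process stand-in with a deliberate BOLA flaw on `GET`; in a real engagement `send` is an HTTP client and the resources are objects you own in each tenant.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    name: str
    tenant: str
    token: Optional[str]          # None models an unauthenticated caller


# Constructed fixture (hypothetical data): what a vulnerable API under test would do.
_TOKENS = {"tok-alice": ("alice", "acme"), "tok-bob": ("bob", "globex")}
_ORDERS = {1001: ("alice", "acme"), 1002: ("bob", "globex")}


def fake_api(caller: Identity, method: str, path: str) -> int:
    """Returns an HTTP status. Deliberate flaw: GET /api/orders/{id} checks that
    the caller is authenticated but never that the caller owns the order.
    DELETE does check ownership, so a correct harness must not flag it."""
    who = _TOKENS.get(caller.token) if caller.token else None
    if who is None:
        return 401
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[:2] != ["api", "orders"] or not parts[2].isdigit():
        return 404
    order = _ORDERS.get(int(parts[2]))
    if order is None:
        return 404
    if method == "GET":
        return 200                                   # BOLA: ownership never checked
    if method == "DELETE":
        return 204 if order == who else 403
    return 405


Sender = Callable[[Identity, str, str], int]


def find_bola(send: Sender, identities: List[Identity],
              resources: List[Tuple[str, str, str]]) -> dict:
    """Differential authorization test. resources are (method, path, owner_name).
    For each resource, confirm the owner succeeds (otherwise the probe is
    inconclusive, not a pass), then replay the same request as every other
    identity. Any 2xx for a non-owner is an object-level authorization failure,
    labelled cross-tenant when the caller belongs to a different tenant.
    Note: mutating verbs need disposable objects on a real target."""
    by_name = {ident.name: ident for ident in identities}
    findings, inconclusive = [], []
    for method, path, owner in resources:
        baseline = send(by_name[owner], method, path)
        if not 200 <= baseline < 300:
            inconclusive.append((method, path, baseline))
            continue
        for ident in identities:
            if ident.name == owner:
                continue
            status = send(ident, method, path)
            if 200 <= status < 300:
                scope = "cross-tenant" if ident.tenant != by_name[owner].tenant else "same-tenant"
                findings.append((method, path, ident.name, scope))
    return {"findings": findings, "inconclusive": inconclusive}


# Constructed identities and resources: one user per tenant plus an anonymous caller.
IDENTITIES = [
    Identity("alice", "acme", "tok-alice"),
    Identity("bob", "globex", "tok-bob"),
    Identity("anon", "-", None),
]
RESOURCES = [
    ("GET", "/api/orders/1001", "alice"),
    ("GET", "/api/orders/1002", "bob"),
    ("DELETE", "/api/orders/1001", "alice"),
]


def run_demo() -> dict:
    return find_bola(fake_api, IDENTITIES, RESOURCES)


if __name__ == "__main__":
    for f in run_demo()["findings"]:
        print("BOLA:", *f)
```

The baseline check matters: a 403 for everyone, including the owner, usually means a wrong path or a missing header, and reporting that as "authorization enforced" would be a false negative.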
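For Phase 6, steps 1, 2 and 4 (introspection, query depth and batch queries), this added example builds the probe documents a tester sends and measures them with a small dependency-free scanner: nesting depth of selection sets, number of aliased fields (alias batching) and whether `__schema`/`__type` are requested. The same computation is what a server-side depth or alias limiter performs, so it also describes the remediation. This is not code from the original skill or the source repository; the probe documents and the default limits are constructed for the demonstration, and the scanner ignores braces inside argument lists, strings and comments but does not validate the document.

```python
import re

_IDENT = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def analyze_document(doc: str) -> dict:
    """Single-pass scan of a GraphQL document. Returns the number of top-level
    selection sets (operations plus fragment definitions), the maximum nesting
    depth, the number of aliased fields, and whether introspection fields appear."""
    depth = max_depth = paren = 0
    top_level = aliases = 0
    introspection = False
    i, n = 0, len(doc)
    while i < n:
        c = doc[i]
        if c == "#":                                  # comment runs to end of line
            while i < n and doc[i] != "\n":
                i += 1
            continue
        if c == '"':                                  # skip "..." and """...""" strings
            if doc.startswith('"""', i):
                end = doc.find('"""', i + 3)
                i = n if end < 0 else end + 3
            else:
                i += 1
                while i < n and doc[i] != '"':
                    i += 2 if doc[i] == "\\" else 1
                i += 1
            continue
        if c == "(":
            paren += 1
        elif c == ")":
            paren = max(paren - 1, 0)
        elif paren == 0 and c == "{":                 # braces in arguments are object literals
            depth += 1
            if depth == 1:
                top_level += 1
            max_depth = max(max_depth, depth)
        elif paren == 0 and c == "}":
            depth = max(depth - 1, 0)
        elif paren == 0 and depth > 0:
            m = _IDENT.match(doc, i)
            if m:
                name = m.group(0)
                if name in ("__schema", "__type"):
                    introspection = True
                j = m.end()
                while j < n and doc[j] in " \t\r\n":
                    j += 1
                if j < n and doc[j] == ":":           # `alias: field` outside an argument list
                    aliases += 1
                i = m.end()
                continue
        i += 1
    return {"top_level": top_level, "max_depth": max_depth,
            "aliases": aliases, "introspection": introspection}


def assess(doc: str, max_depth: int = 10, max_aliases: int = 10) -> list:
    """Map the stats onto the Phase 6 checks. A production API that answers a
    document carrying any of these without an error has that limit missing.
    The thresholds are illustrative defaults, not values from the skill."""
    s = analyze_document(doc)
    findings = []
    if s["introspection"]:
        findings.append("introspection")
    if s["max_depth"] > max_depth:
        findings.append("depth")
    if s["aliases"] > max_aliases:
        findings.append("aliases")
    if s["top_level"] > 1:
        findings.append("multiple_top_level")
    return findings


# Constructed probe documents.
INTROSPECTION_PROBE = "{ __schema { types { name } } }"
ALIAS_BATCH = """
mutation {
  a1: login(user: "victim", password: "guess1") { token }
  a2: login(user: "victim", password: "guess2") { token }
}
"""


def deep_query(depth: int) -> str:
    """Build a query nested `depth` selection sets deep: { f0 { f1 { leaf } } }."""
    return "{ " + "".join(f"f{i} {{ " for i in range(depth - 1)) + "leaf" + " }" * depth


if __name__ == "__main__":
    for name, doc in [("introspection", INTROSPECTION_PROBE), ("alias batch", ALIAS_BATCH),
                      ("depth 25", deep_query(25))]:
        print(name, analyze_document(doc), assess(doc))
```

Array batching (a JSON list of operations in one POST) is not visible inside a single document, so test it separately by sending the same login mutation several times in one request body and checking whether the per-request rate limit counts it once or per operation.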