Can I use this for IDOR (BOLA) detection?

Absolutely. It provides systematic workflows to test for Broken Object Level Authorization using various techniques such as wrapping IDs in arrays, JSON wrapping, and parameter pollution.

What API protocols are covered by this skill?

The skill provides comprehensive coverage for REST, SOAP, and GraphQL protocols, offering specific attack vectors, reconnaissance patterns, and testing payloads for each.

Does this skill support GraphQL security testing?

Yes, it includes specialized modules for GraphQL introspection, batching bypasses, schema reconstruction, and testing for common GraphQL-specific vulnerabilities like nested query DoS.

Is it useful for finding undocumented API endpoints?

Yes, it guides you through reconnaissance using tools like Kiterunner and Swagger parsers to discover hidden, legacy, or developer-only endpoints that often lack security controls.

Does it help bypass 403 Forbidden or 401 Unauthorized errors?

Yes, it includes a dedicated 'Endpoint Bypass' section that suggests techniques using URL encoding, path traversal (..;/), and header manipulation to test the robustness of access controls.

API Security & Fuzzing Specialist

Name: API Security & Fuzzing Specialist
Author: claudiodearaujo

byclaudiodearaujo

0•

セキュリティとテスト

Provides expert guidance and automated workflows for security auditing, fuzzing, and vulnerability discovery across REST, SOAP, and GraphQL APIs.

The API Security & Fuzzing skill equips developers and security researchers with a robust framework for identifying critical vulnerabilities in modern web APIs. It streamlines the discovery of Broken Object Level Authorization (BOLA/IDOR), SQL injection, and authentication bypasses while providing specialized logic for GraphQL introspection and schema reconstruction. Whether you're conducting a bug bounty hunt or performing a professional penetration test, this skill guides you through systematic reconnaissance, method tampering, and advanced bypass techniques to ensure comprehensive security coverage and compliance with OWASP API Top 10 standards.

主な機能

01Specialized injection testing workflows for SQL, XXE, and SSRF within API payloads.

02Automated reconnaissance for hidden API endpoints and documentation like Swagger/OpenAPI.

03Comprehensive GraphQL security testing including introspection, batching, and DoS prevention.

04Systematic IDOR (BOLA) discovery using JSON wrapping and parameter pollution techniques.

05Advanced bypass strategies for 401/403 errors and rate limiting controls.

060 GitHub stars

ユースケース

01Auditing REST and GraphQL backend services for authorization and authentication flaws.

02Conducting professional API penetration testing and bug bounty hunting engagements.

03Hardening API security posture by identifying undocumented endpoints and legacy versions.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add claudiodearaujo/sistema-de-narra-o-de-livro-front api-fuzzing-bug-bounty

For use in Claude.ai and ChatGPT

Download Skill

主な機能

01Specialized injection testing workflows for SQL, XXE, and SSRF within API payloads.

02Automated reconnaissance for hidden API endpoints and documentation like Swagger/OpenAPI.

03Comprehensive GraphQL security testing including introspection, batching, and DoS prevention.

04Systematic IDOR (BOLA) discovery using JSON wrapping and parameter pollution techniques.

05Advanced bypass strategies for 401/403 errors and rate limiting controls.

060 GitHub stars

ユースケース

01Auditing REST and GraphQL backend services for authorization and authentication flaws.

02Conducting professional API penetration testing and bug bounty hunting engagements.

03Hardening API security posture by identifying undocumented endpoints and legacy versions.