Does it provide guidance for GraphQL-specific attacks?

Absolutely. It covers GraphQL introspection, schema reconstruction, rate limit bypasses via batching, and nested query DoS attacks.

How does it handle API authentication testing?

It provides workflows for testing different login paths, checking for rate limiting on auth endpoints, and analyzing JWT or token-based security controls.

What types of APIs does this skill support?

The skill provides comprehensive testing techniques for REST, GraphQL, and SOAP protocols, including protocol-specific payloads and reconnaissance methods.

Can this skill help find IDOR vulnerabilities?

Yes, it includes a dedicated section on Insecure Direct Object Reference (IDOR) testing, covering numeric IDs, email-based IDs, and advanced bypass techniques like JSON wrapping.

What tools are recommended for use with this skill?

The skill references industry-standard tools such as Burp Suite, Kiterunner, SecLists, InQL for GraphQL, and specialized scanners like Fuzzapi.

API Security & Bug Bounty Fuzzing

Name: API Security & Bug Bounty Fuzzing
Author: claudiodearaujo

byclaudiodearaujo

0•

Security & Testing

Conducts comprehensive security assessments and fuzzing on REST, SOAP, and GraphQL APIs to identify vulnerabilities like IDOR, SQL injection, and authentication bypasses.

This skill equips Claude with advanced penetration testing methodologies specifically tailored for modern APIs. It provides a structured workflow for reconnaissance, authentication testing, and deep-dive exploitation of common vulnerabilities such as Insecure Direct Object References (IDOR), SSRF, and GraphQL-specific attack vectors. Whether you are a bug bounty hunter or a security engineer, this skill offers actionable payloads, tool recommendations, and bypass techniques to thoroughly audit API endpoints and ensure a robust security posture.

Key Features

01HTTP method tampering and multi-version API authentication bypass strategies

02Automated reconnaissance for Swagger, OpenAPI, and hidden API endpoints

03Injection testing for SQL, XXE, SSRF, and Command Injection within API payloads

04Advanced IDOR and Broken Object Level Authorization (BOLA) testing patterns

050 GitHub stars

06Specialized GraphQL security auditing including introspection and batching attacks

Use Cases

01Automating API endpoint discovery and reconnaissance during penetration tests

02Performing a deep security audit on a production REST or GraphQL API

03Hunting for high-severity vulnerabilities in competitive bug bounty programs

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add claudiodearaujo/izacenter api-fuzzing-bug-bounty

For use in Claude.ai and ChatGPT

Download Skill