What tools are recommended to use alongside this skill?

This skill provides guidance for using industry-standard tools like Burp Suite, Kiterunner, SecLists, InQL, and GraphCrawler to maximize testing efficiency.

Is this skill suitable for beginner bug bounty hunters?

Yes, it offers a structured, step-by-step workflow from reconnaissance to exploitation, making complex API security concepts accessible and actionable.

Does it handle GraphQL-specific threats?

Absolutely. It covers introspection queries for schema discovery, batching for rate limit bypass, and nested query testing for Denial of Service (DoS) vulnerabilities.

What types of APIs does this skill support?

It supports REST, SOAP, and GraphQL APIs, providing specific testing patterns, reconnaissance methods, and exploitation payloads tailored for each protocol.

Can this skill help find IDOR vulnerabilities?

Yes, it includes advanced techniques for identifying Insecure Direct Object Reference (IDOR) such as JSON wrapping, parameter pollution, and wildcard injection.

API Security Fuzzing & Bug Bounty Toolkit

Name: API Security Fuzzing & Bug Bounty Toolkit
Author: claudiodearaujo

byclaudiodearaujo

0•

Security & Testing

Conducts comprehensive security assessments and fuzzing on REST, GraphQL, and SOAP APIs to identify vulnerabilities like IDOR, injection, and authentication bypasses.

This skill equips Claude with advanced methodologies for API security testing, specifically tailored for bug bounty hunters and penetration testers. It provides structured workflows for reconnaissance, authentication bypass, and exploiting complex vulnerabilities such as Insecure Direct Object Reference (IDOR), SQL injection within JSON payloads, and GraphQL-specific attack vectors like introspection abuse and query batching. By leveraging this skill, users can systematically audit API endpoints, discover hidden documentation, and implement robust security checks across various protocols to identify critical security flaws before they can be exploited.

Key Features

01Automated API reconnaissance and endpoint enumeration using Kiterunner and Swagger parsers

02Comprehensive GraphQL security auditing covering introspection, nested query DoS, and batching bypasses

03Multi-protocol support for REST, SOAP, and GraphQL with protocol-specific injection payloads

040 GitHub stars

05Advanced IDOR testing patterns including parameter pollution and JSON wrapping techniques

06Detailed endpoint bypass strategies for overcoming 403 Forbidden and 401 Unauthorized responses

Use Cases

01Performing deep security audits on production API environments during bug bounty engagements

02Reconstructing GraphQL schemas and testing for business logic flaws in modern headless architectures

03Identifying and documenting Broken Object Level Authorization (BOLA/IDOR) in complex web applications

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add claudiodearaujo/izacenter api-fuzzing-bug-bounty

For use in Claude.ai and ChatGPT

Key Features

01Automated API reconnaissance and endpoint enumeration using Kiterunner and Swagger parsers

02Comprehensive GraphQL security auditing covering introspection, nested query DoS, and batching bypasses

03Multi-protocol support for REST, SOAP, and GraphQL with protocol-specific injection payloads

040 GitHub stars

05Advanced IDOR testing patterns including parameter pollution and JSON wrapping techniques

06Detailed endpoint bypass strategies for overcoming 403 Forbidden and 401 Unauthorized responses

Use Cases

01Performing deep security audits on production API environments during bug bounty engagements

02Reconstructing GraphQL schemas and testing for business logic flaws in modern headless architectures

03Identifying and documenting Broken Object Level Authorization (BOLA/IDOR) in complex web applications