Can this skill help identify IDOR vulnerabilities?

Yes, it includes specialized workflows for testing Broken Object Level Authorization (BOLA/IDOR), including techniques like JSON wrapping, parameter pollution, and wildcard injection.

What tools are recommended for use with this skill?

It references industry-standard tools such as Burp Suite, Kiterunner, SecLists, and various specialized GraphQL scanners like clairvoyance and graphw00f.

How does it assist with GraphQL security testing?

It provides introspection queries to map schemas, instructions for using tools like InQL and GraphCrawler, and methods for testing rate limit bypasses through query batching.

What API protocols does this skill support?

The skill provides comprehensive coverage for REST, SOAP, and GraphQL protocols, offering specific attack vectors, payload structures, and reconnaissance techniques for each.

Does it provide guidance for bypassing access controls?

Yes, the skill includes a dedicated section for endpoint bypass techniques to navigate 403 Forbidden or 401 Unauthorized responses using path and header manipulation.

API Security & Bug Bounty Fuzzing

Name: API Security & Bug Bounty Fuzzing
Author: zebbern

byzebbern

•

2,883

•

安全与测试

Provides comprehensive techniques and automated workflows for identifying vulnerabilities in REST, GraphQL, and SOAP APIs.

This skill equips Claude with advanced penetration testing methodologies specifically tailored for API security assessments and bug bounty hunting. It enables users to perform deep reconnaissance, test for Broken Object Level Authorization (BOLA/IDOR), execute injection attacks within JSON/XML payloads, and navigate complex GraphQL schemas. Whether you are auditing undocumented endpoints or bypassing authentication controls, this skill provides the payloads, tool references, and tactical guidance needed to uncover critical security flaws in modern web services.

主要功能

01Advanced IDOR and BOLA bypass technique generation and testing

02Comprehensive checklist for API-specific injection (SQLi, XXE, SSRF)

032,883 GitHub stars

04Multi-protocol support for REST, SOAP, and GraphQL security assessments

05Strategic bypass methods for 403 Forbidden and 401 Unauthorized errors

06Specialized GraphQL introspection and schema reconstruction workflows

使用场景

01Performing deep security analysis on GraphQL endpoints, including batching and nested query attacks

02Automating API reconnaissance and endpoint enumeration during a security audit

03Testing complex authorization logic to find hidden IDOR vulnerabilities in web applications

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add zebbern/claude-code-guide api-fuzzing-bug-bounty

For use in Claude.ai and ChatGPT

Download Skill