Can this skill help identify IDOR vulnerabilities?

Yes, it includes specialized workflows for testing Broken Object Level Authorization (BOLA/IDOR), including techniques like JSON wrapping, parameter pollution, and wildcard injection.

What tools are recommended for use with this skill?

It references industry-standard tools such as Burp Suite, Kiterunner, SecLists, and various specialized GraphQL scanners like clairvoyance and graphw00f.

How does it assist with GraphQL security testing?

It provides introspection queries to map schemas, instructions for using tools like InQL and GraphCrawler, and methods for testing rate limit bypasses through query batching.

What API protocols does this skill support?

The skill provides comprehensive coverage for REST, SOAP, and GraphQL protocols, offering specific attack vectors, payload structures, and reconnaissance techniques for each.

Does it provide guidance for bypassing access controls?

Yes, the skill includes a dedicated section for endpoint bypass techniques to navigate 403 Forbidden or 401 Unauthorized responses using path and header manipulation.

API Security & Bug Bounty Fuzzing

Name: API Security & Bug Bounty Fuzzing
Author: zebbern

byzebbern

•

2,883

安全与测试

Provides comprehensive techniques and automated workflows for identifying vulnerabilities in REST, GraphQL, and SOAP APIs.

关于

This skill equips Claude with advanced penetration testing methodologies specifically tailored for API security assessments and bug bounty hunting. It enables users to perform deep reconnaissance, test for Broken Object Level Authorization (BOLA/IDOR), execute injection attacks within JSON/XML payloads, and navigate complex GraphQL schemas. Whether you are auditing undocumented endpoints or bypassing authentication controls, this skill provides the payloads, tool references, and tactical guidance needed to uncover critical security flaws in modern web services.

主要功能

Advanced IDOR and BOLA bypass technique generation and testing
Comprehensive checklist for API-specific injection (SQLi, XXE, SSRF)
2,883 GitHub stars
Multi-protocol support for REST, SOAP, and GraphQL security assessments
Strategic bypass methods for 403 Forbidden and 401 Unauthorized errors
Specialized GraphQL introspection and schema reconstruction workflows

使用场景

Performing deep security analysis on GraphQL endpoints, including batching and nested query attacks
Automating API reconnaissance and endpoint enumeration during a security audit
Testing complex authorization logic to find hidden IDOR vulnerabilities in web applications

关于

主要功能

Advanced IDOR and BOLA bypass technique generation and testing
Comprehensive checklist for API-specific injection (SQLi, XXE, SSRF)
2,883 GitHub stars
Multi-protocol support for REST, SOAP, and GraphQL security assessments
Strategic bypass methods for 403 Forbidden and 401 Unauthorized errors
Specialized GraphQL introspection and schema reconstruction workflows

使用场景

Performing deep security analysis on GraphQL endpoints, including batching and nested query attacks
Automating API reconnaissance and endpoint enumeration during a security audit
Testing complex authorization logic to find hidden IDOR vulnerabilities in web applications