Does it support testing for privilege escalation?

Absolutely. The skill includes methodologies for testing both horizontal and vertical privilege escalation by manipulating tokens and object identifiers.

Is it suitable for testing microservices?

It is specifically designed for modern architectures, making it perfect for auditing microservices security, inter-service communication, and containerized API gateways.

Can I use this for automated fuzzing?

Yes, it provides integration patterns and commands for popular tools like ffuf, wfuzz, and Arjun to discover hidden parameters and endpoints automatically.

Does it include a security checklist?

Yes, the skill features a comprehensive checklist covering authentication, authorization, input validation, and business logic to ensure no vulnerability is overlooked.

Can this skill help with GraphQL introspection?

Yes, it provides specific queries and commands to perform full introspection and analyze the resulting schema for hidden types and fields.

API Security Testing

Name: API Security Testing
Author: trilwu

bytrilwu

安全与测试

Conducts comprehensive security audits and penetration tests on REST and GraphQL APIs to identify vulnerabilities like IDOR, injection, and authorization flaws.

关于

This skill transforms Claude into an expert API penetration testing assistant, providing structured methodologies for auditing REST and GraphQL services. It covers the entire security lifecycle from initial reconnaissance and endpoint discovery to deep-dive exploitation of vulnerabilities like mass assignment, horizontal/vertical privilege escalation, and rate-limiting bypasses. It is ideal for security researchers, developers performing self-audits, and QA engineers looking to integrate security testing into their microservices workflow using specialized tools and proven security patterns.

主要功能

0 GitHub stars
Rate limiting analysis and bypass strategy implementation
Automated injection testing patterns for SQL, NoSQL, and XXE
GraphQL-specific exploitation including introspection and DoS analysis
Comprehensive REST and GraphQL reconnaissance and endpoint discovery
Structured methodologies for IDOR and privilege escalation testing

使用场景

Performing a deep security audit on a new GraphQL endpoint before production deployment
Testing microservices for Insecure Direct Object Reference (IDOR) vulnerabilities
Automating API fuzzing and parameter discovery during the pentesting phase

关于

主要功能

0 GitHub stars
Rate limiting analysis and bypass strategy implementation
Automated injection testing patterns for SQL, NoSQL, and XXE
GraphQL-specific exploitation including introspection and DoS analysis
Comprehensive REST and GraphQL reconnaissance and endpoint discovery
Structured methodologies for IDOR and privilege escalation testing

使用场景

Performing a deep security audit on a new GraphQL endpoint before production deployment
Testing microservices for Insecure Direct Object Reference (IDOR) vulnerabilities
Automating API fuzzing and parameter discovery during the pentesting phase