API Fuzzing for Bug Bounty

This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.

Author

zebbern

Install


Download and extract to your skills directory

Copy command and send to OpenClaw for auto-install:

Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-api-fuzzing-bug-bounty&locale=en&source=copy

API Fuzzing for Bug Bounty - Complete Guide to API Vulnerability Hunting

Skill Overview


This is a skill guide specifically for API security testing and vulnerability hunting, covering the three mainstream API protocols: REST, SOAP, and GraphQL. It provides a complete technical approach from endpoint discovery to vulnerability exploitation, suitable for bug bounty hunting and penetration testing engagements.

Applicable Scenarios


  • Bug Bounty Hunting: when participating in bug bounty programs on platforms like HackerOne and Bugcrowd, use this skillset to quickly find high-risk API vulnerabilities such as IDOR, authentication bypass, and injection flaws to improve the success rate of submissions.

  • API Penetration Testing: in authorized security assessments, perform comprehensive security evaluations of an enterprise's REST APIs and GraphQL interfaces to find undisclosed endpoints, privilege bypasses, data leaks, and other security issues.

  • Mobile App API Security: test the security of mobile app backend APIs, identify differences in security controls between mobile and web APIs, and discover mobile-specific authentication bypasses and authorization flaws.

Core Features


  • API Endpoint Discovery and Enumeration: automatically discover Swagger/OpenAPI documentation, use Kiterunner for path brute-forcing, extract hidden endpoints from JavaScript files, and detect different API versions (/v1, /v2, /v3) to identify security differences between them.

  • Common Exploitation Techniques: covers IDOR bypass techniques (array wrapping, parameter pollution, wildcard injection), SQL/NoSQL injection detection, command injection, XXE, SSRF, and parser vulnerabilities triggered by modifying the Content-Type.

  • GraphQL Specialized Testing: provides GraphQL introspection queries, schema reconstruction, bulk-request bypasses for rate limiting, nested query DoS, GraphQL SQL injection, and other GraphQL-specific attack techniques.

Frequently Asked Questions

Where do I start with API vulnerability hunting?

Start with API reconnaissance: check for publicly exposed docs like /swagger.json or /api-docs, then use tools like Kiterunner for endpoint enumeration. Identify the target API type (REST/GraphQL/SOAP) and collect endpoints for all versions (v1/v2/v3).

How do I find hidden API endpoints?

Besides standard directory brute-forcing, inspect frontend JavaScript files for hard-coded API calls, use archive.org to view historical versions of the interface, and test common API paths like /api/mobile/ and /api/v3/. Mobile APIs often differ from web APIs and tend to have weaker security controls.

What are some IDOR bypass techniques?

Basic IDOR testing is modifying the user ID parameter (e.g., /api/users/1234 → /api/users/1235). Bypass techniques include: wrapping the ID as an array {"id":[111]}, parameter pollution ?id=&id=, using wildcards {"user_id":"*"}, and replacing numeric IDs with email addresses to test type confusion.
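The defensive counterpart to the bypass list above, added here as an example that is not part of the skill page: a handler that fails closed on each variant (array wrapping, parameter pollution, wildcards, email-for-id type confusion) by parsing the id strictly and then enforcing object-level authorization. The user store, ids and field names are constructed for the example.

```python
"""Added example, not part of the skill page: a handler that fails closed on
the IDOR bypass variants listed above. All names and data are constructed."""
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample store: user id -> profile record
USERS: Dict[int, Dict[str, str]] = {
    1234: {"email": "alice@example.invalid", "plan": "pro"},
    1235: {"email": "bob@example.invalid", "plan": "free"},
}


def parse_user_id(raw: Any) -> int:
    """Accept exactly one positive integer (int or digit-only string).
    Arrays, wildcards, emails, floats, booleans and empty strings all raise,
    so a type-confusion attempt never reaches the data layer."""
    if isinstance(raw, bool):  # bool is an int subclass in Python; reject it
        raise ValueError("invalid id")
    if isinstance(raw, int):
        value = raw
    elif isinstance(raw, str) and raw.isdigit():
        value = int(raw)
    else:
        raise ValueError("invalid id")  # covers [111], "*", "a@b.c", "", 1.5
    if value <= 0:
        raise ValueError("invalid id")
    return value


def get_user(
    caller_id: int,
    query_params: Optional[List[Tuple[str, str]]] = None,
    json_body: Optional[Dict[str, Any]] = None,
) -> Tuple[int, Any]:
    """Return (http_status, body). The id may come from the query string or
    the JSON body, but exactly one value must be present: duplicated keys
    (?id=&id=1234) or a value in both places are rejected as pollution."""
    candidates: List[Any] = [v for k, v in (query_params or []) if k == "id"]
    if json_body is not None and "id" in json_body:
        candidates.append(json_body["id"])
    if len(candidates) != 1:
        return 400, {"error": "exactly one id is required"}
    try:
        target = parse_user_id(candidates[0])
    except ValueError:
        return 400, {"error": "invalid id"}
    # Object-level authorization: the caller may only read their own record.
    # 404 rather than 403 avoids confirming that the other id exists.
    if target != caller_id or target not in USERS:
        return 404, {"error": "not found"}
    return 200, USERS[target]
```

The two properties that matter are that the id is parsed before it is used (so the data layer never sees an array, a wildcard or an email where an integer belongs) and that the ownership check compares against the authenticated caller rather than anything the client sent.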

How do I perform security testing on GraphQL APIs?

First attempt an introspection query to obtain the full schema: {__schema{types{name,fields{name}}}}. If introspection is disabled, use tools like clairvoyance to reconstruct the schema. Then test bulk (aliased) queries to bypass rate limits, nested queries to cause DoS, and GraphQL-specific injection attacks.
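Seen from the server side, the three GraphQL issues above (exposed introspection, alias batching past a rate limit, deep nesting) can all be caught by inspecting the query document before execution. The following is an added example, not code from the skill page or from any GraphQL library: a small scanner that measures nesting depth and counts root fields while ignoring braces inside string literals, plus a policy check. The limits and sample queries are constructed assumptions.

```python
"""Added example, not part of the skill page: a pre-execution guard for
GraphQL documents. Limits and sample queries are constructed."""
import re
from typing import Dict

# Constructed policy limits; tune them to the real schema
MAX_DEPTH = 6
MAX_ROOT_FIELDS = 5

_TOKEN = re.compile(r"[{}()]|[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample documents
INTROSPECTION_Q = "{__schema{types{name,fields{name}}}}"
NORMAL_Q = "query ($id: ID!) { user(id: $id) { name email } }"
BATCHED_Q = "{ " + " ".join(
    f'a{i}: login(u: "x", p: "{i}") {{ token }}' for i in range(6)
) + " }"
NESTED_Q = "{ user { friends { friends { friends { friends { friends { friends { name }}}}}}}}"


def analyze_query(query: str) -> Dict[str, object]:
    """Return nesting depth, root-field count and whether the document
    touches __schema/__type. String literals are blanked first so braces
    inside them do not affect the depth count."""
    cleaned = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    depth = paren = max_depth = root_fields = 0
    introspection = False
    for m in _TOKEN.finditer(cleaned):
        tok = m.group()
        if tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        else:
            if tok in ("__schema", "__type"):
                introspection = True
            if depth == 1 and paren == 0:
                # An identifier followed by ':' is an alias name, not a field
                if not cleaned[m.end():].lstrip().startswith(":"):
                    root_fields += 1
    return {"max_depth": max_depth, "root_fields": root_fields, "introspection": introspection}


def should_reject(query: str, allow_introspection: bool = False) -> str:
    """Return '' if the document passes policy, otherwise the reason."""
    info = analyze_query(query)
    if info["introspection"] and not allow_introspection:
        return "introspection disabled"
    if info["max_depth"] > MAX_DEPTH:
        return f"query depth {info['max_depth']} exceeds {MAX_DEPTH}"
    if info["root_fields"] > MAX_ROOT_FIELDS:
        return f"{info['root_fields']} root fields exceeds {MAX_ROOT_FIELDS} (alias batching)"
    return ""
```

Counting root fields rather than HTTP requests is what makes a rate limit meaningful against aliased batching: six aliased login attempts in one document are six attempts, and the guard reports them as such. Real deployments usually pair this with query cost analysis in the GraphQL server itself; this scanner is deliberately independent of any particular server library.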

What are common methods for API authentication bypass?

Test different login endpoint paths (/api/mobile/login, /api/v3/login), check for rate limiting, and test authentication differences between mobile and web APIs. For 403/401 responses, try adding a .json suffix, adding empty parameters, or path traversal/obfuscation (..;/) and other tricks.
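Every trick in the answer above works only when the authorization decision is made on the raw path rather than a canonical one. As an added example that is not part of the skill page, the function below canonicalises a request path (query string, double URL-encoding, `;`-delimited path parameters, `.json`/`.xml` suffixes, `..` segments and version or client prefixes) before the policy lookup, so all variants of a protected route are judged by the same rule. The routes, roles and prefix list are constructed assumptions.

```python
"""Added example, not part of the skill page: canonicalise a request path
before the authorization lookup. Routes, roles and prefixes are constructed."""
import posixpath
from typing import Dict, Tuple
from urllib.parse import unquote

# Constructed policy: canonical route -> minimum role
ROUTE_POLICY: Dict[str, str] = {
    "/api/login": "anonymous",
    "/api/users/me": "user",
    "/api/admin/users": "admin",
}
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}
# Client- and version-specific prefixes that must share one policy (assumed)
SHARED_PREFIXES = ("/api/v1/", "/api/v2/", "/api/v3/", "/api/mobile/")


def canonicalize(raw_path: str) -> str:
    path = raw_path.split("?", 1)[0].split("#", 1)[0]  # drop query and fragment
    path = unquote(unquote(path))                       # undo double encoding
    # Strip path parameters (";x") per segment so "..;/" becomes "../"
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Resolve "." and "..", collapse duplicate slashes, force one leading slash
    path = posixpath.normpath("/" + path.lstrip("/")).lower()
    if path.endswith((".json", ".xml")):  # a format suffix is not a new resource
        path = path.rsplit(".", 1)[0]
    for prefix in SHARED_PREFIXES:
        if path.startswith(prefix):
            path = "/api/" + path[len(prefix):]
            break
    return path


def authorize(raw_path: str, role: str) -> Tuple[int, str]:
    """Return (http_status, canonical_path) for a caller holding `role`."""
    canon = canonicalize(raw_path)
    required = ROUTE_POLICY.get(canon)
    if required is None:
        return 404, canon
    if ROLE_RANK[role] < ROLE_RANK[required]:
        return 403, canon
    return 200, canon
```

The important design point is that the path the policy sees is the path the backend will actually route, so an obfuscated spelling cannot reach a handler under a weaker rule; the same canonical form is also what should be logged, so detection can alert on requests whose raw and canonical paths differ.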

Can Burp Suite test APIs?

Yes. Use Burp's Repeater to manually test API requests, install the InQL extension for GraphQL testing, and pair with the API Fuzzer plugin for automated fuzzing. It is recommended to add the X-Requested-With: XMLHttpRequest header to simulate frontend requests.

Are API vulnerabilities valuable in bug bounty programs?

API vulnerabilities are highly valuable in bug bounty programs. IDORs (which can lead to large-scale data exposure) and authentication bypasses (which can lead to full account takeover) in particular often receive high rewards. Vulnerabilities in GraphQL, mobile APIs, and undocumented endpoints are often overlooked and easier to find.

How do I detect SQL injection in an API?

Inject SQL syntax into JSON parameters: {"id":"56456 AND 1=1#"} versus {"id":"56456 AND 1=2#"}; if the two responses differ significantly, a vulnerability may exist. For time-based blind injection, use a sleep(15) payload and check for a matching response delay. Note that SQL injection in APIs may surface in unexpected parameters.
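The boolean differential described above, reproduced against a toy database beside the parameterised code that makes the same input inert. This is an added example, not code from the skill page: the table, rows and ids are constructed, and because SQLite comments start with `--` rather than `#`, the trailing `#` of the MySQL-style payload is omitted here.

```python
"""Added example, not part of the skill page: string-spliced SQL versus
bound parameters on a constructed SQLite table."""
import sqlite3
from typing import Any, List, Tuple


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(56456, "alice", 12.5), (56457, "bob", 99.0), (56458, "carol", 3.25)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[Any, ...]]:
    """Anti-pattern: the JSON value is spliced into the SQL text, so
    '56456 AND 1=1' and '56456 AND 1=2' yield different row counts."""
    return conn.execute(f"SELECT id, owner FROM orders WHERE id = {raw_id}").fetchall()


def lookup_safe(conn: sqlite3.Connection, raw_id: Any) -> List[Tuple[Any, ...]]:
    """Type-check first, then bind: the value can only ever be an integer."""
    if isinstance(raw_id, bool) or not (
        isinstance(raw_id, int) or (isinstance(raw_id, str) and raw_id.isdigit())
    ):
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT id, owner FROM orders WHERE id = ?", (int(raw_id),)
    ).fetchall()


def lookup_owner_safe(conn: sqlite3.Connection, owner: str) -> List[Tuple[Any, ...]]:
    """For free-text parameters a type check is not enough; binding keeps
    quotes and keywords inside the value as literal characters."""
    return conn.execute(
        "SELECT id, owner FROM orders WHERE owner = ?", (owner,)
    ).fetchall()
```

The vulnerable version returns one row for the `1=1` variant and none for `1=2`, which is exactly the observable difference the answer above relies on; the bound version either rejects the value outright (numeric id) or treats it as an opaque literal (free-text owner), so no such differential exists.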