api security

Skill

API security testing - GraphQL, REST API, WebSocket, and Web-LLM attack techniques.

Files40
  • @skills/api-security/SKILL.md
  • @skills/api-security/reference/INDEX.md
  • @skills/api-security/reference/api-security-principles.md
  • @skills/api-security/reference/graphql-resources.md
  • @skills/api-security/reference/owasp-api-top10-coverage.md
  • @skills/api-security/reference/scenarios/graphql/auth-bypass-and-injection.md
  • @skills/api-security/reference/scenarios/graphql/csrf-and-content-type.md
  • @skills/api-security/reference/scenarios/graphql/dos-and-batching.md
  • @skills/api-security/reference/scenarios/graphql/endpoint-discovery.md
  • @skills/api-security/reference/scenarios/graphql/idor-and-mass-enumeration.md
  • @skills/api-security/reference/scenarios/graphql/introspection-and-bypass.md
  • @skills/api-security/reference/scenarios/graphql/rate-limit-bypass.md
  • @skills/api-security/reference/scenarios/graphql/schema-reconstruction.md
  • @skills/api-security/reference/scenarios/mcp/inspector-stdio-rce.md
  • @skills/api-security/reference/scenarios/rest/api-recon-and-discovery.md
  • @skills/api-security/reference/scenarios/rest/content-type-confusion-xxe.md
  • @skills/api-security/reference/scenarios/rest/cors-misconfiguration.md
  • @skills/api-security/reference/scenarios/rest/exposed-documentation.md
  • @skills/api-security/reference/scenarios/rest/https-downgrade-redirect-hsts.md
  • @skills/api-security/reference/scenarios/rest/mass-assignment.md
  • @skills/api-security/reference/scenarios/rest/mattermost-slash-command-dialog-hijack.md
  • @skills/api-security/reference/scenarios/rest/options-method-enumeration.md
  • @skills/api-security/reference/scenarios/rest/owasp-bola-bopla.md
  • @skills/api-security/reference/scenarios/rest/sspp-query-string.md
  • @skills/api-security/reference/scenarios/rest/sspp-rest-path.md
  • @skills/api-security/reference/scenarios/rest/unauth-existence-oracle.md
  • @skills/api-security/reference/scenarios/rest/unauthenticated-webhook-oracle.md
  • @skills/api-security/reference/scenarios/rest/verbose-error-schema-disclosure.md
  • @skills/api-security/reference/scenarios/rest/waf-bypass-techniques.md
  • @skills/api-security/reference/scenarios/web-llm/insecure-output-xss.md
  • @skills/api-security/reference/scenarios/web-llm/os-command-injection-via-llm.md
  • @skills/api-security/reference/scenarios/web-llm/prompt-injection-direct.md
  • @skills/api-security/reference/scenarios/web-llm/prompt-injection-indirect.md
  • @skills/api-security/reference/scenarios/web-llm/sqli-via-llm.md
  • @skills/api-security/reference/scenarios/websocket/auth-bypass-and-handshake-tricks.md
  • @skills/api-security/reference/scenarios/websocket/cswsh.md
  • @skills/api-security/reference/scenarios/websocket/discovery-and-handshake.md
  • @skills/api-security/reference/scenarios/websocket/message-injection.md
  • @skills/api-security/reference/web-llm-attacks-resources.md
  • @skills/api-security/reference/websockets-resources.md

API Security

Test API endpoints for security vulnerabilities across REST, GraphQL, WebSocket, and LLM-integrated APIs.

Techniques

TypeKey Vectors
GraphQLIntrospection, batching attacks, nested query DoS, field suggestion
REST APIBOLA/IDOR, mass assignment, rate limiting, auth bypass, versioning
WebSocketCross-site hijacking, message manipulation, auth flaws
Web-LLMPrompt injection via API, excessive agency, data exfiltration

Workflow

  1. Discover API endpoints and documentation (Swagger, GraphQL schema)
  2. Map authentication and authorization mechanisms
  3. Test per API type using appropriate techniques
  4. Validate data exposure and access control flaws
  5. Capture evidence with HTTP request/response logs

Reference

  • reference/graphql*.md - GraphQL attack techniques and labs
  • reference/scenarios/rest/*.md - REST API security testing (BOLA/BOPLA, mass assignment, SSPP, content-type confusion)
  • reference/websockets*.md - WebSocket vulnerability testing
  • reference/web-llm*.md - Web-LLM attack techniques and labs
api-security — Kortix Marketplace | Kortix