Uncategorized • Web Appsec Agent • 163 lines
API Security Testing
API auth flows, rate limiting, schema validation, and GraphQL security testing for authorized assessments
Quick Summary (18 lines)
You are an API security specialist who tests REST, GraphQL, gRPC, and WebSocket APIs for authentication bypass, injection, data exposure, and abuse vulnerabilities. APIs are the backbone of modern applications and a primary attack surface in many breaches: they expose raw functionality without the guardrails that web UIs provide.

## Key Points

- **APIs expose raw power** — unlike web UIs that constrain user actions, APIs accept whatever the client sends. Every parameter, header, and method is an attack surface.
- **Documentation is your roadmap** — Swagger/OpenAPI specs, GraphQL introspection, and API documentation reveal every endpoint, parameter, and expected type before you send a single request.
- **Rate limiting is a security control** — APIs without rate limiting enable credential stuffing, data scraping, and denial-of-service attacks.
- **Schema validation prevents entire vulnerability classes** — APIs that accept unexpected fields, types, or structures are vulnerable to mass assignment, injection, and type confusion.

1. **API documentation and schema discovery**
2. **GraphQL introspection and enumeration**
3. **API authentication bypass testing**
4. **API rate limiting validation**
5. **Mass assignment and parameter pollution**
6. **API versioning and deprecated endpoint testing**
7. **GraphQL-specific attack techniques**
8. **Response data exposure analysis**
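The two key points about documentation and schema validation, and steps 1, 3, 5 and 6 of the workflow above, come together in one habit: read the spec before sending a request, then test exactly what it admits. The following is an added example, not code from the skill or from any project it references. It audits a constructed OpenAPI 3 document (the service, paths, `operationId`s and `bearerAuth` scheme are all assumptions) for operations that carry no security requirement, operations marked deprecated, and request-body schemas that leave `additionalProperties` open, which is where mass-assignment probes go first. It then shows the server-side counterpart: a strict allowlist validator that rejects the `role: admin` field such a probe would smuggle in.

```python
# Added example (not the skill's own code): audit a constructed OpenAPI 3 document
# for API security test targets, then validate a request body strictly against it.
from __future__ import annotations

from typing import Any

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}

# Constructed sample spec. The service, paths, operationIds and the
# bearerAuth scheme are assumptions, not a real API.
SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],   # default: every operation needs a bearer token
    "paths": {
        "/users": {
            "post": {
                "operationId": "createUser",
                "security": [],              # explicit opt-out: anonymous sign-up
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "required": ["email", "password"],
                    "properties": {"email": {"type": "string"},
                                   "password": {"type": "string"}},
                    # additionalProperties not set -> unknown fields allowed by default
                }}}},
            },
        },
        "/users/{id}": {
            "patch": {
                "operationId": "updateUser",
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {"email": {"type": "string"},
                                   "display_name": {"type": "string"}},
                    "additionalProperties": False,
                }}}},
            },
        },
        "/v1/export": {
            "get": {"operationId": "exportAll", "deprecated": True},
        },
    },
}


def body_schema(op: dict[str, Any]) -> dict[str, Any] | None:
    """Return the JSON request-body schema of an operation, if it declares one."""
    content = op.get("requestBody", {}).get("content", {})
    return content.get("application/json", {}).get("schema")


def schema_for(spec: dict[str, Any], method: str, path: str) -> dict[str, Any] | None:
    return body_schema(spec["paths"][path][method])


def requires_auth(spec: dict[str, Any], op: dict[str, Any]) -> bool:
    """Operation-level `security` overrides the global list; an empty list disables auth."""
    return bool(op.get("security", spec.get("security", [])))


def enumerate_operations(spec: dict[str, Any]) -> list[dict[str, Any]]:
    """Flatten paths into one record per (method, path): the tester's request list."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue                     # skip "parameters", "summary", etc.
            ops.append({
                "method": method.upper(),
                "path": path,
                "id": op.get("operationId", f"{method}:{path}"),
                "auth": requires_auth(spec, op),
                "deprecated": bool(op.get("deprecated", False)),
                "schema": body_schema(op),
            })
    return ops


def audit(spec: dict[str, Any]) -> list[str]:
    """Targets for unauthenticated-access, deprecated-endpoint and mass-assignment tests."""
    findings = []
    for o in enumerate_operations(spec):
        tag = f"{o['method']} {o['path']}"
        if not o["auth"]:
            findings.append(f"{tag}: no security requirement -> test unauthenticated access")
        if o["deprecated"]:
            findings.append(f"{tag}: deprecated -> test whether it still serves live data")
        s = o["schema"]
        if s and s.get("type") == "object" and s.get("additionalProperties", True) is not False:
            findings.append(f"{tag}: body schema accepts unknown fields -> mass-assignment candidate")
    return findings


def strict_validate(schema: dict[str, Any], body: dict[str, Any]) -> list[str]:
    """Allowlist validator: unknown, missing-required and mistyped fields are errors.
    Handles only the scalar/object types this example needs."""
    type_map = {"string": str, "integer": int, "boolean": bool, "object": dict}
    props = schema.get("properties", {})
    errors = [f"unknown field: {k}" for k in body if k not in props]
    errors += [f"missing required field: {k}" for k in schema.get("required", []) if k not in body]
    for k, v in body.items():
        expected = type_map.get(props.get(k, {}).get("type"))
        # bool is a subclass of int in Python; do not let True pass as an integer
        if expected and (not isinstance(v, expected) or (expected is int and isinstance(v, bool))):
            errors.append(f"wrong type for {k}: expected {props[k]['type']}")
    return errors


if __name__ == "__main__":
    for line in audit(SPEC):
        print(line)
    # Constructed mass-assignment probe against updateUser: the extra "role" field.
    probe = {"email": "tester@example.com", "display_name": "t", "role": "admin"}
    print(strict_validate(schema_for(SPEC, "patch", "/users/{id}"), probe))
```

The audit flags `POST /users` twice (no security requirement, open body schema) and `GET /v1/export` once (deprecated); `PATCH /users/{id}` is clean because its schema sets `additionalProperties: false`. The validator then rejects the probe with `unknown field: role`, which is the behaviour to confirm on the real endpoint: if the response instead reflects the new role, or the next `GET` shows it persisted, the schema in the document is not the schema the server enforces.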
skilldb get web-appsec-agent-skills/api-security-testing
Full skill: 163 lines
Install this skill directly: skilldb add web-appsec-agent-skills
Related Skills
Access Control Testing
Authorization testing, privilege escalation, and IDOR detection for authorized security assessments
Web Appsec Agent•141L
Authentication Testing
Authentication review, credential handling, and session management testing for authorized assessments
Web Appsec Agent•145L
Business Logic Testing
Business logic flaw detection, race conditions, and workflow bypass testing for authorized assessments
Web Appsec Agent•166L
Input Validation Testing
XSS, SQLi, command injection, and template injection testing for authorized security assessments
Web Appsec Agent•147L
Web Configuration Review
Security headers, CORS, CSP, cookie flags, and TLS configuration review for authorized assessments
Web Appsec Agent•156L
API Authentication Flow Testing
OAuth2, API key, and HMAC authentication flow testing for security assessments
Api Security Agent•139L