api-breaker

Solid

Automated API security testing starting from domains. Discovers REST, GraphQL, and SOAP APIs, reconstructs schemas, and tests for BOLA/IDOR, BFLA, mass assignment, JWT attacks, rate limiting bypass, and business logic flaws. Use when user asks to "test API security", "break API", "find API vulnerabilities", "test GraphQL", "test JWT", "API pentest", or provides domains with API endpoints. For authorized testing only.

API & Backend 29 stars 1 forks Updated today MIT


Quality Score: 85/100

Stars (20%): 49
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 100
Description (5%): 100

Skill Content

# API Breaker

Intelligent API security testing. Discovers, maps, and exploits API vulnerabilities.

## Important

CRITICAL: Only test APIs you have explicit authorization to test.

## Instructions

### Step 1: API Discovery

```bash
python scripts/api_discovery.py --domain {target_domain}
```

Discovery methods:

1. **Path fuzzing**: /api/, /v1/, /v2/, /graphql, /rest/, /swagger.json, /openapi.json, /api-docs
2. **JavaScript analysis**: Parse JS files for hardcoded API endpoints, base URLs, fetch/axios calls
3. **Wayback Machine**: Historical API endpoints that may still be active
4. **Common patterns**: /{resource}s, /{resource}/{id}, /{resource}/{id}/{subresource}
5. **GraphQL detection**: /graphql, /graphiql, /playground, /api/graphql
6. **Documentation endpoints**: Swagger, OpenAPI, WADL, WSDL

For each discovered API:

- Record base URL, authentication method, content type
- Detect API standard (REST, GraphQL, gRPC-web, SOAP)

### Step 2: Schema Reconstruction

```bash
python scripts/schema_builder.py --api-base {api_url}
```

Even without documentation:

1. Send requests with varying parameters and observe responses
2. Analyze error messages for expected field names/types
3. Use OPTIONS/HEAD to discover allowed methods
4. Test content negotiation (JSON, XML, form-encoded)
5. GraphQL: Send introspection query to get full schema

Output: Reconstructed API schema in OpenAPI format.

### Step 3: Authentication Analysis

```bash
python scripts/auth_analyzer.py --api-base {api_...
```

Details

Author: KaQus
Repository: KaQus/claude-code-pentest
Created: 2 years ago
Last Updated: today
Language: Python
License: MIT
