api-security-testing

# API Security Testing Workflow ## Overview Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities. ## When to Use This Workflow Use this workflow when: - Testing REST API security - Assessing GraphQL endpoints - Validating API authentication - Testing API rate limiting - Bug bounty API testing ## Workflow Phases ### Phase 1: API Discovery #### Skills to Invoke - `api-fuzzing-bug-bounty` - API fuzzing - `scanning-tools` - API scanning #### Actions 1. Enumerate endpoints 2. Document API methods 3. Identify parameters 4. Map data flows 5. Review documentation #### Copy-Paste Prompts ``` Use @api-fuzzing-bug-bounty to discover API endpoints ``` ### Phase 2: Authentication Testing #### Skills to Invoke - `broken-authentication` - Auth testing - `api-security-best-practices` - API auth #### Actions 1. Test API key validation 2. Test JWT tokens 3. Test OAuth2 flows 4. Test token expiration 5. Test refresh tokens #### Copy-Paste Prompts ``` Use @broken-authentication to test API authentication ``` ### Phase 3: Authorization Testing #### Skills to Invoke - `idor-testing` - IDOR testing #### Actions 1. Test object-level authorization 2. Test function-level authorization 3. Test role-based access 4. Test privilege escalation 5. Test multi-tenant isolation #### Copy-Paste Prompts ``` Use @idor-testing to test API authorization ``` ### Phase 4: Input Valida...