pentest-api

API security testing — REST/GraphQL/WebSocket, OWASP API Top 10, JWT/OAuth analysis, mass assignment, broken object-level authorization advisory. Triggers on API pentest, OWASP API, REST security, GraphQL test, WebSocket, JWT analysis, OAuth flow, BOLA, BFLA, mass assignment.
fatihkan/badi · ★ 5 · AI & Automation · score 76
Install: claude install-skill fatihkan/badi
# pentest-api

REST + GraphQL + WebSocket security testing methodology. Focused on the OWASP API Security Top 10 (2023).

## Triggers

- "API pentest"
- "OWASP API Top 10"
- "GraphQL introspection"
- "JWT swap attempt"
- "OAuth flow test"
- "BOLA / BFLA"
- "mass assignment"
- "WebSocket security"

## OWASP API Top 10 (2023)

| # | Category | Test Approach |
|---|----------|---------------|
| API1 | BOLA (Broken Object Level Auth) | /users/123 -> /users/124 enumeration, unauthorized data access |
| API2 | Broken Authentication | Token replay, JWT manipulation, brute force against auth endpoints |
| API3 | Broken Object Property Level Auth | Mass assignment (admin: true), excessive data exposure |
| API4 | Unrestricted Resource Consumption | Missing rate limit, unbounded pagination size, unbounded file upload size |
| API5 | BFLA (Broken Function Level Auth) | Is /admin/* reachable with a user role? |
| API6 | Unrestricted Business Flows | Business-logic abuse (delegate to pentest-bizlogic) |
| API7 | SSRF | URL parameters that can reach cloud metadata endpoints |
| API8 | Security Misconfiguration | Verbose errors, CORS wildcard (*), default endpoints |
| API9 | Improper Inventory Management | Same endpoint under v1/v2 with different auth, shadow APIs |
| API10 | Unsafe Consumption of 3rd Party APIs | API key exfiltration, blind trust of third-party responses |

## REST Test Methodology

```
1. Find the spec document: /swagger.json, /openapi.yaml, /api-docs
2. List endpoints + auth requirements
3. BOLA: numeric ID enum (user_id, doc_id, order_id)
4. BFLA: role change (cookie/header swap)
5. Rate limit: 100 requests/sec w
```
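The API1 (BOLA) and API3 (mass assignment) rows above describe what the tester probes for; the example below, added here and not part of the pentest-api skill, shows the server-side checks that close both findings: a vulnerable read/update pair beside a hardened pair that enforces object ownership from the server-side record and a property allowlist. The user store, role names and field names are constructed for illustration.

```python
from copy import deepcopy

# Constructed sample store (user id -> record), not taken from any real system.
USERS = {
    1: {"id": 1, "email": "ops@example.test", "role": "admin"},
    123: {"id": 123, "email": "alice@example.test", "role": "user"},
    124: {"id": 124, "email": "bob@example.test", "role": "user"},
}
WRITABLE_FIELDS = {"email"}  # API3 allowlist: the only fields an owner may set

class Forbidden(Exception):
    """Requester may not read or modify the target object."""

def fresh_store():  # independent copy so each call sequence starts clean
    return deepcopy(USERS)

def get_user_vulnerable(requester_id, target_id, store):
    # API1 (BOLA): any authenticated caller reads any id (/users/123 -> /users/124).
    return deepcopy(store[target_id])

def update_user_vulnerable(requester_id, target_id, payload, store):
    # API3 (mass assignment): every client-supplied key is merged, role included.
    store[target_id].update(payload)
    return deepcopy(store[target_id])

def _authorize_object(requester_id, target_id, store):
    # Owner or admin only; the role is read from the server-side record,
    # never from a client-controlled claim, cookie or header.
    if requester_id != target_id and store[requester_id]["role"] != "admin":
        raise Forbidden(f"user {requester_id} may not access user {target_id}")

def get_user(requester_id, target_id, store):
    _authorize_object(requester_id, target_id, store)
    return deepcopy(store[target_id])

def update_user(requester_id, target_id, payload, store):
    _authorize_object(requester_id, target_id, store)
    extra = set(payload) - WRITABLE_FIELDS
    if extra:  # reject rather than silently drop, so a {"role": "admin"} probe is logged
        raise Forbidden(f"fields not writable: {sorted(extra)}")
    store[target_id].update(payload)
    return deepcopy(store[target_id])

def is_denied(fn, *args):  # True when fn(*args) raises Forbidden
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```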