conducting-api-security-testing


Conducts security testing of REST, GraphQL, and gRPC APIs to identify vulnerabilities in authentication, authorization, rate limiting, input validation, and business logic. The tester uses the OWASP API Security Top 10 as the testing framework, combining Burp Suite interception with Postman collections and custom scripts to test endpoint security at every privilege level. Activates for requests involving API security testing, REST API pentest, GraphQL security assessment, or API vulnerability testing.

Category: API & Backend. 12,642 stars, 1,468 forks. Updated today. License: Apache-2.0.


Quality Score: 99/100

Stars (weight 20%): 100
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 100
Issue Health (weight 10%): 50
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

# Conducting API Security Testing

## When to Use

- Testing API endpoints for authorization flaws, injection vulnerabilities, and business logic bypasses
- Assessing the security of microservices architecture where APIs are the primary communication method
- Validating that API gateway protections (rate limiting, authentication, input validation) are properly enforced
- Testing third-party API integrations for data exposure and insecure configurations
- Evaluating GraphQL APIs for introspection disclosure, query complexity attacks, and authorization bypasses

**Do not use** against APIs without written authorization, for load testing or denial-of-service testing unless explicitly scoped, or for testing production APIs that process real financial transactions without safeguards.

## Prerequisites

- API documentation (OpenAPI/Swagger, GraphQL schema, Postman collection) or application access to reverse-engineer the API
- Burp Suite Professional configured to intercept API traffic with JSON/XML content type handling
- Postman or Insomnia for organizing and replaying API requests across different authentication contexts
- Valid API tokens or credentials at multiple privilege levels (unauthenticated, standard user, admin)
- Target API base URL and version information

## Workflow

### Step 1: API Discovery and Documentation

Map the complete API attack surface:

- **Import API documentation**: Load OpenAPI/Swagger specs into Postman or Burp Suite to catalog all endpoints, method...
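The discovery step above and the "every privilege level" testing the skill description calls for come together in an authorization matrix: enumerate each operation from the spec, replay it under each credential set, and flag any context that reaches an operation it should not. The script below is an added example, not code from the Anthropic-Cybersecurity-Skills project. The OpenAPI fragment, the three tokens, the ownership table and both API handlers are constructed stand-ins so it runs offline; the convention that an operation tagged `admin` is admin-only, and that `{id}` is the object-id path parameter, are assumptions of the example. In a real engagement `send` would issue HTTP requests (through Burp's proxy or Postman) instead of calling the in-process handler.

```python
"""Authorization matrix over an OpenAPI spec (added example, constructed data).

Flags the three OWASP API Top 10 authorization failures: missing authentication,
broken function-level authorization (BFLA) and broken object-level authorization (BOLA).
"""
import re
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Constructed OpenAPI 3 fragment (assumption). Conventions assumed: `security: []`
# marks a public operation; an operation tagged "admin" is admin-only.
SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearer": []}],
    "paths": {
        "/health": {"get": {"security": []}},
        "/users/{id}": {"get": {}, "delete": {"tags": ["admin"]}},
        "/admin/users": {"get": {"tags": ["admin"]}},
    },
}

# Constructed credentials at three privilege levels and a toy ownership table.
CONTEXTS: Dict[str, Optional[str]] = {"anon": None, "user": "tok-alice", "admin": "tok-root"}
TOKEN_OWNER = {"tok-alice": ("alice", "user"), "tok-root": ("root", "admin")}
OWNER_OF = {"1": "alice", "2": "bob"}  # object id -> owning user

Sender = Callable[[str, str, Optional[str]], int]  # (method, path, token) -> HTTP status


def enumerate_operations(spec: dict) -> Iterator[Tuple[str, str, bool, bool]]:
    """Yield (METHOD, path template, requires_auth, admin_only) for every operation."""
    global_sec = spec.get("security", [])
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method.lower() not in {"get", "post", "put", "patch", "delete"}:
                continue
            requires_auth = bool(op.get("security", global_sec))
            yield method.upper(), path, requires_auth, "admin" in op.get("tags", [])


def build_matrix(spec: dict, send: Sender) -> Dict[Tuple[str, str, str, Optional[str]], int]:
    """Replay every operation under every context; for {id} paths try every known object."""
    matrix = {}
    for method, path, _, _ in enumerate_operations(spec):
        object_ids: List[Optional[str]] = list(OWNER_OF) if "{id}" in path else [None]
        for ctx, token in CONTEXTS.items():
            for obj in object_ids:
                concrete = path.replace("{id}", obj) if obj else path
                matrix[(method, path, ctx, obj)] = send(method, concrete, token)
    return matrix


def audit(spec: dict, send: Sender) -> List[str]:
    """Sorted findings: every 2xx a context obtained that the policy says it should not."""
    policy = {(m, p): (auth, admin) for m, p, auth, admin in enumerate_operations(spec)}
    findings = set()
    for (method, path, ctx, obj), status in build_matrix(spec, send).items():
        if not 200 <= status < 300:
            continue
        requires_auth, admin_only = policy[(method, path)]
        token = CONTEXTS[ctx]
        if token is None:
            if requires_auth:
                findings.add(f"missing-auth {method} {path}")
            continue
        user, role = TOKEN_OWNER[token]
        if role == "admin":
            continue  # admin is allowed everything in this toy policy
        if admin_only:
            findings.add(f"bfla {method} {path}")  # low-privilege user hit an admin op
        elif obj is not None and OWNER_OF[obj] != user:
            findings.add(f"bola {method} {path}")  # user reached someone else's object
    return sorted(findings)


def flawed_api(method: str, path: str, token: Optional[str]) -> int:
    """Constructed handler that authenticates but never checks ownership or role."""
    if path == "/health":
        return 200
    if token not in TOKEN_OWNER:
        return 401
    _, role = TOKEN_OWNER[token]
    if re.fullmatch(r"/users/\d+", path) and method == "GET":
        return 200  # constructed BOLA: any user reads any user
    if re.fullmatch(r"/users/\d+", path) and method == "DELETE":
        return 204  # constructed BFLA: any user deletes any user
    if path == "/admin/users" and method == "GET":
        return 200 if role == "admin" else 403
    return 404


def hardened_api(method: str, path: str, token: Optional[str]) -> int:
    """Same routes with ownership and role enforced server-side."""
    if path == "/health":
        return 200
    if token not in TOKEN_OWNER:
        return 401
    user, role = TOKEN_OWNER[token]
    m = re.fullmatch(r"/users/(\d+)", path)
    if m and method == "GET":
        return 200 if role == "admin" or OWNER_OF.get(m.group(1)) == user else 403
    if m and method == "DELETE":
        return 204 if role == "admin" else 403
    if path == "/admin/users" and method == "GET":
        return 200 if role == "admin" else 403
    return 404


if __name__ == "__main__":
    print("flawed:  ", audit(SPEC, flawed_api))
    print("hardened:", audit(SPEC, hardened_api))
```

Against the flawed handler the audit reports BOLA on `GET /users/{id}` (alice reads bob's record) and BFLA on `DELETE /users/{id}` (alice deletes despite the admin tag); against the hardened handler it reports nothing. The matrix deliberately records the raw status of every (operation, context, object) cell rather than only the findings, because a 403 where the spec predicts 401, or a 404 instead of 403, is itself a hint about how the authorization layer is wired.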

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0
