pentest-api-deep

Original source / Raw SKILL.md

---
name: pentest-api-deep
description: Deep OWASP API Security Top 10 testing for REST, GraphQL, gRPC, and WebSocket APIs — BFLA, mass assignment, rate limiting, and unsafe consumption.
---

# Pentest API Deep

## Purpose
Perform dedicated API-specific vulnerability testing beyond basic BOLA/GraphQL coverage. Addresses Broken Function Level Authorization (BFLA), mass assignment, rate limiting, excessive data exposure, and unsafe consumption per OWASP API Security Top 10 (2023).

## Prerequisites

### Authorization Requirements
- **Written authorization** with API testing scope explicitly included
- **API documentation** (OpenAPI/Swagger specs, GraphQL schema) if available
- **Test accounts** at multiple privilege levels (user, admin, service account)
- **Rate limit awareness** — confirm acceptable request volume with target owner

### Environment Setup
- Postman or Insomnia for manual API exploration
- Burp Suite with API-specific extensions
- GraphQL Voyager for schema visualization
- grpcurl for gRPC service testing

## Core Workflow
1. **API Discovery**: Enumerate endpoints via OpenAPI/Swagger specs, GraphQL introspection, gRPC reflection, traffic analysis. Discover undocumented endpoints with Kiterunner.
2. **BFLA Testing**: Access admin-only API functions as regular user. HTTP method switching (GET→DELETE). Test function-level authorization gaps distinct from object-level (BOLA).
3. **Mass Assignment**: Send extra fields in POST/PUT (role, isAdmin, balance). Check response objects for leaked internal fields (WSTG-INPV-20).
4. **Rate Limiting & Resource**: Test missing rate limits, GraphQL depth/complexity abuse, pagination abuse, regex DoS via API input.
5. **Excessive Data Exposure**: Compare API responses across privilege levels. Identify fields returned but not displayed in UI. Test verbose error responses.
6. **Unsafe Consumption**: SSRF through upstream API calls, injection through trusted-but-tainted API response data.
7. **API Versioning**: Old API versions with weaker controls, version header manipulation, deprecated endpoint access.

## OWASP API Security Top 10 (2023) Coverage

| Category | Test Focus | Status |
|----------|-----------|--------|
| API1 Broken Object Level Authorization | IDOR via API params | ✅ |
| API2 Broken Authentication | Token/key weaknesses | ✅ |
| API3 Broken Object Property Level Authorization | Mass assignment, excessive data | ✅ |
| API4 Unrestricted Resource Consumption | Rate limits, complexity | ✅ |
| API5 Broken Function Level Authorization | BFLA, method switching | ✅ |
| API6 Unrestricted Access to Sensitive Business Flows | Automation abuse | ✅ |
| API7 Server Side Request Forgery | API-triggered SSRF | ✅ |
| API8 Security Misconfiguration | CORS, headers, versioning | ✅ |
| API9 Improper Inventory Management | Shadow APIs, deprecated versions | ✅ |
| API10 Unsafe Consumption of Third-Party APIs | Upstream injection | ✅ |

## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| API Discovery | Kiterunner, Swagger UI, GraphQL Voyager | Endpoint enumeration |
| Parameter Discovery | Arjun, x8, ParamSpider | Hidden parameter detection |
| Fuzzing | ffuf, Burp Intruder, custom scripts | Mass assignment, BFLA |
| GraphQL | graphql-cop, InQL, BatchQL | GraphQL-specific attacks |
| gRPC | grpcurl, grpc-tools | gRPC reflection and testing |
| Rate Testing | custom aiohttp scripts, Turbo Intruder | Rate limit verification |

## References
- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors


---

## Referenced Files

> The following files are referenced in this skill and included for context.

### references/tools.md

```markdown
# Tools

## Common Response Fields

All tool functions return:
- `success` (bool): Whether the operation completed
- `stdout` (str): Standard output from the tool
- `stderr` (str): Error output if any
- `exit_code` (int): Process exit code

---

## API Discovery Tools

### kiterunner_scan(target, wordlist, method)
Discover API endpoints using context-aware content discovery.
- `target` (str): Base URL to scan
- `wordlist` (str): Kiterunner wordlist path (default: "routes-large.kite")
- `method` (str): HTTP methods to test "GET,POST,PUT,DELETE"
- `headers` (dict): Custom headers `{"Authorization": "Bearer ..."}`
- `max_redirects` (int): Maximum redirects to follow (default: 3)
- `delay_ms` (int): Delay between requests (default: 0)

### graphql_introspect(target, headers)
Query GraphQL introspection to extract full schema.
- `target` (str): GraphQL endpoint URL
- `headers` (dict): Auth headers `{"Authorization": "Bearer ..."}`
- `depth` (int): Introspection query depth (default: 7)
- `output_format` (str): "json" | "sdl" (default: "json")

### arjun_discover(target, method, headers)
Discover hidden API parameters via fuzzing.
- `target` (str): Target endpoint URL
- `method` (str): HTTP method "GET" | "POST" | "JSON"
- `headers` (dict): Custom headers
- `wordlist` (str): Parameter wordlist path (default: built-in)
- `stable` (bool): Use stable mode for reliable results (default: True)
- `threads` (int): Concurrent threads (default: 5)

---

## GraphQL Testing Tools

### graphql_cop(target, headers)
Audit GraphQL endpoint for common security misconfigurations.
- `target` (str): GraphQL endpoint URL
- `headers` (dict): Auth headers
- `checks` (list): Specific checks to run (default: all)

### batchql(target, query, batch_size)
Test GraphQL batching attacks for rate limit bypass.
- `target` (str): GraphQL endpoint URL
- `query` (str): GraphQL query to batch
- `batch_size` (int): Number of queries per batch (default: 10)
- `headers` (dict): Auth headers

---

## gRPC Tools

### grpcurl_list(target, tls)
List available gRPC services via reflection.
- `target` (str): gRPC server address "host:port"
- `tls` (bool): Use TLS (default: True)
- `cert` (str): Client certificate path (optional)

### grpcurl_call(target, service, method, data)
Invoke a gRPC method with custom data.
- `target` (str): gRPC server address
- `service` (str): Service name
- `method` (str): Method name
- `data` (str): JSON request body
- `headers` (dict): Metadata headers

```

### references/workflows.md

```markdown
# Workflows

## API Security Attack Patterns

## AI-assisted selection

1. Discover all API endpoints via specs, introspection, and traffic analysis.
2. Classify each endpoint by auth level, data sensitivity, and function type.
3. Select attack patterns based on OWASP API Top 10 mapping.
4. Execute: discovery → BFLA → mass assignment → rate limit → data exposure → unsafe consumption.

---

## bfla_testing

Test Broken Function Level Authorization — access admin functions as regular user.

- kiterunner_scan: method "GET,POST,PUT,DELETE,PATCH"
- test_vectors:
  - Call admin-only endpoints with regular user token
  - HTTP method switching: GET /users → DELETE /users/{id}
  - Add /admin/ prefix to known user endpoints
  - Replace /user/ with /admin/ in endpoint paths
  - Test X-HTTP-Method-Override header to bypass method restrictions

## mass_assignment_testing

Test whether APIs accept and process extra fields not intended for user input.

- arjun_discover: method "JSON", stable True
- test_vectors:
  - Add "role": "admin" to user registration/update POST body
  - Add "isAdmin": true, "verified": true to profile update
  - Add "balance": 99999, "credits": 100 to account endpoints
  - Add "price": 0 to order/product creation
  - Compare request schema vs response schema for hidden fields

## rate_limit_resource_abuse

Test API rate limiting and resource consumption controls.

- batchql: batch_size 100
- test_vectors:
  - Send 100+ identical requests in 1 second to sensitive endpoints
  - GraphQL query depth abuse: nested queries 10+ levels deep
  - GraphQL batching: 50 mutations in single request
  - Pagination abuse: page_size=999999
  - Regex DoS: send crafted input to search/filter endpoints

## excessive_data_exposure

Test whether APIs return more data than the client needs.

- test_vectors:
  - Compare API response fields vs UI-displayed fields
  - Request user profile as admin vs regular user — diff responses
  - Check for internal IDs, timestamps, debug info in responses
  - Test verbose error messages revealing stack traces or DB schema
  - Check if filtering happens client-side vs server-side

```