pentest-api-deep

Original：🇺🇸 English

Translated

Deep OWASP API Security Top 10 testing for REST, GraphQL, gRPC, and WebSocket APIs — BFLA, mass assignment, rate limiting, and unsafe consumption.

2installs

Sourcejd-opensource/joysafeter

Added on2026-03-01

NPX Install

npx skill4agent add jd-opensource/joysafeter pentest-api-deep

SKILL.md Content

View Translation Comparison →

Pentest API Deep

Purpose

Perform dedicated API-specific vulnerability testing beyond basic BOLA/GraphQL coverage. Addresses Broken Function Level Authorization (BFLA), mass assignment, rate limiting, excessive data exposure, and unsafe consumption per OWASP API Security Top 10 (2023).

Prerequisites

Authorization Requirements

Written authorization with API testing scope explicitly included
API documentation (OpenAPI/Swagger specs, GraphQL schema) if available
Test accounts at multiple privilege levels (user, admin, service account)
Rate limit awareness — confirm acceptable request volume with target owner

Environment Setup

Postman or Insomnia for manual API exploration
Burp Suite with API-specific extensions
GraphQL Voyager for schema visualization
grpcurl for gRPC service testing

Core Workflow

API Discovery: Enumerate endpoints via OpenAPI/Swagger specs, GraphQL introspection, gRPC reflection, traffic analysis. Discover undocumented endpoints with Kiterunner.
BFLA Testing: Access admin-only API functions as regular user. HTTP method switching (GET→DELETE). Test function-level authorization gaps distinct from object-level (BOLA).
Mass Assignment: Send extra fields in POST/PUT (role, isAdmin, balance). Check response objects for leaked internal fields (WSTG-INPV-20).
Rate Limiting & Resource: Test missing rate limits, GraphQL depth/complexity abuse, pagination abuse, regex DoS via API input.
Excessive Data Exposure: Compare API responses across privilege levels. Identify fields returned but not displayed in UI. Test verbose error responses.
Unsafe Consumption: SSRF through upstream API calls, injection through trusted-but-tainted API response data.
API Versioning: Old API versions with weaker controls, version header manipulation, deprecated endpoint access.

OWASP API Security Top 10 (2023) Coverage

Category	Test Focus	Status
API1 Broken Object Level Authorization	IDOR via API params	✅
API2 Broken Authentication	Token/key weaknesses	✅
API3 Broken Object Property Level Authorization	Mass assignment, excessive data	✅
API4 Unrestricted Resource Consumption	Rate limits, complexity	✅
API5 Broken Function Level Authorization	BFLA, method switching	✅
API6 Unrestricted Access to Sensitive Business Flows	Automation abuse	✅
API7 Server Side Request Forgery	API-triggered SSRF	✅
API8 Security Misconfiguration	CORS, headers, versioning	✅
API9 Improper Inventory Management	Shadow APIs, deprecated versions	✅
API10 Unsafe Consumption of Third-Party APIs	Upstream injection	✅

Tool Categories

Category	Tools	Purpose
API Discovery	Kiterunner, Swagger UI, GraphQL Voyager	Endpoint enumeration
Parameter Discovery	Arjun, x8, ParamSpider	Hidden parameter detection
Fuzzing	ffuf, Burp Intruder, custom scripts	Mass assignment, BFLA
GraphQL	graphql-cop, InQL, BatchQL	GraphQL-specific attacks
gRPC	grpcurl, grpc-tools	gRPC reflection and testing
Rate Testing	custom aiohttp scripts, Turbo Intruder	Rate limit verification

References

```
references/tools.md
```
- Tool function signatures and parameters
```
references/workflows.md
```
- Attack pattern definitions and test vectors