technical see the announcement →
Hacking APIs
Hacking APIs: Breaking Web Application Programming Interfaces · ·340 pages
Complete API security testing methodology — from discovery through authentication attacks, BOLA/BFLA, mass assignment, injection, GraphQL-specific attacks, and rate limit bypass. Includes a comprehensive testing checklist.
Capabilities (9)
- › Discover APIs via Swagger, JS files, mobile apps, Wayback Machine, and Shodan
- › Attack JWT tokens: algorithm confusion (none/HS256), weak secret brute force, claim manipulation
- › Test for BOLA/IDOR by accessing other users' objects with different account credentials
- › Test for BFLA by accessing admin endpoints with regular user tokens
- › Exploit mass assignment by adding privileged fields to create/update requests
- › Fuzz API parameters for SQLi, NoSQLi, SSRF, command injection, and path traversal
- › Enumerate GraphQL schema via introspection and field suggestion attacks
- › Execute GraphQL batch queries to bypass rate limiting
- › Apply complete API pentest checklist: recon → auth → authorization → injection → logic
How to use
Install this skill and Claude can audit web APIs for OWASP vulnerabilities — crafting JWT attack payloads, stepping through BOLA/BFLA test procedures, building mass assignment test cases, enumerating GraphQL schema via introspection, and generating pentest reports with structured findings
Why it matters
APIs are the dominant modern attack surface yet are systematically undertested because traditional web security tooling was built for HTML interfaces — BOLA and broken authentication alone account for the majority of critical findings in real-world bug bounties and breach investigations
Example use cases
- › Discovering undocumented API endpoints by extracting paths from JavaScript bundles and comparing against published Swagger docs to find delta endpoints excluded from documentation
- › Testing a target API for JWT algorithm confusion by modifying the alg header from RS256 to HS256 and attempting to sign with the server's public key to forge an admin token
- › Running GraphQL introspection against an endpoint to enumerate all queries and mutations, then testing each mutation for mass assignment by injecting privilege-escalating fields like role and isAdmin
Hacking APIs Skill
Core Model: The API Restaurant Analogy
- Menu = API documentation (what’s available)
- Waiter = API gateway (routes requests)
- Kitchen = backend services
- Food safety inspector = penetration tester
Most APIs assume the client is legitimate. Your job: act as a client but explore what the kitchen does when given unusual orders.
API Types and Protocols
| Type | Format | Key Traits |
|---|---|---|
| REST | JSON/XML | Stateless, resource-based URLs, HTTP verbs |
| GraphQL | JSON | Query language, single endpoint, flexible queries |
| SOAP | XML | Strict schema (WSDL), stateful, enterprise |
| gRPC | Protobuf | Binary, high-performance, HTTP/2 |
| WebSocket | Custom | Persistent connection, bidirectional |
Testing note: each type has different attack surface. REST has many endpoints; GraphQL has one endpoint with introspection; SOAP has WSDL exposure.
API Authentication Methods
| Method | How it Works | Common Weaknesses |
|---|---|---|
| API Key | Token in header/param/URL | Key in URL (logged), no expiry, over-broad scope |
| Basic Auth | Base64(user:pass) in header | Credential stuffing, no token rotation |
| JWT | Signed JSON token | Algorithm confusion (none/HS256/RS256), weak secrets, unvalidated claims |
| OAuth 2.0 | Access + refresh tokens | Open redirect in callback, token leakage, CSRF |
| HMAC | Signed request hash | Replay attacks if no timestamp/nonce |
JWT Attack Patterns
- Algorithm confusion: change
alg: RS256toalg: HS256and sign with public key as HMAC secret - None algorithm: set
alg: none, remove signature — some servers accept it - Weak secret: brute force HMAC secrets with wordlists (jwt-cracker, hashcat)
- Claim manipulation: decode, modify
role,user_id, re-sign with found secret
API Discovery
Passive Discovery Sources
- Swagger/OpenAPI docs:
api.company.com/swagger,api.company.com/openapi.json,api.company.com/v1/docs - JavaScript files: client-side JS often contains API endpoint strings
- Mobile app reverse engineering: APK/IPA decompilation reveals hardcoded endpoints
- Wayback Machine: archived API versions still accessible
- Google dorks:
site:api.company.com,inurl:api "authorization: Bearer" - Shodan:
org:"Company Name" http.title:"API"
Active Discovery
- Forced browsing: try
/api/v1/,/api/v2/,/api/v3/; try/admin,/internal,/debug - Wordlist fuzzing: fuzz endpoint paths using common API path wordlists
- Response code analysis: 401 = exists but unauthorized; 403 = forbidden; 404 = doesn’t exist
GraphQL Discovery
- Standard endpoint:
/graphql,/gql,/api/graphql - Introspection query:
{ __schema { types { name } } }— reveals all types, queries, mutations - Disable introspection in production; test if it’s exposed
Vulnerability Classes
1. Broken Object Level Authorization (BOLA / IDOR)
Most common API vulnerability. Attacker changes object ID in URL/body to access another user’s data.
GET /api/users/1234/profile → your profile
GET /api/users/1235/profile → another user's profile (BOLA if returned)Testing approach:
- Create two accounts; get object IDs for account A
- While authenticated as account B, try to access/modify account A’s objects
- Test all HTTP verbs (GET, PUT, DELETE, PATCH)
2. Broken Function Level Authorization (BFLA)
Accessing admin or privileged API functions with a normal user token.
POST /api/admin/users → should require admin
POST /api/users/admin → alternate path, same functionTesting approach:
- Test admin endpoints with regular user JWT
- Try method switching on regular endpoints (GET works → try DELETE)
- Look for
admin,manage,internalin discovered endpoints
3. Mass Assignment
API accepts extra JSON fields that are mapped directly to database objects, allowing elevation of privilege.
POST /api/users/register
{ "username": "alice", "password": "x", "isAdmin": true }Testing approach:
- Add unexpected fields to registration/update requests
- Use OpenAPI docs to find all model fields; try setting privileged ones
- Try:
role,admin,verified,credits,subscription_type
4. API Injection
| Injection Type | Payload Location | Example Payload |
|---|---|---|
| SQLi | Query parameter, body field | ' OR 1=1-- |
| NoSQLi (MongoDB) | JSON body | {"$gt": ""} or {"$where": "1==1"} |
| Command Injection | Filename, shell parameter | ; id # |
| XSS via API | String fields rendered in app | <script>alert(1)</script> |
| SSRF | URL parameter | http://169.254.169.254/latest/meta-data |
Key target: any API parameter that reaches a database query, shell command, or URL fetch.
5. Rate Limit / Brute Force
- Many APIs don’t enforce rate limiting on authentication endpoints
- Test: automate 100 password attempts; does the API respond with 429?
- Bypass techniques: rotate IPs, use X-Forwarded-For header spoofing, vary User-Agent
API Fuzzing Methodology
- Capture baseline requests with Burp Suite / Postman
- Identify injection points: path params, query params, headers, body fields
- Fuzz types:
- Type confusion: string where int expected, array where string expected
- Length: very long strings (1000+ chars)
- Special chars:
',",<,>,%00,../,{{7*7}} - Null:
null, empty string, 0
- Look for:
- Error messages leaking stack traces / queries
- Different response sizes/times (boolean-based blind)
- 500 errors (application crashes)
GraphQL-Specific Attacks
Introspection Enumeration
{ __schema { queryType { fields { name description args { name } } } } }Batch Query Abuse
GraphQL allows multiple queries in one request — can bypass rate limits:
[{"query": "mutation { login(user:'admin', pass:'pass1') }"},
{"query": "mutation { login(user:'admin', pass:'pass2') }"},
...]Field Suggestion Attack
When introspection is disabled, mistype a field name — GraphQL may suggest correct field names:
Unknown field 'userz' on type 'User'. Did you mean 'users'?API Hacking Checklist
Recon:
- Find all API versions (v1, v2, v3)
- Locate API documentation (Swagger, Postman collections)
- Identify authentication mechanisms
- Map all endpoints and HTTP methods
Authentication:
- Test credential stuffing on login endpoint (rate limit check)
- Test JWT algorithm confusion (none, HS256 with public key)
- Check for hardcoded/default API keys in documentation
- Test token expiration and revocation
Authorization:
- Create two test accounts; test BOLA/IDOR on all object endpoints
- Test admin endpoints with regular user token (BFLA)
- Try mass assignment on create/update endpoints
Injection:
- Fuzz all string parameters for SQL/NoSQL injection
- Test URL parameters for SSRF (
http://169.254.169.254) - Test file-related parameters for path traversal
Business Logic:
- Test negative values, zero values, very large values
- Test race conditions on concurrent requests (inventory, payments)
- Test parameter pollution (duplicate params)