API Security Testing

Overview

Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities.

When to Use This Workflow

Use this workflow when:

• -Testing REST API security
• -Assessing GraphQL endpoints
• -Validating API authentication
• -Testing API rate limiting
• -Bug bounty API testing

Workflow Phases

Phase 1: API Discovery

#### Skills to Invoke

• -api-fuzzing-bug-bounty - API fuzzing
• -scanning-tools - API scanning

#### Actions

1. Enumerate endpoints

2. Document API methods

3. Identify parameters

4. Map data flows

5. Review documentation

#### Copy-Paste Prompts

Use @api-fuzzing-bug-bounty to discover API endpoints

Phase 2: Authentication Testing

#### Skills to Invoke

• -broken-authentication - Auth testing
• -api-security-best-practices - API auth

#### Actions

1. Test API key validation

2. Test JWT tokens

3. Test OAuth2 flows

4. Test token expiration

5. Test refresh tokens

#### Copy-Paste Prompts

Use @broken-authentication to test API authentication

Phase 3: Authorization Testing

#### Skills to Invoke

• -idor-testing - IDOR testing

#### Actions

1. Test object-level authorization

2. Test function-level authorization

3. Test role-based access

4. Test privilege escalation

5. Test multi-tenant isolation

#### Copy-Paste Prompts

Use @idor-testing to test API authorization

Phase 4: Input Validation

#### Skills to Invoke

• -api-fuzzing-bug-bounty - API fuzzing
• -sql-injection-testing - Injection testing

#### Actions

1. Test parameter validation

2. Test SQL injection

3. Test NoSQL injection

4. Test command injection

5. Test XXE injection

#### Copy-Paste Prompts

Use @api-fuzzing-bug-bounty to fuzz API parameters

Phase 5: Rate Limiting

#### Skills to Invoke

• -api-security-best-practices - Rate limiting

#### Actions

1. Test rate limit headers

2. Test brute force protection

3. Test resource exhaustion

4. Test bypass techniques

5. Document limitations

#### Copy-Paste Prompts

Use @api-security-best-practices to test rate limiting

Phase 6: GraphQL Testing

#### Skills to Invoke

• -api-fuzzing-bug-bounty - GraphQL fuzzing

#### Actions

1. Test introspection

2. Test query depth

3. Test query complexity

4. Test batch queries

5. Test field suggestions

#### Copy-Paste Prompts

Use @api-fuzzing-bug-bounty to test GraphQL security

Phase 7: Error Handling

#### Skills to Invoke

• -api-security-best-practices - Error handling

#### Actions

1. Test error messages

2. Check information disclosure

3. Test stack traces

4. Verify logging

5. Document findings

#### Copy-Paste Prompts

Use @api-security-best-practices to audit API error handling

API Security Checklist

• -[ ] Authentication working
• -[ ] Authorization enforced
• -[ ] Input validated
• -[ ] Rate limiting active
• -[ ] Errors sanitized
• -[ ] Logging enabled
• -[ ] CORS configured
• -[ ] HTTPS enforced

Quality Gates

• -[ ] All endpoints tested
• -[ ] Vulnerabilities documented
• -[ ] Remediation provided
• -[ ] Report generated

Related Workflow Bundles

• -security-audit - Security auditing
• -web-security-testing - Web security
• -api-development - API development