api-fuzzing-bug-bounty · listed

This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug b...
rootcastleco/rei-skills · ★ 5 · AI & Automation · score 70
Install: claude install-skill rootcastleco/rei-skills
> ⚠️ **AUTHORIZED USE ONLY** — This skill is intended for authorized security professionals only. Use only against systems you own or have explicit written permission to test. Unauthorized use may violate applicable laws.

# API Fuzzing for Bug Bounty

## Purpose

Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.

## Inputs/Prerequisites

- Burp Suite or similar proxy tool
- API wordlists (SecLists, api_wordlist)
- Understanding of REST/GraphQL/SOAP protocols
- Python for scripting
- Target API endpoints and documentation (if available)

## Outputs/Deliverables

- Identified API vulnerabilities
- IDOR exploitation proofs
- Authentication bypass techniques
- SQL injection points
- Unauthorized data access documentation

---

## API Types Overview

| Type | Protocol | Data Format | Structure |
|------|----------|-------------|-----------|
| SOAP | HTTP | XML | Header + Body |
| REST | HTTP | JSON/XML/URL | Defined endpoints |
| GraphQL | HTTP | Custom Query | Single endpoint |

---

## Core Workflow

### Step 1: API Reconnaissance

Identify API type and enumerate endpoints:

```bash
# Check for Swagger/OpenAPI documentation
/swagger.json
/openapi.json
/api-docs
/v1/api-docs
/swagger-ui.html

# Use Kiterunner for API discovery
kr scan https://target.com -w routes-large.kite

# Extract pa