api-security-testing
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
Best use case
api-security-testing is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
Teams using api-security-testing should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/api-security-testing/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How api-security-testing Compares
| Feature / Agent | api-security-testing | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# API Security Testing Workflow ## Overview Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities. ## When to Use This Workflow Use this workflow when: - Testing REST API security - Assessing GraphQL endpoints - Validating API authentication - Testing API rate limiting - Bug bounty API testing ## Workflow Phases ### Phase 1: API Discovery #### Skills to Invoke - `api-fuzzing-bug-bounty` - API fuzzing - `scanning-tools` - API scanning #### Actions 1. Enumerate endpoints 2. Document API methods 3. Identify parameters 4. Map data flows 5. Review documentation #### Copy-Paste Prompts ``` Use @api-fuzzing-bug-bounty to discover API endpoints ``` ### Phase 2: Authentication Testing #### Skills to Invoke - `broken-authentication` - Auth testing - `api-security-best-practices` - API auth #### Actions 1. Test API key validation 2. Test JWT tokens 3. Test OAuth2 flows 4. Test token expiration 5. Test refresh tokens #### Copy-Paste Prompts ``` Use @broken-authentication to test API authentication ``` ### Phase 3: Authorization Testing #### Skills to Invoke - `idor-testing` - IDOR testing #### Actions 1. Test object-level authorization 2. Test function-level authorization 3. Test role-based access 4. Test privilege escalation 5. Test multi-tenant isolation #### Copy-Paste Prompts ``` Use @idor-testing to test API authorization ``` ### Phase 4: Input Validation #### Skills to Invoke - `api-fuzzing-bug-bounty` - API fuzzing - `sql-injection-testing` - Injection testing #### Actions 1. Test parameter validation 2. Test SQL injection 3. Test NoSQL injection 4. Test command injection 5. Test XXE injection #### Copy-Paste Prompts ``` Use @api-fuzzing-bug-bounty to fuzz API parameters ``` ### Phase 5: Rate Limiting #### Skills to Invoke - `api-security-best-practices` - Rate limiting #### Actions 1. Test rate limit headers 2. Test brute force protection 3. Test resource exhaustion 4. Test bypass techniques 5. Document limitations #### Copy-Paste Prompts ``` Use @api-security-best-practices to test rate limiting ``` ### Phase 6: GraphQL Testing #### Skills to Invoke - `api-fuzzing-bug-bounty` - GraphQL fuzzing #### Actions 1. Test introspection 2. Test query depth 3. Test query complexity 4. Test batch queries 5. Test field suggestions #### Copy-Paste Prompts ``` Use @api-fuzzing-bug-bounty to test GraphQL security ``` ### Phase 7: Error Handling #### Skills to Invoke - `api-security-best-practices` - Error handling #### Actions 1. Test error messages 2. Check information disclosure 3. Test stack traces 4. Verify logging 5. Document findings #### Copy-Paste Prompts ``` Use @api-security-best-practices to audit API error handling ``` ## API Security Checklist - [ ] Authentication working - [ ] Authorization enforced - [ ] Input validated - [ ] Rate limiting active - [ ] Errors sanitized - [ ] Logging enabled - [ ] CORS configured - [ ] HTTPS enforced ## Quality Gates - [ ] All endpoints tested - [ ] Vulnerabilities documented - [ ] Remediation provided - [ ] Report generated ## Related Workflow Bundles - `security-audit` - Security auditing - `web-security-testing` - Web security - `api-development` - API development ## Limitations - Use this skill only when the task clearly matches the scope described above. - Do not treat the output as a substitute for environment-specific validation, testing, or expert review. - Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.
Related Skills
wordpress-penetration-testing
Assess WordPress installations for common vulnerabilities and WordPress 7.0 attack surfaces.
webapp-testing
To test local web applications, write native Python Playwright scripts.
web3-testing
Master comprehensive testing strategies for smart contracts using Hardhat, Foundry, and advanced testing patterns.
web-security-testing
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
unit-testing-test-generate
Generate comprehensive, maintainable unit tests across languages with strong coverage and edge case focus.
testing-qa
Comprehensive testing and QA workflow covering unit testing, integration testing, E2E testing, browser automation, and quality assurance.
testing-patterns
Jest testing patterns, factory functions, mocking strategies, and TDD workflow. Use when writing unit tests, creating test factories, or following TDD red-green-refactor cycle.
temporal-python-testing
Comprehensive testing approaches for Temporal workflows using pytest, progressive disclosure resources for specific testing scenarios.
ssh-penetration-testing
Conduct comprehensive SSH security assessments including enumeration, credential attacks, vulnerability exploitation, tunneling techniques, and post-exploitation activities. This skill covers the complete methodology for testing SSH service security.
sqlmap-database-pentesting
Provide systematic methodologies for automated SQL injection detection and exploitation using SQLMap.
sql-injection-testing
Execute comprehensive SQL injection vulnerability assessments on web applications to identify database security flaws, demonstrate exploitation techniques, and validate input sanitization mechanisms.
solidity-security
Master smart contract security best practices, vulnerability prevention, and secure Solidity development patterns.