api-security-testing

API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.

6 stars

Best use case

api-security-testing is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using api-security-testing should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/api-security-testing/SKILL.md --create-dirs "https://raw.githubusercontent.com/netbarros/psique/main/.codex/skills/api-security-testing/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/api-security-testing/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How api-security-testing Compares

Feature / Agent            api-security-testing    Standard Approach
Platform Support           Not specified           Limited / Varies
Context Awareness          High                    Baseline
Installation Complexity    Unknown                 N/A

Frequently Asked Questions

What does this skill do?

API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# API Security Testing Workflow

## Overview

Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities.

## When to Use This Workflow

Use this workflow when:
- Testing REST API security
- Assessing GraphQL endpoints
- Validating API authentication
- Testing API rate limiting
- Bug bounty API testing

## Workflow Phases

### Phase 1: API Discovery

#### Skills to Invoke
- `api-fuzzing-bug-bounty` - API fuzzing
- `scanning-tools` - API scanning

#### Actions
1. Enumerate endpoints
2. Document API methods
3. Identify parameters
4. Map data flows
5. Review documentation

#### Copy-Paste Prompts
```
Use @api-fuzzing-bug-bounty to discover API endpoints
```

### Phase 2: Authentication Testing

#### Skills to Invoke
- `broken-authentication` - Auth testing
- `api-security-best-practices` - API auth

#### Actions
1. Test API key validation
2. Test JWT tokens
3. Test OAuth2 flows
4. Test token expiration
5. Test refresh tokens

#### Copy-Paste Prompts
```
Use @broken-authentication to test API authentication
```

### Phase 3: Authorization Testing

#### Skills to Invoke
- `idor-testing` - IDOR testing

#### Actions
1. Test object-level authorization
2. Test function-level authorization
3. Test role-based access
4. Test privilege escalation
5. Test multi-tenant isolation

#### Copy-Paste Prompts
```
Use @idor-testing to test API authorization
```

### Phase 4: Input Validation

#### Skills to Invoke
- `api-fuzzing-bug-bounty` - API fuzzing
- `sql-injection-testing` - Injection testing

#### Actions
1. Test parameter validation
2. Test SQL injection
3. Test NoSQL injection
4. Test command injection
5. Test XXE injection

#### Copy-Paste Prompts
```
Use @api-fuzzing-bug-bounty to fuzz API parameters
```

### Phase 5: Rate Limiting

#### Skills to Invoke
- `api-security-best-practices` - Rate limiting

#### Actions
1. Test rate limit headers
2. Test brute force protection
3. Test resource exhaustion
4. Test bypass techniques
5. Document limitations

#### Copy-Paste Prompts
```
Use @api-security-best-practices to test rate limiting
```

### Phase 6: GraphQL Testing

#### Skills to Invoke
- `api-fuzzing-bug-bounty` - GraphQL fuzzing

#### Actions
1. Test introspection
2. Test query depth
3. Test query complexity
4. Test batch queries
5. Test field suggestions

#### Copy-Paste Prompts
```
Use @api-fuzzing-bug-bounty to test GraphQL security
```
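The query depth, complexity and batch-query checks in this phase probe limits that the server should enforce. The following is an added example, not code from the skill or the psique repository: it measures selection-set nesting depth, counts operations per document and counts aliased fields, then reports which constructed thresholds a request exceeds. The hand-written scanner is an assumed simplification standing in for a real parser's AST.

```python
"""Added example (not code from the api-security-testing skill or the psique repo):
server-side limits that the phase 6 depth, complexity and batch checks probe.
A small hand-written scanner stands in for a real GraphQL parser's AST."""
import re

MAX_DEPTH = 5        # constructed thresholds for the example
MAX_OPERATIONS = 3   # operations per document (query batching)
MAX_ALIASES = 10     # aliased fields (the usual way to repeat one field)


def _normalize(query: str) -> str:
    """Drop strings, comments and argument lists so their braces/colons don't count."""
    text = re.sub(r'"""[\s\S]*?"""', '""', query)      # block strings
    text = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', text)  # ordinary strings
    text = re.sub(r"#[^\n]*", "", text)                # comments
    return re.sub(r"\([^()]*\)", "()", text)           # (args), ($vars), @dir(if:)


def analyze_query(query: str) -> dict:
    """Measure nesting depth, top-level operations and aliases of one document."""
    text = _normalize(query)
    depth = max_depth = operations = 0
    head = ""  # text seen at depth 0 since the last top-level block closed
    for ch in text:
        if ch == "{":
            # a top-level selection set is an operation unless it is a fragment
            if depth == 0 and head.split()[:1] != ["fragment"]:
                operations += 1
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces")
            if depth == 0:
                head = ""
        elif depth == 0:
            head += ch
    if depth != 0:
        raise ValueError("unbalanced braces")
    # alias syntax is `name: field`; argument colons were removed by _normalize
    aliases = len(re.findall(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*", text))
    return {"depth": max_depth, "operations": operations, "aliases": aliases}


def check_limits(query: str) -> list:
    """Return the names of violated limits; an empty list means the request passes."""
    stats = analyze_query(query)
    caps = {"depth": MAX_DEPTH, "operations": MAX_OPERATIONS, "aliases": MAX_ALIASES}
    return [name for name, cap in caps.items() if stats[name] > cap]
```

Strings, comments and argument lists are stripped first so a brace inside a string literal or an input object cannot skew the depth count.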

### Phase 7: Error Handling

#### Skills to Invoke
- `api-security-best-practices` - Error handling

#### Actions
1. Test error messages
2. Check information disclosure
3. Test stack traces
4. Verify logging
5. Document findings

#### Copy-Paste Prompts
```
Use @api-security-best-practices to audit API error handling
```

## API Security Checklist

- [ ] Authentication working
- [ ] Authorization enforced
- [ ] Input validated
- [ ] Rate limiting active
- [ ] Errors sanitized
- [ ] Logging enabled
- [ ] CORS configured
- [ ] HTTPS enforced

## Quality Gates

- [ ] All endpoints tested
- [ ] Vulnerabilities documented
- [ ] Remediation provided
- [ ] Report generated

## Related Workflow Bundles

- `security-audit` - Security auditing
- `web-security-testing` - Web security
- `api-development` - API development
