Prerequisites

  • API base URL (e.g. https://api.target.com)
  • Authorization token (Bearer, API key, or OAuth client credentials)
  • OpenAPI / Swagger spec file (.json or .yaml) - highly recommended
  • GraphQL endpoint URL if applicable
  • At least one valid authenticated user account
  • Second user account for BOLA/IDOR testing (different role/tenant)
  1. Select API Pentest from Home Screen

     Click 🔌 API Pentest. The wizard opens pre-configured for API testing with API-specific questions.

  2. Answer API-Specific Wizard Questions

     API Base URL: https://api.target.com/v1
     Auth Type: Bearer JWT / API Key / OAuth2 / Basic / None
     OpenAPI Spec: Upload spec file or enter Swagger URL
     GraphQL: Yes → enter endpoint URL
     Rate Limiting: Observed? Yes/No (affects fuzzing speed)
     User Accounts: User A (standard) + User B (different tenant/role)
     Business Context: e.g. "multi-tenant SaaS, users have orgs and projects"

  3. Claude Runs the API Test Suite

     Claude orchestrates the full API test pipeline automatically:

     Phase 1: Route discovery - kiterunner brute-force (if no spec)
     Phase 2: Auth analysis - JWT decode, algorithm confusion, key strength
     Phase 3: BOLA testing - swap User A object IDs with User B token
     Phase 4: Mass assignment - extra fields in POST/PUT/PATCH bodies
     Phase 5: Injection - SQL/NoSQL/SSTI in all parameters
     Phase 6: Rate limits - threshold testing per endpoint
     Phase 7: GraphQL - introspection, batch attacks, field suggestions
     Phase 8: Business logic - AI-driven logic flaw discovery

  4. Review Findings and Generate API Security Report

     All confirmed findings include: endpoint, HTTP method, request/response PoC, CVSS score, and remediation. Generate the Technical Report for full API security coverage.

What Claude Tests (API / GraphQL / gRPC / WebSocket)

Coverage spans OWASP API Security Top 10 (2023) as the baseline plus additional API-specific attack classes. 18+ scanner modules including the BOLA harness, GraphQL introspection chain, JWT attack engine, and the cross-scanner correlator.

OWASP API Top 10 (2023) baseline
  • API1 Broken Object Level Authorization (BOLA) — sequential ID enumeration, UUID prediction, multi-tenant cross-tenant access, GraphQL node ID abuse
  • API2 Broken Authentication — token forgery, JWT alg confusion, refresh-token replay, missing token rotation, weak OAuth flows
  • API3 Broken Object Property Level Authorization (BOPLA / mass assignment) — hidden field discovery, role escalation via PATCH, GraphQL field-level authz
  • API4 Unrestricted Resource Consumption — rate-limit bypass, large payload DoS, GraphQL query depth/complexity DoS, alias-based amplification, batched query abuse
  • API5 Broken Function Level Authorization (BFLA) — admin endpoint enumeration, HTTP method tampering (GET→PUT/DELETE), role downgrade
  • API6 Unrestricted Access to Sensitive Business Flows — workflow abuse, double-spend, rapid-fire booking, scalping resistance
  • API7 SSRF via APIs — webhook callback abuse, redirect chain exploitation, cloud metadata IMDS access, blind SSRF via callbacks
  • API8 Security Misconfiguration — verbose errors, debug endpoints, default API keys, CORS misconfig, missing security headers, exposed Swagger
  • API9 Improper Inventory Management — shadow APIs, deprecated v1 endpoints still live, undocumented admin routes, dev/staging APIs in production DNS
  • API10 Unsafe Consumption of APIs — vulnerable upstream APIs, unvalidated 3rd-party responses, SSRF chains via API-to-API calls
Beyond OWASP — additional API attack classes
  • GraphQL — introspection enumeration, batch query abuse, alias-based DoS, field suggestion enumeration, depth attacks, deep recursion, nested-fragment amplification, mutation chaining, subscription abuse
  • gRPC — protobuf field tampering, reflection enumeration, server streaming flood, deadline manipulation, metadata injection, TLS downgrade
  • WebSocket — Cross-Site WebSocket Hijacking (CSWSH), origin bypass, unauthenticated upgrade, message tampering, ping/pong flood, frame masking violations
  • REST conventions — verb tampering, content-type confusion, JSON/XML mismatch, parameter pollution, wildcard parameters, ID-type confusion (string vs int)
  • Auth Schemes — Bearer/JWT/HMAC/OAuth2/OIDC/SAML/API key — full attack matrix per scheme (alg=none, kid traversal, key confusion, signature stripping, audience confusion, PKCE downgrade, token leak via Referer/logs)
  • Rate-limit bypass — IP rotation, header injection (X-Forwarded-For/X-Real-IP/X-Originating-IP), distributed-burst, race-window exploitation, token-pool drain
  • Input fuzzing — type confusion (string→array, int→object), prototype pollution via JSON, NoSQL injection, command injection in eval/exec endpoints
  • Schema validation gaps — extra fields accepted, missing-field bypass, type coercion, unicode normalization, length-limit bypass
  • Cache & ETag attacks — cache poisoning via API headers, ETag fingerprinting, conditional-request smuggling
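The API2 item above lists JWT alg confusion. The added example below (not PhantomYerra code) shows the pattern that makes a verifier vulnerable, letting the token's own header decide whether a signature is required, next to the hardened verifier that pins the expected algorithm server-side and rejects everything else. The key and tokens are constructed for the demo and HMAC stands in for RSA so the block needs only the standard library.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-hmac-key"  # constructed sample key for the demo only


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(payload: dict, alg: str) -> str:
    """Build a test token; alg='none' produces an unsigned token with an empty signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def _hmac_ok(header_b64: str, body_b64: str, sig_b64: str) -> bool:
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_trusting_header(token: str) -> dict:
    """Vulnerable pattern: the token's own header decides whether a signature is required."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "none" and not _hmac_ok(header_b64, body_b64, sig_b64):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))  # alg=none skips the check entirely


def verify_strict(token: str, expected_alg: str = "HS256") -> dict:
    """Hardened: the server pins the algorithm; any other alg, 'none' included, is rejected."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed or unsigned token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} not allowed")
    if not _hmac_ok(header_b64, body_b64, sig_b64):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))
```

Pinning the algorithm (and the key type that goes with it) is the same control that defeats the RS256-to-HS256 key confusion variant, because the header can no longer select which verification routine runs.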
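Query depth and alias-based amplification (API4 above and the GraphQL item in this list) are limits a server can enforce before executing a query. The added example below (not PhantomYerra code) scans a raw GraphQL document for selection-set depth and alias count using only the standard library, with constructed sample queries; it does not expand fragment spreads, so a production limiter should run on the parsed AST.

```python
import re

MAX_DEPTH = 5      # deepest allowed selection-set nesting (the operation's own braces count as 1)
MAX_ALIASES = 10   # cap on aliased fields per document, the unit of alias-based amplification
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')   # string literals, escapes included


def analyze_query(query: str) -> dict:
    """Scan a raw GraphQL document for selection-set depth and alias count.
    Braces and colons inside string literals or argument lists are ignored, so an input
    object such as (where: {id: {eq: 1}}) adds no depth and counts no alias. Fragment
    spreads are not expanded; an AST-based limiter should handle that."""
    depth = max_depth = aliases = paren = 0
    for c in _STRING.sub('""', query):
        if c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif paren:
            continue                   # inside an argument list
        elif c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
        elif c == ":":
            aliases += 1               # outside arguments a colon can only introduce an alias
    return {"depth": max_depth, "aliases": aliases}


def check_query(query: str, max_depth: int = MAX_DEPTH, max_aliases: int = MAX_ALIASES) -> list:
    """Return the list of limit violations; an empty list means the query may execute."""
    stats = analyze_query(query)
    problems = []
    if stats["depth"] > max_depth:
        problems.append(f"depth {stats['depth']} exceeds {max_depth}")
    if stats["aliases"] > max_aliases:
        problems.append(f"{stats['aliases']} aliases exceed {max_aliases}")
    return problems


# Constructed sample queries for the demo
SAFE_QUERY = '{ user(id: "1") { name posts(first: 5) { title } } }'
DEEP_QUERY = 'query { user(id: "1") { friends { friends { friends { friends { friends { name } } } } } } }'
ALIASED_QUERY = "{ " + " ".join(f"r{i}: report(id: {i}) {{ total }}" for i in range(12)) + " }"
```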

Want the complete enumeration? See the Coverage Matrix for the full per-surface vuln-class list with scanner module names (264 modules across 30+ surface domains).

⏱️ Typical duration: 20–90 minutes for a mid-size API (100–500 endpoints).

Common Issues

The API may require authentication headers for route discovery. Add -H "Authorization: Bearer $TOKEN". Also try different wordlists: -w assetnote-api-routes.kite. If the API uses versioning, try the base path with --base-path /api/v1/.

The authorization check may only apply to direct ID access. Try: object references in nested resources (/users/me/documents/123), parameter pollution (?user_id=victim_id), HTTP method switching (GET vs POST), and indirect reference maps (look for GUIDs that map to sequential IDs).

Use field suggestion attacks: send queries with typos to trigger "did you mean X?" suggestions that leak schema. Use the Clairvoyance tool for blind schema extraction. Check whether introspection works in development mode (different endpoint or header).

Full Disclosure

264 modules · 30+ surfaces · 14 vuln families · 120+ classes

The sections above describe what this surface tests. For the complete enumeration of every vulnerability class PhantomYerra covers across all surfaces — with scanner module names — see the Coverage Matrix.
