SKILL

API Security Testing

API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.

Published by @sickn33 and contributors·0 agent reads / 30d·0 saves·

API Security Testing Workflow

Overview

Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities.

When to Use This Workflow

Use this workflow when:

  • Testing REST API security
  • Assessing GraphQL endpoints
  • Validating API authentication
  • Testing API rate limiting
  • Bug bounty API testing

Workflow Phases

Phase 1: API Discovery

Skills to Invoke
  • api-fuzzing-bug-bounty - API fuzzing
  • scanning-tools - API scanning
Actions
  1. Enumerate endpoints
  2. Document API methods
  3. Identify parameters
  4. Map data flows
  5. Review documentation
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to discover API endpoints

Phase 2: Authentication Testing

Skills to Invoke
  • broken-authentication - Auth testing
  • api-security-best-practices - API auth
Actions
  1. Test API key validation
  2. Test JWT tokens
  3. Test OAuth2 flows
  4. Test token expiration
  5. Test refresh tokens
Copy-Paste Prompts
Use @broken-authentication to test API authentication

Phase 3: Authorization Testing

Skills to Invoke
  • idor-testing - IDOR testing
Actions
  1. Test object-level authorization
  2. Test function-level authorization
  3. Test role-based access
  4. Test privilege escalation
  5. Test multi-tenant isolation
Copy-Paste Prompts
Use @idor-testing to test API authorization

Phase 4: Input Validation

Skills to Invoke
  • api-fuzzing-bug-bounty - API fuzzing
  • sql-injection-testing - Injection testing
Actions
  1. Test parameter validation
  2. Test SQL injection
  3. Test NoSQL injection
  4. Test command injection
  5. Test XXE injection
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to fuzz API parameters

Phase 5: Rate Limiting

Skills to Invoke
  • api-security-best-practices - Rate limiting
Actions
  1. Test rate limit headers
  2. Test brute force protection
  3. Test resource exhaustion
  4. Test bypass techniques
  5. Document limitations
Copy-Paste Prompts
Use @api-security-best-practices to test rate limiting

Phase 6: GraphQL Testing

Skills to Invoke
  • api-fuzzing-bug-bounty - GraphQL fuzzing
Actions
  1. Test introspection
  2. Test query depth
  3. Test query complexity
  4. Test batch queries
  5. Test field suggestions
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to test GraphQL security

Phase 7: Error Handling

Skills to Invoke
  • api-security-best-practices - Error handling
Actions
  1. Test error messages
  2. Check information disclosure
  3. Test stack traces
  4. Verify logging
  5. Document findings
Copy-Paste Prompts
Use @api-security-best-practices to audit API error handling

API Security Checklist

  • Authentication working
  • Authorization enforced
  • Input validated
  • Rate limiting active
  • Errors sanitized
  • Logging enabled
  • CORS configured
  • HTTPS enforced

Quality Gates

  • All endpoints tested
  • Vulnerabilities documented
  • Remediation provided
  • Report generated

Related Workflow Bundles

  • security-audit - Security auditing
  • web-security-testing - Web security
  • api-development - API development

Limitations

  • Use this skill only when the task clearly matches the scope described above.
  • Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
  • Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.

Bundled with this artifact

2 files

Reference files that ship alongside this artifact. Agents pull these in only when the task needs them.

More on the bench

SKILL0

Zustand Store Ts

Create Zustand stores following established patterns with proper TypeScript types and middleware.

sickn33 and contributors
ai-prompt-engineering+3
0
SKILL0

Zoom Automation

Automate Zoom meeting creation, management, recordings, webinars, and participant tracking via Rube MCP (Composio). Always search tools first for current schemas.

sickn33 and contributors
ai-prompt-engineering+3
0
SKILL0

Zoho Crm Automation

Automate Zoho CRM tasks via Rube MCP (Composio): create/update records, search contacts, manage leads, and convert leads. Always search tools first for current schemas.

sickn33 and contributors
ai-prompt-engineering+3
0