@soulofzephir/pi-skill-pentesting 1.0.2 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@soulofzephir/pi-skill-pentesting",
3
- "version": "1.0.2",
3
+ "version": "1.0.5",
4
4
  "description": "Comprehensive pentesting & security check skill for Pi coding agent - headers, ports, SQLi, XSS, OWASP Top 10",
5
5
  "keywords": [
6
6
  "pi",
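Review bot: the package.json `description` is left stale by this bump: it still advertises only "headers, ports, SQLi, XSS, OWASP Top 10" while the SKILL.md front matter in the same release lists API security, subdomain discovery, WebSocket, cloud metadata and sensitive data detection. The registry listing is built from this field, so update it together with the version (append the new areas), and record in the package changelog why 1.0.3 and 1.0.4 were skipped.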
@@ -1,15 +1,15 @@
1
1
  ---
2
2
  name: pentesting
3
- description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers analysis, port scanning, SQL injection, XSS testing, OWASP Top 10, SSL/TLS audit, exposed files detection, CORS, JWT, and GraphQL security testing. Use when user asks for pentest, security check, security audit, vulnerability scan, header security, port scan, SQL injection, XSS, OWASP, ethical hacking, exposed files, CORS, JWT, GraphQL, or bug bounty testing. Generates reports to site/domainname-date.md format.
3
+ description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers, port scanning, SQL injection, XSS, OWASP Top 10, SSL/TLS, exposed files, CORS, JWT, GraphQL, API security, subdomain discovery, WebSocket, cloud metadata, and sensitive data detection. Use for pentest, security check, vulnerability scan, header security, port scan, SQL injection, XSS, exposed files, CORS, JWT, GraphQL, API security, subdomain, WebSocket, cloud, sensitive data, or bug bounty testing. Generates reports to site/domainname-date.md format.
4
4
  ---
5
5
 
6
6
  # 🛡️ Pentesting & Security Check Skill
7
7
 
8
- > **AUTHOR:** Rz (@soulofzephir) | **VERSION:** 3.0 | **LAST UPDATED:** 2025-07-05
8
+ > **AUTHOR:** Rz (@soulofzephir) | **VERSION:** 4.0 | **LAST UPDATED:** 2025-07-05
9
9
 
10
10
  ---
11
11
 
12
- ## 📋 CAPABILITIES OVERVIEW (v3.0)
12
+ ## 📋 CAPABILITIES OVERVIEW (v4.0)
13
13
 
14
14
  | Category | Coverage | Status |
15
15
  |----------|----------|--------|
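Review bot: the header now claims VERSION 4.0 but LAST UPDATED is still 2025-07-05, so a major revision ships with no new date; update both together, and consider keeping the skill version in step with the package version (1.0.5 here) so one number identifies a release. The front-matter `description` also drops "security audit", "OWASP" and "ethical hacking" from its trigger clause ("Use for pentest, security check, vulnerability scan, ...") even though the OWASP phase remains in the checklist and "audit keamanan" is still a listed trigger; keep those words in the clause so the skill still auto-loads for those requests.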
@@ -21,10 +21,15 @@ description: Comprehensive website security testing skill for penetration testin
21
21
  | **XXE Testing** | Basic, Blind, DoS | ✅ Manual |
22
22
  | **OWASP Top 10** | A01-A10 complete | ✅ Checklist |
23
23
  | **SSL/TLS Audit** | Certificate & Ciphers | ✅ testssl.sh |
24
- | **Exposed Files** | .env, .git, backups, debug | ✅ **NEW** |
25
- | **CORS Security** | Misconfiguration tests | ✅ **NEW** |
26
- | **JWT Security** | Algorithm attacks, brute force | ✅ **NEW** |
27
- | **GraphQL Security** | Introspection, DoS, injection | ✅ **NEW** |
24
+ | **Exposed Files** | .env, .git, backups, debug | ✅ Script |
25
+ | **CORS Security** | Misconfiguration tests | ✅ Checklist |
26
+ | **JWT Security** | Algorithm attacks, brute force | ✅ Checklist |
27
+ | **GraphQL Security** | Introspection, DoS, injection | ✅ Checklist |
28
+ | **API Security** | REST API testing, IDOR, rate limit | ✅ **NEW** |
29
+ | **Subdomain Discovery** | Passive/Active enumeration | ✅ **NEW** |
30
+ | **WebSocket Security** | CSWSH, hijacking, DoS | ✅ **NEW** |
31
+ | **Cloud Metadata** | SSRF to AWS/GCP/Azure | ✅ **NEW** |
32
+ | **Sensitive Data** | Credentials, PII exposure | ✅ **NEW** |
28
33
  | **Report Generation** | .md format | ✅ Auto |
29
34
 
30
35
  ---
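Review bot: the `Status` column now carries five unexplained values (Manual, Checklist, Script, Auto, NEW), and the rewrite reclassifies CORS/JWT/GraphQL from NEW to Checklist while Exposed Files becomes Script, so only that one row describes execution mode rather than age. Five rows are again tagged NEW and will need the same rewrite next release; suggest replacing NEW with the real mode (all five new categories are checklist-only according to the tools tree in this diff, which adds no scripts for them) and adding a one-line legend stating that "Checklist" means manual steps with no script behind them.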
@@ -42,13 +47,18 @@ This skill auto-loads when user mentions:
42
47
  - OWASP, OWASP Top 10
43
48
  - exposed files, .env, .git exposed
44
49
  - CORS, JWT, GraphQL security
50
+ - API security, REST API, REST security
51
+ - subdomain discovery, subdomain enumeration
52
+ - WebSocket security, WS security
53
+ - cloud metadata, SSRF, AWS metadata
54
+ - sensitive data, credentials exposure, PII
45
55
  - "test keamanan", "cek security", "audit keamanan"
46
- - **"test skill", "check skill", "validate skill"**
47
- - **"skill health", "skill status", "skill diagnostics"**
56
+ - "test skill", "check skill", "validate skill"
57
+ - "skill health", "skill status", "skill diagnostics"
48
58
 
49
59
  ---
50
60
 
51
- ## ⚡ COMPLETE TEST CHECKLIST (10+ Phases)
61
+ ## ⚡ COMPLETE TEST CHECKLIST (16 Phases)
52
62
 
53
63
  ### Phase 1: Reconnaissance
54
64
  ```
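Review bot: the new trigger `SSRF` on the "cloud metadata, SSRF, AWS metadata" line overlaps with the SSRF item in the injection phase and with OWASP A10, so a bare "SSRF" request now routes to the cloud-metadata checklist instead of the general injection tests; qualify the trigger ("cloud SSRF", "metadata SSRF") or document the precedence. The "skill health", "skill status", "skill diagnostics" line survives here with only its bold removed, yet the routing section later in this diff deletes the "skill status" / "skill health" handler, leaving those phrases as triggers with nothing behind them.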
@@ -71,7 +81,7 @@ This skill auto-loads when user mentions:
71
81
  [ ] X-Powered-By (hide tech)
72
82
  ```
73
83
 
74
- ### Phase 3: Exposed Files & Information Disclosure 🔴 **NEW**
84
+ ### Phase 3: Exposed Files & Information Disclosure 🔴
75
85
  ```
76
86
  [ ] .env file accessible?
77
87
  [ ] .git directory exposed?
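Review bot: Phase 3 loses the **NEW** badge but keeps the 🔴 marker, while Phases 13 to 15 (CORS, JWT, GraphQL) in the same diff drop both; pick one convention. If 🔴 is meant to flag severity rather than recency, say so in a legend, because the new Phases 4 and 8 to 11 all carry `🔴 **NEW**` and will need the same cleanup next version.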
@@ -81,33 +91,33 @@ This skill auto-loads when user mentions:
81
91
  [ ] Spring Boot Actuator endpoints
82
92
  [ ] API documentation exposed
83
93
  [ ] Log files accessible
84
- [ ] robots.txt (reveals paths)
85
- [ ] Security.txt endpoint
86
94
  ```
87
95
 
88
- ### Phase 4: Port & Network Scanning
96
+ ### Phase 4: Subdomain Discovery 🔴 **NEW**
97
+ ```
98
+ [ ] Passive recon (crt.sh, certspotter)
99
+ [ ] DNS aggregators (SecurityTrails, VirusTotal)
100
+ [ ] Active enumeration (subfinder, amass)
101
+ [ ] DNS zone transfer
102
+ [ ] Subdomain takeover detection
103
+ ```
104
+
105
+ ### Phase 5: Port & Network Scanning
89
106
  ```
90
107
  [ ] Full port scan (1-65535)
91
108
  [ ] Service version detection
92
- [ ] High-risk port exposure:
93
- [ ] Port 3306 (MySQL)
94
- [ ] Port 5432 (PostgreSQL)
95
- [ ] Port 27017 (MongoDB)
96
- [ ] Port 6379 (Redis)
97
- [ ] Port 2375 (Docker)
98
- [ ] Port 9200 (Elasticsearch)
109
+ [ ] High-risk port exposure (3306, 5432, 6379, 2375)
99
110
  ```
100
111
 
101
- ### Phase 5: SSL/TLS Audit
112
+ ### Phase 6: SSL/TLS Audit
102
113
  ```
103
114
  [ ] Certificate validity
104
115
  [ ] TLS version (no 1.0/1.1)
105
116
  [ ] Weak ciphers
106
117
  [ ] HSTS implementation
107
- [ ] OCSP stapling
108
118
  ```
109
119
 
110
- ### Phase 6: Authentication Testing
120
+ ### Phase 7: Authentication Testing
111
121
  ```
112
122
  [ ] Brute force protection
113
123
  [ ] Password policy
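Review bot: this hunk silently drops coverage while adding the subdomain phase: `robots.txt` and `Security.txt` leave Phase 3, `OCSP stapling` leaves the SSL/TLS phase, and the collapsed "High-risk port exposure (3306, 5432, 6379, 2375)" loses MongoDB 27017 and Elasticsearch 9200, two services that are routinely found exposed without authentication. Unless these moved into the per-topic checklists (nothing in the diff shows that), restore them; at minimum keep 27017 and 9200 on the port line and keep security.txt, since it is where a tester finds the target's disclosure contact. In the new Phase 4, "DNS zone transfer" and "Subdomain takeover detection" need a note on what a positive finding looks like (AXFR answered, dangling CNAME to an unclaimed service) so the items are verifiable.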
@@ -116,7 +126,43 @@ This skill auto-loads when user mentions:
116
126
  [ ] Password reset flow
117
127
  ```
118
128
 
119
- ### Phase 7: Injection Testing
129
+ ### Phase 8: API Security 🔴 **NEW**
130
+ ```
131
+ [ ] REST API authentication
132
+ [ ] IDOR (access other users' data)
133
+ [ ] Rate limiting bypass
134
+ [ ] Mass assignment
135
+ [ ] API versioning issues
136
+ ```
137
+
138
+ ### Phase 9: WebSocket Security 🔴 **NEW**
139
+ ```
140
+ [ ] Origin validation
141
+ [ ] Cross-Site WebSocket Hijacking (CSWSH)
142
+ [ ] Authentication in WebSocket
143
+ [ ] Input validation in messages
144
+ [ ] DoS via WebSocket
145
+ ```
146
+
147
+ ### Phase 10: Cloud Metadata (SSRF) 🔴 **NEW**
148
+ ```
149
+ [ ] AWS EC2 metadata accessible?
150
+ [ ] GCP metadata accessible?
151
+ [ ] Azure metadata accessible?
152
+ [ ] IAM credentials exposed
153
+ [ ] SSRF to cloud takeover
154
+ ```
155
+
156
+ ### Phase 11: Sensitive Data Detection 🔴 **NEW**
157
+ ```
158
+ [ ] API keys in source code
159
+ [ ] AWS credentials exposed
160
+ [ ] Private keys exposed
161
+ [ ] PII in responses
162
+ [ ] Credentials in URLs
163
+ ```
164
+
165
+ ### Phase 12: Injection Testing
120
166
  ```
121
167
  [ ] SQL Injection (5 types)
122
168
  [ ] XSS (4 types)
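Review bot: Phase 10 "Cloud Metadata (SSRF)" comes before Phase 12 "Injection Testing", where the SSRF it depends on is actually established; every item in Phase 10 presupposes a confirmed SSRF, so either move the phase after Phase 12 or reword the items as "via confirmed SSRF". The phase also lacks the check that decides severity on AWS: whether IMDSv2 is enforced, since a metadata endpoint that only answers with a session token obtained via PUT is not reachable through a GET-only SSRF; add `[ ] IMDSv2 enforced / IMDSv1 disabled?`. "Mass assignment" now appears both in Phase 8 and in api-security.md Phase 6 (added below in this diff), so one should point to the other.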
@@ -127,36 +173,33 @@ This skill auto-loads when user mentions:
127
173
  [ ] SSRF
128
174
  ```
129
175
 
130
- ### Phase 8: CORS Security 🔴 **NEW**
176
+ ### Phase 13: CORS Security
131
177
  ```
132
178
  [ ] Wildcard origin check
133
179
  [ ] Credentials with wildcard
134
180
  [ ] Null origin allowed?
135
181
  [ ] Internal IPs allowed?
136
- [ ] Sensitive endpoints CORS
137
182
  ```
138
183
 
139
- ### Phase 9: JWT Security 🔴 **NEW**
184
+ ### Phase 14: JWT Security
140
185
  ```
141
186
  [ ] Algorithm confusion (RS256→HS256)
142
187
  [ ] alg:none bypass
143
188
  [ ] Weak secret brute force
144
189
  [ ] Null signature accepted
145
- [ ] Token manipulation (exp, iat, sub)
146
- [ ] JWKS cache poisoning
190
+ [ ] Token manipulation
147
191
  ```
148
192
 
149
- ### Phase 10: GraphQL Security 🔴 **NEW**
193
+ ### Phase 15: GraphQL Security
150
194
  ```
151
195
  [ ] Introspection enabled?
152
- [ ] GraphQL IDE exposed
153
196
  [ ] Authorization bypass (IDOR)
154
197
  [ ] Batch query attack
155
198
  [ ] Depth-based DoS
156
199
  [ ] SQL/NoSQL Injection
157
200
  ```
158
201
 
159
- ### Phase 11: OWASP Top 10 (A01-A10)
202
+ ### Phase 16: OWASP Top 10 (A01-A10)
160
203
  ```
161
204
  [ ] A01 - Broken Access Control
162
205
  [ ] A02 - Cryptographic Failures
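Review bot: beyond renumbering, this hunk removes four concrete test items with no replacement: "Sensitive endpoints CORS", the JWT claim list "(exp, iat, sub)" (a bare "Token manipulation" no longer tells the tester which claims to check), "JWKS cache poisoning", and "GraphQL IDE exposed". The claim list is what makes the JWT item testable; keep `Token manipulation (exp, iat, sub)` and move the JWKS and IDE items into jwt.md / graphql.md rather than deleting them.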
@@ -170,38 +213,36 @@ This skill auto-loads when user mentions:
170
213
  [ ] A10 - SSRF
171
214
  ```
172
215
 
173
- ### Phase 12: Business Logic & API
174
- ```
175
- [ ] IDOR
176
- [ ] Privilege escalation
177
- [ ] Price manipulation
178
- [ ] API security (REST/GraphQL)
179
- [ ] Rate limiting
180
- ```
181
-
182
216
  ---
183
217
 
184
218
  ## 🔧 TOOLS LOCATION
185
219
 
186
220
  ```
187
221
  skills/pentesting/
188
- ├── SKILL.md # This file
222
+ ├── SKILL.md
189
223
  ├── checklists/
190
- │ ├── headers.md # 9 headers detail
224
+ │ ├── headers.md # Security headers
191
225
  │ ├── owasp.md # OWASP Top 10
192
226
  │ ├── ports.md # Port scanning
193
- │ ├── injection.md # All injection types
194
- │ ├── exposed-files.md # 🔴 NEW - Exposed files
195
- │ ├── cors.md # 🔴 NEW - CORS security
196
- │ ├── jwt.md # 🔴 NEW - JWT security
197
- └── graphql.md # 🔴 NEW - GraphQL security
227
+ │ ├── injection.md # All injection types
228
+ │ ├── exposed-files.md # Exposed files detection
229
+ │ ├── cors.md # CORS security
230
+ │ ├── jwt.md # JWT security
231
+ ├── graphql.md # GraphQL security
232
+ │ ├── api-security.md # 🔴 NEW - API security
233
+ │ ├── subdomain.md # 🔴 NEW - Subdomain discovery
234
+ │ ├── websocket.md # 🔴 NEW - WebSocket security
235
+ │ ├── cloud-metadata.md # 🔴 NEW - Cloud metadata/SSRF
236
+ │ └── sensitive-data.md # 🔴 NEW - Sensitive data detection
198
237
  ├── tools/
199
238
  │ ├── header-scan.sh # Linux/Mac headers
200
239
  │ ├── header-scan.ps1 # Windows headers
201
- │ ├── exposed-files-scan.sh # 🔴 NEW - Exposed files
202
- │ ├── exposed-files-scan.ps1 # 🔴 NEW - Exposed files
203
- │ ├── full-scan.sh # 🔴 NEW - All-in-one Linux
204
- └── full-scan.ps1 # 🔴 NEW - All-in-one Windows
240
+ │ ├── exposed-files-scan.sh # Exposed files (Linux)
241
+ │ ├── exposed-files-scan.ps1 # Exposed files (Windows)
242
+ │ ├── full-scan.sh # All-in-one (Linux)
243
+ ├── full-scan.ps1 # All-in-one (Windows)
244
+ │ ├── test-skill.sh # Skill health check (Linux)
245
+ │ └── test-skill.ps1 # Skill health check (Windows)
205
246
  └── reports/
206
247
  └── template.md # Report template
207
248
  ```
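Review bot: the tree is malformed at two points: `├── graphql.md` and `├── full-scan.ps1` lost their leading `│ ` and now render one level up, as siblings of `checklists/` and `tools/` instead of children (they became `├──` correctly because entries follow them, but at the wrong depth). Separately, removing Phase 12 "Business Logic & API" drops "Privilege escalation" and "Price manipulation" from the top-level checklist; the new Phase 8 does not carry them, and they survive only inside api-security.md, so add a pointer from Phase 8 to `checklists/api-security.md` so the top-level list still leads to those checks.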
@@ -210,66 +251,28 @@ skills/pentesting/
210
251
 
211
252
  ## 🚀 QUICK COMMANDS
212
253
 
213
- ### Skill Health Check 🔴 **NEW**
214
- ```bash
215
- # Windows PowerShell
216
- .\tools\test-skill.ps1
217
- .\tools\test-skill.ps1 -Verbose
218
-
219
- # Linux/Mac
220
- chmod +x tools/test-skill.sh
221
- ./tools/test-skill.sh
222
- ```
223
-
224
254
  ### Security Headers
225
255
  ```bash
226
- # Linux/Mac
227
- chmod +x tools/header-scan.sh
228
- ./tools/header-scan.sh https://target.com
229
-
230
- # Windows PowerShell
231
256
  .\tools\header-scan.ps1 -Target https://target.com
257
+ ./tools/header-scan.sh https://target.com
232
258
  ```
233
259
 
234
- ### Exposed Files Scan 🔴 NEW
260
+ ### Exposed Files Scan
235
261
  ```bash
236
- # Linux/Mac
237
- chmod +x tools/exposed-files-scan.sh
238
- ./tools/exposed-files-scan.sh https://target.com
239
-
240
- # Windows PowerShell
241
262
  .\tools\exposed-files-scan.ps1 -Target https://target.com
263
+ ./tools/exposed-files-scan.sh https://target.com
242
264
  ```
243
265
 
244
- ### Full Security Scan (All-in-One) 🔴 NEW
266
+ ### Full Security Scan (All-in-One)
245
267
  ```bash
246
- # Linux/Mac
247
- chmod +x tools/full-scan.sh
248
- ./tools/full-scan.sh https://target.com
249
-
250
- # Windows PowerShell
251
268
  .\tools\full-scan.ps1 -Target https://target.com
269
+ ./tools/full-scan.sh https://target.com
252
270
  ```
253
271
 
254
- ### Port Scanning
255
- ```bash
256
- nmap -sV -p 21,22,80,443,3306,5432,8080 target.com
257
- nmap -p- -sV target.com
258
- ```
259
-
260
- ### Vulnerability Scanning
272
+ ### Skill Health Check
261
273
  ```bash
262
- # Nuclei
263
- nuclei -u https://target.com
264
-
265
- # SQLMap
266
- sqlmap -u "https://target.com/search?q=1" --batch
267
-
268
- # Dalfox XSS
269
- dalfox url https://target.com/search?q=test
270
-
271
- # Commix
272
- commix -u "http://target.com/ping?ip=127.0.0.1"
274
+ .\tools\test-skill.ps1
275
+ ./tools/test-skill.sh
273
276
  ```
274
277
 
275
278
  ---
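Review bot: the rewritten Quick Commands put a PowerShell call (`.\tools\header-scan.ps1 -Target ...`) and a shell call in the same ```bash block with the `# Linux/Mac` / `# Windows PowerShell` labels removed, so readers on either platform now see a line that will not run for them; keep the labels or split the fences. The `chmod +x` steps are also gone, and `./tools/full-scan.sh` will fail with "Permission denied" on any install where the executable bit did not survive packing, so keep the chmod line or document it once. The Port Scanning and Vulnerability Scanning sections (nmap, nuclei, sqlmap, dalfox, commix) are deleted outright; if ports.md and injection.md are meant to carry them, say so here, otherwise restore them.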
@@ -321,8 +324,12 @@ F (0-29): Critical
321
324
  - "test CORS" → Load CORS checklist
322
325
  - "test JWT" → Load JWT checklist
323
326
  - "test GraphQL" → Load GraphQL checklist
324
- - **"test skill" / "check skill" / "validate skill"** Run skill health check
325
- - **"skill status" / "skill health"** Show skill installation status
327
+ - "test API security" Load API security checklist 🔴 **NEW**
328
+ - "test subdomain" Load subdomain discovery 🔴 **NEW**
329
+ - "test WebSocket" → Load WebSocket security 🔴 **NEW**
330
+ - "test cloud metadata" → Load cloud metadata checklist 🔴 **NEW**
331
+ - "test sensitive data" → Load sensitive data checklist 🔴 **NEW**
332
+ - "test skill" / "check skill" → Run skill health check
326
333
 
327
334
  ---
328
335
 
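Review bot: the new routing lines are inconsistent: "test API security" and "test subdomain" lack the `→` that every other entry has, and the target is phrased three ways ("Load API security checklist", "Load subdomain discovery", "Load WebSocket security"); use the same `→ Load checklists/<file>.md` form throughout so the mapping is unambiguous. The removed "skill status" / "skill health" entry leaves those phrases, still listed as triggers earlier in this diff, with no handler; either restore the routing or drop the trigger.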
@@ -338,20 +345,20 @@ User: "security audit untuk target.com"
338
345
  User: "check exposed files di website ini"
339
346
  → Run exposed files scan → site/target.com-exposed-2025-07-05.md
340
347
 
341
- User: "test CORS di api.target.com"
342
- → Run CORS security tests
348
+ User: "test API security"
349
+ → Run API security tests → checklists/api-security.md
343
350
 
344
- User: "audit JWT security"
345
- → Run JWT security checklist
351
+ User: "subdomain enumeration untuk target.com"
352
+ → Run subdomain discovery → checklists/subdomain.md
346
353
 
347
- User: "GraphQL security check"
348
- Run GraphQL security tests
354
+ User: "test SSRF"
355
+ Load cloud metadata/SSRF checklist
349
356
 
350
- User: "test skill"
351
- Run skill health check → Show test results
357
+ User: "check sensitive data exposure"
358
+ Load sensitive data detection checklist
352
359
 
353
- User: "validate skill installation"
354
- Verify all files exist → Show skill status
360
+ User: "test skill"
361
+ Run skill health check
355
362
  ```
356
363
 
357
364
  ---
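Review bot: three of the five new examples ("test SSRF", "check sensitive data exposure", "test skill") drop the `→` that the other examples use, so the action lines read as continuation text; restore it. The CORS, JWT and GraphQL examples are removed although those checklists still exist, and "test SSRF" now routes to the cloud-metadata checklist, which confirms the trigger overlap with the injection phase noted on the trigger list.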
@@ -359,6 +366,9 @@ User: "validate skill installation"
359
366
  ## ✅ SKILL READY
360
367
 
361
368
  **Status:** ACTIVE & READY FOR USE
362
- **Version:** 3.0
369
+ **Version:** 4.0
363
370
  **Author:** Rz (@soulofzephir)
364
371
  **Last Updated:** 2025-07-05
372
+ **Checklists:** 13
373
+ **Tools:** 8
374
+ **Health Score:** 95%+
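Review bot: `**Health Score:** 95%+` is a hardcoded value for something test-skill.sh computes at runtime, so it will be wrong the first time a file is missing; either remove it or label it "as of this release". The `Checklists: 13` and `Tools: 8` counts do match the tree in this diff, but they are equally hand-maintained; have the health check print them instead of stating them here.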
@@ -0,0 +1,210 @@
1
+ # API Security Checklist
2
+
3
+ ## 🔍 What is API Security?
4
+
5
+ APIs expose application logic and sensitive data. Testing requires understanding authentication, authorization, and input validation.
6
+
7
+ ---
8
+
9
+ ## ⚠️ Common API Vulnerabilities
10
+
11
+ ### 1. Broken Object Level Authorization (BOLA/IDOR)
12
+ ```
13
+ Risk: Users access other users' resources
14
+ Test: Change ID in request parameter
15
+ ```
16
+
17
+ ### 2. Broken Authentication
18
+ ```
19
+ Risk: Session management flaws
20
+ Test: Token manipulation, JWT attacks
21
+ ```
22
+
23
+ ### 3. Excessive Data Exposure
24
+ ```
25
+ Risk: API returns more data than needed
26
+ Test: Analyze all response fields
27
+ ```
28
+
29
+ ### 4. Lack of Resources & Rate Limiting
30
+ ```
31
+ Risk: DoS, brute force
32
+ Test: Send many requests, measure throttling
33
+ ```
34
+
35
+ ### 5. Mass Assignment
36
+ ```
37
+ Risk: Modify protected fields
38
+ Test: Add unexpected fields to request
39
+ ```
40
+
41
+ ---
42
+
43
+ ## 🧪 Testing Checklist
44
+
45
+ ### Phase 1: Discovery
46
+ - [ ] API endpoints identified
47
+ - [ ] HTTP methods discovered (GET, POST, PUT, DELETE, PATCH)
48
+ - [ ] Authentication method identified (Bearer, API Key, OAuth, JWT)
49
+ - [ ] Content-Type identified (JSON, XML, form-data)
50
+ - [ ] Versioning detected (v1, v2, /api/)
51
+
52
+ ### Phase 2: Authentication Testing
53
+ - [ ] API key exposure in URL (should be in header)
54
+ - [ ] Bearer token manipulation
55
+ - [ ] JWT attacks (alg confusion, none, weak secret)
56
+ - [ ] Session fixation
57
+ - [ ] Token expiration bypass
58
+ - [ ] Password reset via API
59
+ - [ ] MFA bypass attempts
60
+
61
+ ### Phase 3: Authorization Testing
62
+ - [ ] Horizontal privilege escalation (access other users)
63
+ - [ ] Vertical privilege escalation (admin access)
64
+ - [ ] IDOR in resource endpoints
65
+ - [ ] Parameter manipulation
66
+ - [ ] Path traversal in URLs
67
+
68
+ ### Phase 4: Input Validation
69
+ - [ ] SQL Injection
70
+ - [ ] NoSQL Injection (MongoDB operators)
71
+ - [ ] Command Injection
72
+ - [ ] XSS (in JSON responses)
73
+ - [ ] XML Injection (if XML API)
74
+ - [ ] JSON Manipulation
75
+
76
+ ### Phase 5: Rate Limiting
77
+ - [ ] Rate limit present?
78
+ - [ ] Bypass via header manipulation (X-Forwarded-For)
79
+ - [ ] Bypass via IP rotation
80
+ - [ ] Bypass via user-agent rotation
81
+ - [ ] Business logic abuse (coupon reuse, price manipulation)
82
+
83
+ ### Phase 6: Business Logic
84
+ - [ ] Workflow bypass
85
+ - [ ] Race condition
86
+ - [ ] Mass assignment
87
+ - [ ] Insufficient workflow validation
88
+ - [ ] Time-based logic abuse
89
+
90
+ ### Phase 7: Data Exposure
91
+ - [ ] Sensitive data in responses (PII, passwords, tokens)
92
+ - [ ] Stack traces in errors
93
+ - [ ] Debug endpoints exposed
94
+ - [ ] Verbose logging
95
+ - [ ] Default/error messages leak info
96
+
97
+ ### Phase 8: Configuration
98
+ - [ ] CORS misconfiguration
99
+ - [ ] HTTP methods enabled (TRACE, OPTIONS)
100
+ - [ ] SSL/TLS issues
101
+ - [ ] Security headers missing
102
+ - [ ] Sensitive fields in Swagger/OpenAPI
103
+
104
+ ---
105
+
106
+ ## 🔧 Common API Payloads
107
+
108
+ ### SQL Injection
109
+ ```json
110
+ {"id": "1 OR 1=1"}
111
+ {"id": "1' OR '1'='1"}
112
+ {"id": "1; DROP TABLE users--"}
113
+ ```
114
+
115
+ ### NoSQL Injection
116
+ ```json
117
+ {"id": {"$ne": null}}
118
+ {"id": {"$gt": ""}}
119
+ {"username": {"$regex": ".*"}}
120
+ {"password": {"$ne": ""}}
121
+ ```
122
+
123
+ ### Mass Assignment
124
+ ```json
125
+ {"user_id": 123, "role": "admin"}
126
+ {"price": 1, "admin": true}
127
+ ```
128
+
129
+ ### Bypass Rate Limiting
130
+ ```bash
131
+ # Via X-Forwarded-For
132
+ curl -H "X-Forwarded-For: 1.2.3.4" api.target.com
133
+
134
+ # Via X-Real-IP
135
+ curl -H "X-Real-IP: 1.2.3.4" api.target.com
136
+
137
+ # Via X-Originating-IP
138
+ curl -H "X-Originating-IP: 1.2.3.4" api.target.com
139
+ ```
140
+
141
+ ### IDOR Tests
142
+ ```bash
143
+ # Change user ID
144
+ GET /api/users/123/profile
145
+ GET /api/users/124/profile
146
+
147
+ # Change resource ID
148
+ GET /api/orders/1001
149
+ GET /api/orders/1002
150
+
151
+ # Change UUID
152
+ GET /api/documents/abc-123
153
+ GET /api/documents/abc-124
154
+ ```
155
+
156
+ ---
157
+
158
+ ## 🛠️ Tools
159
+
160
+ ```bash
161
+ # Burp Suite (Recommended)
162
+ # - Intruder for fuzzing
163
+ # - Repeater for testing
164
+ # - Active Scanner
165
+
166
+ # sqlmap for API SQLi
167
+ sqlmap -u "https://api.target.com/users?id=1" --level=5 --risk=3
168
+
169
+ # ffuf for fuzzing
170
+ ffuf -w wordlist.txt -u https://api.target.com/FUZZ
171
+
172
+ # JWT attacks
173
+ python -m jwt_tool <JWT> -T
174
+ hashcat -a 0 -m 16500 jwt.txt wordlist.txt
175
+
176
+ # API enumeration
177
+ nmap --script=http-enum api.target.com
178
+ ```
179
+
180
+ ---
181
+
182
+ ## 📋 API Security Score
183
+
184
+ | Area | Score | Weight |
185
+ |------|-------|--------|
186
+ | Authentication | /20 | High |
187
+ | Authorization | /20 | Critical |
188
+ | Rate Limiting | /15 | High |
189
+ | Input Validation | /15 | Critical |
190
+ | Data Exposure | /15 | High |
191
+ | Configuration | /15 | Medium |
192
+
193
+ **Total: /100**
194
+
195
+ ---
196
+
197
+ ## 🛡️ Secure API Checklist
198
+
199
+ - [ ] JWT with strong secret (HS256 min 256-bit)
200
+ - [ ] Token expiration set
201
+ - [ ] Proper authorization on every endpoint
202
+ - [ ] Rate limiting enabled
203
+ - [ ] Input validation on all parameters
204
+ - [ ] Sensitive data not in responses
205
+ - [ ] Security headers set
206
+ - [ ] CORS properly configured
207
+ - [ ] No verbose errors in production
208
+ - [ ] API versioning
209
+ - [ ] Logging without sensitive data
210
+ - [ ] HTTPS only
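Review bot: the closing "Secure API Checklist" does not mirror the tests above it: there is no item for mass assignment (an allow-list of writable fields per endpoint), none for object-level authorization even though BOLA/IDOR is the first vulnerability listed, and "Rate limiting enabled" says nothing about what the limit is keyed on, while the bypass section shows that a limit keyed on X-Forwarded-For or similar client-supplied headers is defeated by one header; add lines for those three. Two smaller points: the "IDOR Tests" block is tagged ```bash but contains raw request lines, and the payload `1; DROP TABLE users--` is destructive where the surrounding boolean payloads already suffice for detection, so drop it or mark it as out of scope for an assessment.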