chore: import upstream snapshot with attribution
This commit is contained in:
@@ -0,0 +1,171 @@
|
||||
---
|
||||
name: api-security-testing
|
||||
description: "API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices."
|
||||
category: granular-workflow-bundle
|
||||
risk: safe
|
||||
source: personal
|
||||
date_added: "2026-02-27"
|
||||
---
|
||||
|
||||
# API Security Testing Workflow
|
||||
|
||||
## Overview
|
||||
|
||||
Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities.
|
||||
|
||||
## When to Use This Workflow
|
||||
|
||||
Use this workflow when:
|
||||
- Testing REST API security
|
||||
- Assessing GraphQL endpoints
|
||||
- Validating API authentication
|
||||
- Testing API rate limiting
|
||||
- Bug bounty API testing
|
||||
|
||||
## Workflow Phases
|
||||
|
||||
### Phase 1: API Discovery
|
||||
|
||||
#### Skills to Invoke
|
||||
- `api-fuzzing-bug-bounty` - API fuzzing
|
||||
- `scanning-tools` - API scanning
|
||||
|
||||
#### Actions
|
||||
1. Enumerate endpoints
|
||||
2. Document API methods
|
||||
3. Identify parameters
|
||||
4. Map data flows
|
||||
5. Review documentation
|
||||
|
||||
#### Copy-Paste Prompts
|
||||
```
|
||||
Use @api-fuzzing-bug-bounty to discover API endpoints
|
||||
```
|
||||
|
||||
### Phase 2: Authentication Testing
|
||||
|
||||
#### Skills to Invoke
|
||||
- `broken-authentication` - Auth testing
|
||||
- `api-security-best-practices` - API auth
|
||||
|
||||
#### Actions
|
||||
1. Test API key validation
|
||||
2. Test JWT tokens
|
||||
3. Test OAuth2 flows
|
||||
4. Test token expiration
|
||||
5. Test refresh tokens
|
||||
|
||||
#### Copy-Paste Prompts
|
||||
```
|
||||
Use @broken-authentication to test API authentication
|
||||
```
|
||||
|
||||
### Phase 3: Authorization Testing
|
||||
|
||||
#### Skills to Invoke
|
||||
- `idor-testing` - IDOR testing
|
||||
|
||||
#### Actions
|
||||
1. Test object-level authorization
|
||||
2. Test function-level authorization
|
||||
3. Test role-based access
|
||||
4. Test privilege escalation
|
||||
5. Test multi-tenant isolation
|
||||
|
||||
#### Copy-Paste Prompts
|
||||
```
|
||||
Use @idor-testing to test API authorization
|
||||
```
|
||||
|
||||
### Phase 4: Input Validation
|
||||
|
||||
#### Skills to Invoke
|
||||
- `api-fuzzing-bug-bounty` - API fuzzing
|
||||
- `sql-injection-testing` - Injection testing
|
||||
|
||||
#### Actions
|
||||
1. Test parameter validation
|
||||
2. Test SQL injection
|
||||
3. Test NoSQL injection
|
||||
4. Test command injection
|
||||
5. Test XXE injection
|
||||
|
||||
#### Copy-Paste Prompts
|
||||
```
|
||||
Use @api-fuzzing-bug-bounty to fuzz API parameters
|
||||
```
|
||||
|
||||
### Phase 5: Rate Limiting
|
||||
|
||||
#### Skills to Invoke
|
||||
- `api-security-best-practices` - Rate limiting
|
||||
|
||||
#### Actions
|
||||
1. Test rate limit headers
|
||||
2. Test brute force protection
|
||||
3. Test resource exhaustion
|
||||
4. Test bypass techniques
|
||||
5. Document limitations
|
||||
|
||||
#### Copy-Paste Prompts
|
||||
```
|
||||
Use @api-security-best-practices to test rate limiting
|
||||
```
|
||||
|
||||
### Phase 6: GraphQL Testing
|
||||
|
||||
#### Skills to Invoke
|
||||
- `api-fuzzing-bug-bounty` - GraphQL fuzzing
|
||||
|
||||
#### Actions
|
||||
1. Test introspection
|
||||
2. Test query depth
|
||||
3. Test query complexity
|
||||
4. Test batch queries
|
||||
5. Test field suggestions
|
||||
|
||||
#### Copy-Paste Prompts
|
||||
```
|
||||
Use @api-fuzzing-bug-bounty to test GraphQL security
|
||||
```
|
||||
|
||||
### Phase 7: Error Handling
|
||||
|
||||
#### Skills to Invoke
|
||||
- `api-security-best-practices` - Error handling
|
||||
|
||||
#### Actions
|
||||
1. Test error messages
|
||||
2. Check information disclosure
|
||||
3. Test stack traces
|
||||
4. Verify logging
|
||||
5. Document findings
|
||||
|
||||
#### Copy-Paste Prompts
|
||||
```
|
||||
Use @api-security-best-practices to audit API error handling
|
||||
```
|
||||
|
||||
## API Security Checklist
|
||||
|
||||
- [ ] Authentication working
|
||||
- [ ] Authorization enforced
|
||||
- [ ] Input validated
|
||||
- [ ] Rate limiting active
|
||||
- [ ] Errors sanitized
|
||||
- [ ] Logging enabled
|
||||
- [ ] CORS configured
|
||||
- [ ] HTTPS enforced
|
||||
|
||||
## Quality Gates
|
||||
|
||||
- [ ] All endpoints tested
|
||||
- [ ] Vulnerabilities documented
|
||||
- [ ] Remediation provided
|
||||
- [ ] Report generated
|
||||
|
||||
## Related Workflow Bundles
|
||||
|
||||
- `security-audit` - Security auditing
|
||||
- `web-security-testing` - Web security
|
||||
- `api-development` - API development
|
||||
Reference in New Issue
Block a user