Quick assessment
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
Suitable tasks
- Turn repetitive tasks into a reusable AI operating procedure.
- Have the AI follow a consistent standard in a specific scenario.
- Provide copyable task instructions for a team or personal workflow.
Inputs and outputs
Input: the task goal, context material, file paths, constraints, or the content to be processed.
Output: documents, code, check results, plans, recommendations, or step-by-step instructions produced as the Skill describes.
Example tasks
- Use api-security-testing to handle my current task, and state which inputs need to be confirmed before execution.
- Following the api-security-testing instructions, give me a checklist of safe usage steps.
Installation
- Download the Skill ZIP provided on this site and unpack it.
- Place the unpacked Skill directory in the skills directory supported by your current AI tool.
- To view the original content online, open SKILL.md on GitHub.
Risk boundaries
Check permissions, external dependencies, and the types of data to be processed before use. Do not hand passwords, keys, identity information, or sensitive customer data to an unverified Skill.
SKILL.md documentation
API Security Testing Workflow
Overview
Specialized workflow for testing REST and GraphQL API security including authentication, authorization, rate limiting, input validation, and API-specific vulnerabilities.
When to Use This Workflow
Use this workflow when:
- Testing REST API security
- Assessing GraphQL endpoints
- Validating API authentication
- Testing API rate limiting
- Bug bounty API testing
Workflow Phases
Phase 1: API Discovery
Skills to Invoke
- api-fuzzing-bug-bounty - API fuzzing
- scanning-tools - API scanning
Actions
1. Enumerate endpoints
2. Document API methods
3. Identify parameters
4. Map data flows
5. Review documentation
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to discover API endpoints
Phase 2: Authentication Testing
Skills to Invoke
- broken-authentication - Auth testing
- api-security-best-practices - API auth
Actions
1. Test API key validation
2. Test JWT tokens
3. Test OAuth2 flows
4. Test token expiration
5. Test refresh tokens
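A worked check for steps 2 and 4 of this phase, added here as an example and not part of the original skill: it decodes a captured JWT, flags an unsigned `alg: none` token, tries a short list of weak HS256 secrets against the signature, checks the `exp` claim, and points out key-location headers (`jku`, `x5u`) that deserve a pinning test. The sample tokens, the fixed clock `NOW` and the `WEAK_SECRETS` list are constructed for the demo; a real engagement would use a proper wordlist and then replay the expired and forged tokens against the API to confirm the server actually rejects them.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(header: dict, payload: dict, secret: Optional[bytes]) -> str:
    """Build a compact JWT for the demo. secret=None yields an unsigned 'alg: none' token."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if secret is None:
        return f"{h}.{p}."
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

# Tiny guessing list to catch trivially weak HS256 secrets (constructed for the demo).
WEAK_SECRETS = [b"secret", b"password", b"changeme", b"jwt_secret", b"123456"]

def audit_jwt(token: str, now: Optional[float] = None, wordlist=WEAK_SECRETS) -> list:
    """Return a list of finding strings for one captured token; [] means nothing was flagged."""
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    alg = str(header.get("alg", ""))

    # 1. Unsigned token: if the server honours alg=none, any claims can be forged.
    if alg.lower() == "none" or sig_b64 == "":
        findings.append("alg-none: token is unsigned; verify the server rejects it")
    # 2. HS256 with a guessable secret: the attacker can re-sign arbitrary payloads.
    if alg == "HS256" and sig_b64:
        signing_input = f"{header_b64}.{payload_b64}".encode()
        sig = _b64url_decode(sig_b64)
        for guess in wordlist:
            if hmac.compare_digest(hmac.new(guess, signing_input, hashlib.sha256).digest(), sig):
                findings.append(f"weak-secret: HS256 secret is {guess.decode()!r}")
                break
    # 3. Lifetime: no exp means a stolen token works forever; an expired token that
    #    the API still accepts means the exp check is skipped server-side.
    now = time.time() if now is None else now
    if "exp" not in payload:
        findings.append("no-exp: token has no expiry claim")
    elif payload["exp"] < now:
        findings.append("expired: exp is in the past; replay it and confirm a 401")
    # 4. Key-location headers: if the server fetches keys from an unpinned URL,
    #    the attacker can point it at a key they control.
    for hdr in ("jku", "x5u"):
        if hdr in header:
            findings.append(f"key-url-header: {hdr}={header[hdr]!r}; test for unpinned key lookup")
    return findings

NOW = 1_700_000_000  # fixed clock so results are reproducible (constructed)
SAMPLE_TOKENS = {
    "unsigned": make_jwt({"alg": "none", "typ": "JWT"}, {"sub": "admin", "exp": NOW + 3600}, None),
    "weak":     make_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "exp": NOW + 3600}, b"secret"),
    "expired":  make_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "exp": NOW - 60}, b"k" * 32),
    "ok":       make_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "exp": NOW + 3600}, b"k" * 32),
}

if __name__ == "__main__":
    for name, tok in SAMPLE_TOKENS.items():
        print(name, audit_jwt(tok, now=NOW))
```

`audit_jwt` only tells you what the token looks like; the finding becomes a vulnerability only when the API accepts the forged, re-signed or expired token, so each flagged token should be sent back to the endpoint and the response code recorded.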
Copy-Paste Prompts
Use @broken-authentication to test API authentication
Phase 3: Authorization Testing
Skills to Invoke
- idor-testing - IDOR testing
Actions
1. Test object-level authorization
2. Test function-level authorization
3. Test role-based access
4. Test privilege escalation
5. Test multi-tenant isolation
Copy-Paste Prompts
Use @idor-testing to test API authorization
Phase 4: Input Validation
Skills to Invoke
- api-fuzzing-bug-bounty - API fuzzing
- sql-injection-testing - Injection testing
Actions
1. Test parameter validation
2. Test SQL injection
3. Test NoSQL injection
4. Test command injection
5. Test XXE injection
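Step 3 (NoSQL injection) is the one that is specific to JSON APIs: because the body is already decoded into objects, a value like `{"$ne": ""}` reaches the query layer as an operator rather than a string. The example below is added here and is not the skill's own code. It models a minimal MongoDB-style matcher (`$ne`, `$gt`, `$regex` only), a login handler that forwards the decoded JSON straight into the query, and a fixed handler that rejects anything but strings. The user record and probe payloads are constructed; the plaintext password exists only so the injection is visible.

```python
import re

# Constructed user store. A real service stores password hashes and compares them in code.
USERS = [{"username": "admin", "password": "correct-horse-battery"}]

_OPS = {"$ne", "$gt", "$regex"}

def _match(value, cond) -> bool:
    """Evaluate a tiny subset of MongoDB operator semantics against one field value."""
    if value is None:
        return False
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op not in _OPS:
            return False
        if op == "$ne" and not (value != arg):
            return False
        if op == "$gt" and not (value > arg):
            return False
        if op == "$regex" and not re.search(arg, value):
            return False
    return True

def find_one(query: dict):
    for doc in USERS:
        if all(_match(doc.get(k), v) for k, v in query.items()):
            return doc
    return None

def login_vulnerable(body: dict) -> int:
    """Forwards decoded JSON into the query, so an object in the body becomes an operator."""
    doc = find_one({"username": body.get("username"), "password": body.get("password")})
    return 200 if doc else 401

def login_fixed(body: dict) -> int:
    """Type-checks both fields before they reach the query layer."""
    u, p = body.get("username"), body.get("password")
    if not isinstance(u, str) or not isinstance(p, str):
        return 400
    return 200 if find_one({"username": u, "password": p}) else 401

# Constructed probe bodies: two legitimate requests, then operator-injection attempts of
# the kind a JSON-aware fuzzer should send for every string field.
PAYLOADS = {
    "valid":      {"username": "admin", "password": "correct-horse-battery"},
    "wrong":      {"username": "admin", "password": "nope"},
    "ne-empty":   {"username": "admin", "password": {"$ne": ""}},
    "gt-empty":   {"username": {"$gt": ""}, "password": {"$gt": ""}},
    "regex-enum": {"username": "admin", "password": {"$regex": "^c"}},
}

def run_probe(handler) -> dict:
    """Map each payload name to the status the handler returns."""
    return {name: handler(body) for name, body in PAYLOADS.items()}

if __name__ == "__main__":
    print("vulnerable:", run_probe(login_vulnerable))
    print("fixed:     ", run_probe(login_fixed))
```

The `regex-enum` payload matters beyond the bypass: a handler that accepts `$regex` lets an attacker recover the stored value one character at a time by observing 200 versus 401, which is why the fix rejects the type rather than blocklisting operator names.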
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to fuzz API parameters
Phase 5: Rate Limiting
Skills to Invoke
- api-security-best-practices - Rate limiting
Actions
1. Test rate limit headers
2. Test brute force protection
3. Test resource exhaustion
4. Test bypass techniques (client-controlled keys such as X-Forwarded-For, alternate paths to the same handler)
5. Document limitations
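An added example covering steps 1 and 4, not taken from the skill: a fixed-window limiter that emits `X-RateLimit-*` and `Retry-After` headers, three ways of deriving the client key, and a probe that sends a burst from one peer while rotating `X-Forwarded-For`. Keying on that header as sent by the client is the classic bypass; the `key_by_trusted_xff` variant only honours the header when the TCP peer is the organisation's own proxy and then takes only the last entry, which that proxy appended. The limiter, the request shape, the addresses and the single-proxy topology are all assumptions made for the demo.

```python
from collections import defaultdict
from typing import Optional

class FixedWindowLimiter:
    """Counts hits per (key, window); answers 429 plus Retry-After once the limit is exceeded."""
    def __init__(self, limit: int, window_s: int, key_fn):
        self.limit, self.window_s, self.key_fn = limit, window_s, key_fn
        self.hits = defaultdict(int)

    def check(self, request: dict, now: float):
        window = int(now // self.window_s)
        bucket = (self.key_fn(request), window)
        self.hits[bucket] += 1
        remaining = max(self.limit - self.hits[bucket], 0)
        headers = {"X-RateLimit-Limit": str(self.limit), "X-RateLimit-Remaining": str(remaining)}
        if self.hits[bucket] > self.limit:
            headers["Retry-After"] = str(int((window + 1) * self.window_s - now) or 1)
            return 429, headers
        return 200, headers

# A request is {"peer": <TCP peer address>, "headers": {...}} (constructed shape).
def key_by_xff(req: dict) -> str:
    """Weak: keys on a header the client can set to anything."""
    return req["headers"].get("X-Forwarded-For", req["peer"])

def key_by_peer(req: dict) -> str:
    """Sound when clients reach the service directly, with no proxy in between."""
    return req["peer"]

def key_by_trusted_xff(trusted_proxies: set):
    """Behind one reverse proxy: honour X-Forwarded-For only when the peer is that proxy,
    and use only the last entry, which the proxy appended; earlier entries are client-supplied."""
    def key(req: dict) -> str:
        xff = req["headers"].get("X-Forwarded-For", "")
        if req["peer"] in trusted_proxies and xff:
            return xff.split(",")[-1].strip()
        return req["peer"]
    return key

def probe(limiter: FixedWindowLimiter, n: int, peer: str, xff: Optional[str] = None) -> int:
    """Send n requests from one peer inside a single window. xff is a format string applied
    per request ('198.51.100.{i}' rotates the header). Returns how many requests got a 429."""
    blocked = 0
    for i in range(n):
        headers = {"X-Forwarded-For": xff.format(i=i)} if xff else {}
        status, _ = limiter.check({"peer": peer, "headers": headers}, now=1000.0 + i * 0.01)
        if status == 429:
            blocked += 1
    return blocked

if __name__ == "__main__":
    spoof = "198.51.100.{i}"
    print("xff-keyed, rotating header:   ", probe(FixedWindowLimiter(10, 60, key_by_xff), 20, "203.0.113.7", spoof))
    print("peer-keyed, rotating header:  ", probe(FixedWindowLimiter(10, 60, key_by_peer), 20, "203.0.113.7", spoof))
    trusted = key_by_trusted_xff({"10.0.0.1"})
    print("trusted-xff, direct client:   ", probe(FixedWindowLimiter(10, 60, trusted), 20, "203.0.113.7", spoof))
    print("trusted-xff, via proxy, prefix-injected:", probe(FixedWindowLimiter(10, 60, trusted), 20, "10.0.0.1", spoof + ", 203.0.113.7"))
```

When testing a live API, the same probe is run twice: once with a constant header to measure the real limit and `Retry-After` behaviour, and once with rotating `X-Forwarded-For`, `X-Real-IP` or similar headers; a drop in the 429 count between the two runs is the bypass finding.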
Copy-Paste Prompts
Use @api-security-best-practices to test rate limiting
Phase 6: GraphQL Testing
Skills to Invoke
- api-fuzzing-bug-bounty - GraphQL fuzzing
Actions
1. Test introspection
2. Test query depth
3. Test query complexity
4. Test batch queries
5. Test field suggestions (schema leakage through "Did you mean ..." error messages when introspection is disabled)
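An added example for steps 1 to 4, not part of the skill: a small analyser that takes a raw `/graphql` request body and reports introspection queries, selection-set depth above a threshold, array-batched operations, and aliased calls that pack many invocations into one request (the alias form is how login brute force slips past a per-request limiter). Depth is measured by brace nesting after string literals are stripped, which is enough for this purpose but is not a full GraphQL parser. The thresholds, sample bodies and field names are constructed for the demo.

```python
import json
import re

INTROSPECTION_FIELDS = ("__schema", "__type")

def _strip_strings(query: str) -> str:
    """Blank out string literals so braces inside argument values do not affect depth."""
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', query)

def query_depth(query: str) -> int:
    """Maximum selection-set nesting; the operation's own selection set counts as 1."""
    depth = deepest = 0
    for ch in _strip_strings(query):
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest

def uses_introspection(query: str) -> bool:
    return any(f in query for f in INTROSPECTION_FIELDS)

def alias_count(query: str) -> int:
    """Aliased field calls with arguments, e.g. a1: login(...) a2: login(...)."""
    return len(re.findall(r"\b\w+\s*:\s*\w+\s*\(", _strip_strings(query)))

def assess(body: str, max_depth: int = 5, max_batch: int = 1, max_aliases: int = 5) -> list:
    """Findings for one raw request body; the thresholds are demo policy values."""
    parsed = json.loads(body)
    ops = parsed if isinstance(parsed, list) else [parsed]
    findings = []
    if len(ops) > max_batch:
        findings.append(f"batch: {len(ops)} operations in one request (limit {max_batch})")
    for i, op in enumerate(ops):
        q = op.get("query", "")
        if uses_introspection(q):
            findings.append(f"op{i}: introspection query; confirm it is disabled or authenticated in production")
        d = query_depth(q)
        if d > max_depth:
            findings.append(f"op{i}: depth {d} exceeds {max_depth}")
        a = alias_count(q)
        if a > max_aliases:
            findings.append(f"op{i}: {a} aliased calls; check per-alias rate limiting and cost analysis")
    return findings

# Constructed request bodies of the kinds a tester sends.
SAMPLES = {
    "introspection": json.dumps({"query": "{ __schema { types { name fields { name } } } }"}),
    "deep": json.dumps({"query": "{ user(id: 1) { friends { friends { friends { friends { friends { name } } } } } } }"}),
    "batch": json.dumps([{"query": "{ me { id } }"}] * 3),
    "alias_bruteforce": json.dumps({"query": "mutation { " + " ".join(
        f'a{i}: login(user: "bob", pw: "p{i}") {{ token }}' for i in range(8)) + " }"}),
    "benign": json.dumps({"query": "query { me { id posts(first: 10) { title } } }"}),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, assess(body))
```

On a live target each finding maps to a request to send: the deep query and the alias burst should come back with a depth or cost error rather than a result, the batch should be rejected or limited as a whole, and the introspection query should fail without credentials.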
Copy-Paste Prompts
Use @api-fuzzing-bug-bounty to test GraphQL security
Phase 7: Error Handling
Skills to Invoke
- api-security-best-practices - Error handling
Actions
1. Test error messages
2. Check information disclosure
3. Test stack traces
4. Verify logging
5. Document findings
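Steps 1 to 3 reduce to scanning every response collected during the engagement for verbose error output. The scanner below is an added example, not the skill's own tooling: it matches stack-trace and database-error signatures in the body, flags version strings in `Server`, `X-Powered-By` and `X-AspNet-Version`, and notes unusually large 5xx bodies. The signature list and the four sample responses are constructed for the demo and should be extended for the stack under test.

```python
import re

# Signatures of verbose error output (constructed starter list; extend per technology stack).
LEAK_PATTERNS = {
    "python-traceback": re.compile(r"Traceback \(most recent call last\)"),
    "java-stacktrace":  re.compile(r"^\s+at [\w$.]+\(\w+\.java:\d+\)", re.M),
    "node-stacktrace":  re.compile(r"^\s+at .*\(.*\.js:\d+:\d+\)", re.M),
    "dotnet-exception": re.compile(r"System\.\w+Exception"),
    "sql-error":        re.compile(r"SQLSTATE\[|ORA-\d{5}|You have an error in your SQL syntax|psycopg2\.", re.I),
    "filesystem-path":  re.compile(r"/(?:home|var|srv|opt|usr)/[\w./-]+"),
}
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

def scan_response(status: int, headers: dict, body: str) -> list:
    """Return finding labels for one captured response; [] means it looks sanitized."""
    findings = []
    for name, pat in LEAK_PATTERNS.items():
        if pat.search(body):
            findings.append(f"body:{name}")
    for h in VERSION_HEADERS:
        v = headers.get(h)
        if v and re.search(r"\d+\.\d+", v):  # a product name alone is fine; a version is not
            findings.append(f"header:{h}={v}")
    if status >= 500 and len(body) > 512:
        findings.append("body:oversized-5xx")
    return findings

# Constructed sample responses: a sanitized 500, a leaky PHP/PDO 500, a Python traceback, a clean 404.
SAMPLE_RESPONSES = [
    (500, {"Server": "nginx"}, "Internal Server Error"),
    (500, {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
     "PDOException: SQLSTATE[42000]: Syntax error near ' in /var/www/api/db.php:88"),
    (500, {}, 'Traceback (most recent call last):\n  File "/srv/app/views.py", line 40, in get\n    raise KeyError("id")'),
    (404, {}, '{"error": "not found"}'),
]

def scan_all(responses) -> list:
    return [scan_response(status, headers, body) for status, headers, body in responses]

if __name__ == "__main__":
    for (status, _, _), found in zip(SAMPLE_RESPONSES, scan_all(SAMPLE_RESPONSES)):
        print(status, found)
```

Feed the scanner the responses from the fuzzing and injection phases as well, since malformed input is what most reliably provokes the unhandled path; a leaked file path or query fragment there is usually the first hint of a deeper injection finding.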
Copy-Paste Prompts
Use @api-security-best-practices to audit API error handling
API Security Checklist
- [ ] Authentication working
- [ ] Authorization enforced
- [ ] Input validated
- [ ] Rate limiting active
- [ ] Errors sanitized
- [ ] Logging enabled
- [ ] CORS configured
- [ ] HTTPS enforced
Quality Gates
- [ ] All endpoints tested
- [ ] Vulnerabilities documented
- [ ] Remediation provided
- [ ] Report generated
Related Workflow Bundles
- security-audit - Security auditing
- web-security-testing - Web security
- api-development - API development
Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.