---
version: "1.0.1"
name: api-security
description: API security testing - GraphQL, REST API, WebSocket, and Web-LLM attack techniques.
---
API Security
Test API endpoints for security vulnerabilities across REST, GraphQL, WebSocket, and LLM-integrated APIs.
Techniques
| Type | Key Vectors |
|---|---|
| GraphQL | Introspection, batching attacks, nested query DoS, field suggestion |
| REST API | BOLA/IDOR, mass assignment, rate limiting, auth bypass, versioning |
| WebSocket | Cross-site hijacking, message manipulation, auth flaws |
| Web-LLM | Prompt injection via API, excessive agency, data exfiltration |
Workflow
- Discover API endpoints and documentation (Swagger, GraphQL schema)
- Map authentication and authorization mechanisms
- Test per API type using appropriate techniques
- Validate data exposure and access control flaws
- Capture evidence with HTTP request/response logs
Reference
- reference/graphql*.md - GraphQL attack techniques and labs
- reference/scenarios/rest/*.md - REST API security testing (BOLA/BOPLA, mass assignment, SSPP, content-type confusion)
- reference/websockets*.md - WebSocket vulnerability testing
- reference/web-llm*.md - Web-LLM attack techniques and labs