---
name: pentest-api
description: API security testing — REST/GraphQL/WebSocket, OWASP API Top 10, JWT/OAuth analysis, mass assignment, broken object-level authorization advisory. Triggers on API pentest, OWASP API, REST security, GraphQL test, WebSocket, JWT analysis, OAuth flow, BOLA, BFLA, mass assignment.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents api-security
---

# pentest-api

REST + GraphQL + WebSocket security testing methodology, focused on the OWASP API Security Top 10 (2023).

## Triggers

- "API pentest"
- "OWASP API Top 10"
- "GraphQL introspection"
- "JWT swap attempt"
- "OAuth flow test"
- "BOLA / BFLA"
- "mass assignment"
- "WebSocket security"

## OWASP API Top 10 (2023)

| # | Category | Test Approach |
|---|----------|---------------|
| API1 | BOLA (Broken Object Level Auth) | /users/123 -> /users/124 enumeration, unauthorized data access |
| API2 | Broken Authentication | Token replay, JWT manipulation, brute force endpoint |
| API3 | Broken Object Property Level Auth | Mass assignment (admin: true), excessive data exposure |
| API4 | Unrestricted Resource Consumption | Missing rate limit, pagination size, file upload size |
| API5 | BFLA (Broken Function Level Auth) | Is /admin/* reachable with a user role |
| API6 | Unrestricted Business Flows | Business logic exploitation (hand off to pentest-bizlogic) |
| API7 | SSRF | URL parameter reaching cloud metadata |
| API8 | Security Misconfig | Verbose errors, CORS *, default endpoints |
| API9 | Improper Inventory | v1/v2 same endpoint with different auth, shadow APIs |
| API10 | Unsafe Consumption of 3rd Party API | API key exfiltration, blind trust in responses |

## REST Test Methodology

```
1. Find the spec document: /swagger.json, /openapi.yaml, /api-docs
2. List endpoints + their auth requirements
3. BOLA: numeric ID enumeration (user_id, doc_id, order_id)
4. BFLA: role change (cookie/header swap)
5. Rate limit: 100 requests/s within 60s
6. CORS: Origin: evil.com -> reflected?
7. Verbose error: malformed body, SQL-like input
```

## GraphQL Test

```bash
# Introspection check (QUIET)
curl -X POST https://<target>/graphql -H 'Content-Type: application/json' -d '{"query":"{__schema{types{name fields{name}}}}"}'
```

Common checks:

- Field suggestion (typo) -> auto-suggest reveals schema names
- Batching: 1000 queries in a single POST (DoS readiness test)
- Alias overloading
- Deep nesting: `{ user { friend { friend { ... } } } }` depth 10+

## JWT Analysis

| Test | Approach |
|------|----------|
| alg: none | Set the header to `{"alg":"none","typ":"JWT"}`, strip the signature |
| alg confusion | RS256 -> HS256, use the public key as the HMAC secret |
| kid injection | `kid: ../../../dev/null` (SQLi if kid is resolved via SQL) |
| exp ignore | exp in the past, does the server still accept it |
| Weak secret | Crack the JWT secret with hashcat (offline) |

```bash
# QUIET — decode only (no request is sent to any target)
echo "<token>" | python3 -c "import sys,jwt; print(jwt.decode(sys.stdin.read().strip(), options={'verify_signature': False}))"
```
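Added example, not part of this skill: a standard-library HS256 verifier written from the defender's side, showing the server checks that close each row of the table above (algorithm pinned server-side, kid resolved only by dictionary lookup, signature checked before exp is trusted, minimum key length). The key store, kid `k1` and secret are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed key store (kid -> secret). A dict lookup, never a file path
# or SQL query, so a crafted kid cannot reach outside it.
KEYS = {"k1": b"constructed-demo-secret-at-least-32-bytes!!"}

def b64url_decode(s: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_hs256(token: str, keys=KEYS, now=None) -> dict:
    """Return the payload of a valid token; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm server-side: 'none' and an RS256->HS256 swap are
    # both rejected because the header does not get to choose.
    if header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    key = keys.get(header.get("kid"))   # unknown or missing kid -> None
    if key is None or len(key) < 32:    # RFC 7518: HS256 key >= 256 bits
        raise ValueError("unknown kid or weak key")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(parts[1]))
    # Signature checked first, so exp comes from authenticated data.
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        raise ValueError("missing or expired exp")
    return payload

def is_rejected(token: str, now=None) -> bool:
    """True if verify_hs256 refuses the token (handy for regression checks)."""
    try:
        verify_hs256(token, now=now)
        return False
    except ValueError:
        return True

def sign_hs256(payload: dict, kid: str = "k1", keys=KEYS) -> str:
    """Mint a token with the same key store (tests and demos only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(keys[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"
```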

## OAuth Flow Test

- redirect_uri tampering: token delivered to evil.com
- Missing state parameter -> CSRF
- Is response_type=token (implicit) still supported
- Missing PKCE (mandatory for mobile/SPA)
- scope creep: request a minimal scope, did the maximum scope come back
- Missing refresh token rotation

## Mass Assignment Test

```http
POST /api/users
Content-Type: application/json

{
  "name": "test",
  "email": "test@example.com",
  "isAdmin": true,
  "subscription": "premium"
}
```

`isAdmin` and `subscription` are the mass assignment probes: fields the client should never be allowed to set. If the response returns `isAdmin: true`, the vulnerability is present.

## WebSocket

- Is Origin header validation missing (CSRF-like)
- Is authentication done only at the handshake (mid-session re-auth?)
- Message size limit
- Binary messages + WS frame manipulation

## Output Template

```markdown
## API Analysis — <baseURL>

### Findings
- [HIGH] BOLA in GET /api/orders/{id} — user A can view user B's order
- [MEDIUM] GraphQL introspection enabled in production
- [LOW] CORS Origin reflection (null origin only)

### Untested Areas
- BFLA admin endpoints (no admin token)
- WebSocket /ws — handshake not tested
- Rate limit threshold (outside the customer's test window)
```

## Out-of-Scope

- Live brute force (pentest-credentials)
- DDoS via absent rate limit
- Automated tooling that performs token replay attacks
