Skill

api-security-review

Performs API security review against OWASP API Top 10 (2023). Audits OpenAPI/Swagger specs, REST/GraphQL/gRPC implementations, auth mechanisms, rate limiting, SSRF, and gateways with attack scenarios.

OpenAPI

REST API

npx claudepluginhub cmaenner/agent-security-playbook

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Perform comprehensive API security assessment following `plays/tier1-code-analysis/api-security-review.md`.

SKILL.md

Similar Skills

OWASP API Security Top 10 (2023)

faos-security-engineer

OWASP API Security Top 10

Identifies OWASP API Security Top 10 (2023) vulnerabilities like BOLA in REST, GraphQL, gRPC APIs during audits, with code examples and detection patterns for Express, Flask, Spring Boot, Go.

vuln-scout

testing-api-security-with-owasp-top-10

Assesses REST and GraphQL API endpoints against OWASP API Security Top 10 risks using ffuf fuzzing, Burp Suite, Postman collections, and manual curl tests. For authorized pen testing before production.

asi

Stats

Stars5

Forks2

Last CommitMar 7, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

API Security Review

Perform comprehensive API security assessment following plays/tier1-code-analysis/api-security-review.md.

Steps

Discovery & Reconnaissance

Parse OpenAPI/Swagger specs or scan code for endpoints
Identify authentication mechanisms (JWT, OAuth 2.0, API keys, mTLS)
Map API gateway and middleware configurations
Enumerate all API versions and deprecated endpoints

Authentication Deep Dive

JWT security (algorithm confusion, weak signing, token expiration)
OAuth 2.0 flows (PKCE, state parameter, redirect URI validation)
API key exposure and rotation policies
Session management and token storage

Assess All 10 OWASP API Risks with attack scenarios:

API1 BOLA — IDOR via predictable IDs, batch endpoint bypasses, ownership verification gaps
API2 Broken Authentication — JWT attacks, OAuth flaws, brute force, credential stuffing
API3 BOPA — Mass assignment, response over-exposure, field-level authz bypasses
API4 Resource Consumption — Rate limit bypasses, pagination abuse, GraphQL DoS
API5 BFLA — Admin endpoint discovery, horizontal/vertical privilege escalation
API6 Business Flows — Automated abuse, inventory exhaustion, scraping attacks
API7 SSRF — URL bypasses, DNS rebinding, cloud metadata access
API8 Misconfiguration — CORS bypasses, verbose errors, missing headers
API9 Inventory — Shadow APIs, zombie endpoints, version confusion
API10 Unsafe Consumption — XXE, deserialization, webhook replay attacks

Automated Testing

Run API security scanners (OWASP ZAP, Burp Suite, Postman tests)
Test for common vulnerabilities with specific payloads
Validate rate limiting and throttling mechanisms

API Gateway & Infrastructure Review

Kong, nginx, Envoy, AWS API Gateway configurations
WAF rules and bypass opportunities
TLS configuration and certificate validation

Output

Comprehensive API security report including:

API surface inventory with authentication mechanisms

Risk matrix with severity ratings for all 10 categories

Detailed findings with proof-of-concept examples

Exploit scenarios and business impact analysis

Prioritized remediation roadmap with code examples

Testing artifacts and vulnerability evidence

OWASP References

OWASP API Security Top 10 (2023)

OWASP ASVS v5.0 — V13: API and Web Service

OWASP Testing Guide: WSTG-APIT

OWASP Cheat Sheet: REST Security, GraphQL Security, JWT Security, OAuth 2.0

API Security Review

Perform comprehensive API security assessment following plays/tier1-code-analysis/api-security-review.md.

Steps

Discovery & Reconnaissance

Parse OpenAPI/Swagger specs or scan code for endpoints
Identify authentication mechanisms (JWT, OAuth 2.0, API keys, mTLS)
Map API gateway and middleware configurations
Enumerate all API versions and deprecated endpoints

Authentication Deep Dive

JWT security (algorithm confusion, weak signing, token expiration)
OAuth 2.0 flows (PKCE, state parameter, redirect URI validation)
API key exposure and rotation policies
Session management and token storage

Assess All 10 OWASP API Risks with attack scenarios:

API1 BOLA — IDOR via predictable IDs, batch endpoint bypasses, ownership verification gaps
API2 Broken Authentication — JWT attacks, OAuth flaws, brute force, credential stuffing
API3 BOPA — Mass assignment, response over-exposure, field-level authz bypasses
API4 Resource Consumption — Rate limit bypasses, pagination abuse, GraphQL DoS
API5 BFLA — Admin endpoint discovery, horizontal/vertical privilege escalation
API6 Business Flows — Automated abuse, inventory exhaustion, scraping attacks
API7 SSRF — URL bypasses, DNS rebinding, cloud metadata access
API8 Misconfiguration — CORS bypasses, verbose errors, missing headers
API9 Inventory — Shadow APIs, zombie endpoints, version confusion
API10 Unsafe Consumption — XXE, deserialization, webhook replay attacks

Automated Testing

Run API security scanners (OWASP ZAP, Burp Suite, Postman tests)
Test for common vulnerabilities with specific payloads
Validate rate limiting and throttling mechanisms

API Gateway & Infrastructure Review

Kong, nginx, Envoy, AWS API Gateway configurations
WAF rules and bypass opportunities
TLS configuration and certificate validation

Output

Comprehensive API security report including:

API surface inventory with authentication mechanisms

Risk matrix with severity ratings for all 10 categories

Detailed findings with proof-of-concept examples

Exploit scenarios and business impact analysis

Prioritized remediation roadmap with code examples

Testing artifacts and vulnerability evidence

OWASP References

OWASP API Security Top 10 (2023)

OWASP ASVS v5.0 — V13: API and Web Service

OWASP Testing Guide: WSTG-APIT

OWASP Cheat Sheet: REST Security, GraphQL Security, JWT Security, OAuth 2.0