From appsec
Analyzes REST and RPC APIs for OWASP API Security Top 10 vulnerabilities including BOLA, mass assignment, rate limiting, broken function-level authorization, and excessive data exposure using semgrep, bandit, and brakeman.
Install the plugin that provides this skill with:

```
npx claudepluginhub florianbuetow/claude-code --plugin appsec
```

How this skill is triggered (by the user, by Claude, or both): slash command `/appsec:api`

The summary Claude sees in its skill listing, used to decide when to auto-load this skill:

- Analyze REST and RPC APIs for security vulnerabilities aligned with the OWASP
- Scans API code for OWASP Top 10 vulnerabilities: injection, BOLA, broken auth, mass assignment, excessive data exposure, missing rate limits, and weak validation.
- Audits REST, GraphQL, and RPC APIs against OWASP API Security Top 10, focusing on BOLA, authentication, and access control.
- Identifies OWASP API Security Top 10 (2023) vulnerabilities like BOLA in REST, GraphQL, gRPC APIs during audits, with code examples and detection patterns for Express, Flask, Spring Boot, Go.
Analyze REST and RPC APIs for security vulnerabilities aligned with the OWASP API Security Top 10, including Broken Object-Level Authorization (BOLA), mass assignment, missing rate limiting, broken function-level authorization, and excessive data exposure. API-specific vulnerabilities arise because clients talk to the API directly: constraints enforced only in the UI (hidden fields, disabled buttons, client-side validation) do not apply, so every check must live server-side in the handler.

Read ../../shared/schemas/flags.md for the full flag specification. This skill supports all cross-cutting flags. Key flags for this skill:

- `--scope` determines which files to analyze (default: changed)
- `--depth standard` reads code and checks API endpoint handlers
- `--depth deep` traces data from request to database to response serialization
- `--severity` filters output (API issues are often high or critical)

Key CWEs in scope:

OWASP API Security Top 10 (2023) categories:
Read references/detection-patterns.md for the full catalog of code patterns, search heuristics, language-specific examples, and false positive guidance.
Parse flags and resolve the file list per ../../shared/schemas/flags.md.
Filter to files likely to contain API logic:

- `**/routes/**`, `**/api/**`, `**/endpoints/**`
- `**/controllers/**`, `**/handlers/**`, `**/views/**`
- `**/serializers/**`, `**/dto/**`, `**/schemas/**`
- `**/middleware/**`, `**/middlewares/**`
- `**/config/**`, `**/limiters/**`

Detect scanners per ../../shared/schemas/scanners.md:

- semgrep -- primary scanner for API patterns
- bandit -- Python API security issues
- brakeman -- Rails API vulnerabilities

Record which scanners are available and which are missing.

If semgrep is available, run with rules targeting API security:

```
semgrep scan --config auto --json --quiet <target>
```

`--config auto` selects rules from the Semgrep Registry based on the languages it detects, so it needs network access; in an offline or pinned environment point `--config` at a vendored ruleset instead. Filter results to rules matching BOLA, mass assignment, authorization, and data exposure patterns. Normalize output to the findings schema.
Regardless of scanner availability, perform manual code analysis:
When --depth deep, additionally trace:
Format output per ../../shared/schemas/findings.md using the API prefix (e.g., API-001, API-002).
Include for each finding:
These are the high-signal patterns specific to API security. Each maps to a detection pattern in references/detection-patterns.md.
Broken Object-Level Authorization (BOLA) -- API endpoints accept a resource ID from the client and return data without verifying the requesting user owns or is authorized to access that resource.
Mass assignment -- Request body fields are bound directly to database model attributes, allowing attackers to set fields they should not control (role, price, isAdmin).
Missing rate limiting -- API endpoints lack rate limiting, allowing brute-force attacks on authentication, enumeration, and resource exhaustion.
Broken function-level authorization -- Admin or privileged API endpoints are accessible to regular users because they check authentication but not authorization role/permissions.
Excessive data exposure -- API responses include sensitive fields (password hashes, tokens, internal metadata) that the client does not need.
Missing input validation -- API endpoints accept unbounded inputs (no max length, no type validation) enabling injection and resource abuse.
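The patterns above, side by side in their vulnerable and hardened forms, as an added example that is not code from the appsec plugin. The handlers are framework-agnostic Python that receives the authenticated user id and already-parsed input directly, so the same shapes apply to Flask, Express or Spring handlers; the INVOICES and USERS tables, the field allowlists, the exception classes and the FixedWindowLimiter class are all constructed for illustration.

```python
"""Vulnerable vs hardened handler shapes for BOLA, mass assignment,
excessive data exposure and missing rate limiting (constructed example)."""


class NotFound(Exception):
    pass


class BadRequest(Exception):
    pass


class TooManyRequests(Exception):
    pass


# Constructed in-memory tables standing in for the database.
INVOICES = {
    101: {"id": 101, "owner_id": 1, "amount": 250},
    102: {"id": 102, "owner_id": 2, "amount": 999},
}
USERS = {
    1: {"id": 1, "email": "alice@example.com", "display_name": "alice",
        "role": "user", "password_hash": "$2b$12$constructedhash",
        "api_token": "tok_constructed"},
}


# --- BOLA (CWE-639) ----------------------------------------------------------
def get_invoice_vulnerable(user_id, invoice_id):
    # Caller is authenticated, but the lookup trusts the client-supplied id alone.
    return INVOICES[invoice_id]


def get_invoice(user_id, invoice_id):
    # Ownership is part of the lookup. Missing and foreign ids both raise
    # NotFound, so a 403-vs-404 difference cannot be used to enumerate ids.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner_id"] != user_id:
        raise NotFound(invoice_id)
    return invoice


# --- Mass assignment (CWE-915) -----------------------------------------------
def apply_profile_update_vulnerable(user, body):
    # Every body key becomes a column: {"role": "admin"} is accepted as-is.
    return {**user, **body}


PROFILE_WRITABLE = frozenset({"email", "display_name"})


def apply_profile_update(user, body):
    # Allowlist of client-writable fields. Unknown keys are rejected rather
    # than silently dropped, so probing for hidden fields shows up in logs.
    unknown = set(body) - PROFILE_WRITABLE
    if unknown:
        raise BadRequest(f"fields not writable: {sorted(unknown)}")
    return {**user, **body}


# --- Excessive data exposure -------------------------------------------------
def serialize_user_vulnerable(user):
    # The whole row goes to the client, password hash and API token included.
    return dict(user)


PUBLIC_USER_FIELDS = ("id", "email", "display_name")


def serialize_user(user):
    # Explicit response shape: a new sensitive column is not exposed by default.
    return {k: user[k] for k in PUBLIC_USER_FIELDS if k in user}


# --- Missing rate limiting (CWE-770) -----------------------------------------
class FixedWindowLimiter:
    """Per-key request counter over a fixed time window.

    The clock is injected so the behaviour is testable; in a real deployment
    the counters would live in a shared store such as Redis, not in memory.
    """

    def __init__(self, limit, window_seconds, clock):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self.counts = {}

    def check(self, key):
        # Call this before the credential check so failed logins are counted too.
        window_id = int(self.clock()) // self.window
        n = self.counts.get((key, window_id), 0) + 1
        self.counts[(key, window_id)] = n
        if n > self.limit:
            raise TooManyRequests(key)
        return n
```

The ownership check in `get_invoice` belongs in the data access path, not in a decorator that is easy to forget on the next endpoint; the allowlist in `apply_profile_update` is the same idea for writes.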
| Scanner | Coverage | Command |
|---|---|---|
| semgrep | BOLA, mass assignment, missing auth | semgrep scan --config auto --json --quiet <target> |
| bandit | Python API security patterns | bandit -r <target> -f json -q |
| brakeman | Rails mass assignment, authorization | brakeman -q -f json -o /dev/stdout |
Fallback (no scanner): Use Grep with patterns from references/detection-patterns.md to find API route definitions, model binding, rate limiting config, and response serialization. Report findings with confidence: medium.
Use the findings schema from ../../shared/schemas/findings.md.
- Prefix: API (e.g., API-001)
- Category: api
- OWASP references: API1:2023, API3:2023, etc.
- CWE references: CWE-639, CWE-915, CWE-770
- STRIDE: I (Information Disclosure) or E (Elevation of Privilege)

Severity guidance for this category: