Skill

fuzzing-apis

Runs API fuzzing with Schemathesis, RESTler, fast-check, and OWASP ZAP to detect crashes, edge cases, and vulnerabilities in REST/GraphQL endpoints from OpenAPI specs.

REST API

GraphQL

npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin api-fuzzer

Tool Access

This skill is limited to using the following tools:

ReadWriteEditGrepGlobBash(test:fuzz-*)

Preview

Perform API fuzzing to discover crashes, unhandled exceptions, security vulnerabilities, and edge case failures by sending malformed, unexpected, and boundary-value inputs to API endpoints. Supports RESTler (stateful REST API fuzzing), Schemathesis (OpenAPI-driven property-based testing), custom fuzz harnesses with fast-check, and OWASP ZAP active scanning.

Supporting Assets

assets/README.mdassets/report_template.mdreferences/README.mdscripts/README.mdscripts/generate_payloads.py

SKILL.md

Similar Skills

performing-api-fuzzing-with-restler

Performs stateful REST API fuzzing with Microsoft RESTler using OpenAPI specs to generate test sequences, discover dependencies, and detect bugs like 500 errors, auth bypasses, and injections. For automated API security testing.

asi

performing-api-fuzzing-with-restler

5.9k

Fuzzes stateful REST APIs with Microsoft RESTler using OpenAPI specs to generate test sequences, detect producer-consumer deps, and find security/reliability bugs like 500s, auth bypasses, leaks.

3 files

cybersecurity-skills

api-fuzzing-bug-bounty

36.5k

Provides techniques for fuzzing and testing REST, SOAP, and GraphQL APIs in bug bounty hunting and pentesting. Covers auth bypass, IDOR exploitation, injections, and vuln discovery.

antigravity-awesome-skills

Stats

Parent Repo Stars1853

Parent Repo Forks248

Last CommitApr 3, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

API Fuzzer

Overview

Prerequisites

API specification available (OpenAPI/Swagger, GraphQL SDL, or Protobuf definitions)
Target API running in a test environment (never fuzz production)
Fuzzing tool installed (Schemathesis, RESTler, or custom harness with fast-check/Hypothesis)
API authentication credentials for protected endpoints
Error logging enabled on the target server to capture crashes and stack traces

Instructions

Parse the API specification to identify all endpoints, methods, and input schemas:
- Read OpenAPI spec files using Glob (**/openapi.yaml, **/swagger.json).
- Catalog each endpoint's parameters (path, query, header, body) and their types.
- Note validation constraints (min/max, pattern, enum, required fields).
Configure the fuzzing strategy:
- Schema-based: Generate inputs that violate schema constraints (wrong types, missing fields, extra fields).
- Mutation-based: Start with valid requests and mutate individual fields (bit flips, boundary values, special characters).
- Dictionary-based: Use known problematic inputs (SQL injection, XSS payloads, format strings, null bytes).
Define fuzz input categories for each parameter type:
- Strings: Empty, very long (10K+ chars), unicode, null bytes, format strings (%s%n), path traversal (../../etc/passwd).
- Numbers: 0, -1, MAX_INT, MIN_INT, NaN, Infinity, floats where ints expected.
- Arrays: Empty, single element, thousands of elements, nested arrays, mixed types.
- Objects: Empty, missing required fields, extra unknown fields, deeply nested (100+ levels).
- Dates: Invalid formats, epoch zero, far future, negative timestamps.
Execute the fuzzing campaign:
- Run Schemathesis: schemathesis run http://localhost:3000/openapi.json --stateful=links.
- Or run RESTler: restler-fuzzer fuzz --grammar_file grammar.py.
- Or write custom fuzz tests with fast-check/Hypothesis for targeted endpoints.
- Set a time budget (30-60 minutes for initial run).
Analyze findings:
- 5xx responses: Unhandled server errors -- file as bugs.
- Crashes/hangs: Application process terminated or stopped responding.
- Resource exhaustion: Memory/CPU spike from malicious payloads.
- Information disclosure: Stack traces, internal paths, or credentials in error responses.
For each finding, create a minimal reproducer (smallest input that triggers the issue).
Write regression tests for confirmed bugs to prevent reintroduction.

Output

Fuzz campaign report with discovered issues sorted by severity
Minimal reproducer for each finding (curl command or test case)
Categorized findings: crashes, unhandled errors, security issues, validation gaps
Regression test file with one test per confirmed bug
Coverage metrics showing which endpoints and parameters were fuzzed

Error Handling

Error	Cause	Solution
Fuzzer cannot parse API spec	Invalid or incomplete OpenAPI specification	Validate the spec with `swagger-cli validate`; fix schema errors before fuzzing
All requests return 401	Authentication not configured in fuzzer	Provide auth headers via `--set-header "Authorization: Bearer TOKEN"` or config file
Server crashes during fuzzing	Unhandled exception or resource exhaustion	Restart the server with a process manager; enable crash dump collection; add OOM killer threshold
Too many false positives (500 errors)	Application returns 500 for expected validation errors	Filter known error patterns; configure the fuzzer to ignore specific response bodies
Fuzzer generates unrealistic inputs	Schema-based generation produces impossible combinations	Add `x-examples` to the OpenAPI spec; use stateful fuzzing to maintain valid sequences

Examples

Schemathesis OpenAPI fuzzing:

# Basic schema-based fuzzing
schemathesis run http://localhost:3000/api/openapi.json \  # 3000: 3 seconds in ms
  --stateful=links \
  --hypothesis-max-examples=500 \  # HTTP 500 Internal Server Error
  --base-url=http://localhost:3000 \  # 3 seconds in ms
  --header "Authorization: Bearer $TEST_TOKEN"

# With specific checks
schemathesis run http://localhost:3000/api/openapi.json \  # 3 seconds in ms
  --checks all \
  --validate-schema=true

fast-check property-based API test:

import fc from 'fast-check';
import request from 'supertest';
import { app } from '../src/app';

test('POST /api/users handles arbitrary input without crashing', async () => {
  await fc.assert(
    fc.asyncProperty(
      fc.record({
        name: fc.string(),
        email: fc.string(),
        age: fc.oneof(fc.integer(), fc.string(), fc.constant(null)),
      }),
      async (body) => {
        const res = await request(app).post('/api/users').send(body);
        expect(res.status).toBeLessThan(500); // No server errors  # HTTP 500 Internal Server Error
      }
    ),
    { numRuns: 200 }  # HTTP 200 OK
  );
});

Custom fuzz dictionary for injection testing:

[
  "' OR '1'='1",
  "<script>alert(1)</script>",
  "${7*7}",
  "{{7*7}}",
  "../../../etc/passwd",
  "\u0000",
  "A".repeat(100000)  # 100000 = configured value
]

Resources

Schemathesis: https://schemathesis.readthedocs.io/
RESTler (Microsoft): https://github.com/microsoft/restler-fuzzer
fast-check (property-based testing): https://fast-check.dev/
Hypothesis (Python): https://hypothesis.readthedocs.io/
OWASP Fuzzing: https://owasp.org/www-community/Fuzzing