zhongwei/gh-jeremylongshore-claude-code-plugins-plus-plugins-testing-api-fuzzer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 08:22:55 +08:00
commit 2364e84646
9 changed files with 1011 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.claude-plugin/plugin.json Normal file
View File

@@ -0,0 +1,15 @@
{
"name": "api-fuzzer",
"description": "Fuzz testing for APIs with malformed inputs, edge cases, and security vulnerability detection",
"version": "1.0.0",
"author": {
"name": "Claude Code Plugin Hub",
"email": "[email protected]"
},
"skills": [
"./skills"
],
"commands": [
"./commands"
]
}

3
README.md Normal file
View File

@@ -0,0 +1,3 @@
# api-fuzzer
Fuzz testing for APIs with malformed inputs, edge cases, and security vulnerability detection

779
commands/fuzz-api.md Normal file
View File

@@ -0,0 +1,779 @@
---
description: Fuzz test APIs with malformed inputs and edge cases
shortcut: fuzz
---
# API Fuzzer
Automated fuzz testing for REST APIs to discover vulnerabilities, crashes, and unexpected behavior through malformed inputs, boundary values, and random payloads. This command generates comprehensive fuzz test suites targeting injection attacks, input validation failures, and edge cases.
## Design Decisions
**Why fuzz testing matters:**
- **Security**: Discovers SQL injection, XSS, command injection vulnerabilities
- **Robustness**: Finds crashes from unexpected inputs before users do
- **Edge cases**: Uncovers boundary conditions developers didn't consider
- **Compliance**: Validates input sanitization meets security standards
**Alternatives considered:**
- **Manual testing**: Too slow, can't cover mutation space
- **Property-based testing**: Good for unit tests, less suited for API integration
- **Penetration testing tools**: Expensive, requires security expertise
- **Static analysis**: Misses runtime-only issues
**This approach balances**: Automation, coverage, security focus, and integration with CI/CD.
## When to Use
Use API fuzzing when:
- Testing security-critical APIs (auth, payment, admin endpoints)
- Validating input sanitization and validation logic
- Finding edge cases before production incidents
- Meeting security compliance requirements (PCI-DSS, SOC 2)
- Testing third-party API integration error handling
- Preparing for penetration testing or security audits
Don't use when:
- API has no user input (static data endpoints)
- Building proof-of-concept with no security requirements
- Input validation is already exhaustively tested
- Time-sensitive release without CI/CD integration
## Prerequisites
- Existing REST API with endpoints to test
- Node.js 16+ or Python 3.8+ for fuzzing scripts
- API documentation (OpenAPI/Swagger or manual endpoint list)
- (Optional) Authentication credentials or test accounts
- (Optional) CI/CD pipeline for automated fuzzing
- (Optional) Security monitoring tools (SIEM, IDS)
## Process
1. **Identify Attack Surface**
- List all API endpoints accepting user input
- Identify input types (strings, numbers, JSON, files)
- Prioritize high-risk endpoints (auth, admin, payment)
2. **Generate Fuzz Inputs**
- Malformed data (null, undefined, empty, overflow)
- Injection payloads (SQL, XSS, command injection)
- Boundary values (max int, negative, infinity)
- Type confusion (string as int, object as array)
3. **Execute Fuzz Tests**
- Send fuzz inputs to all endpoints
- Monitor responses for crashes, 500 errors, timeouts
- Capture stack traces and error details
4. **Analyze Results**
- Categorize vulnerabilities by severity (critical, high, medium)
- Create reproducible test cases for failures
- Generate security report with findings
5. **Remediate and Retest**
- Fix discovered vulnerabilities
- Add regression tests for fixed issues
- Rerun fuzzer to verify fixes
## Output Format
### Jest Fuzz Test Suite (Node.js)
```javascript
// tests/api-fuzzer.test.js
const axios = require('axios');
const API_BASE = process.env.API_URL || 'http://localhost:3000';
// Fuzz input generators
const fuzzInputs = {
// String mutations
strings: [
'', // Empty
null,
undefined,
' ', // Whitespace
'A'.repeat(10000), // Very long
'A'.repeat(1000000), // Extremely long
'<script>alert(1)</script>', // XSS
'<img src=x onerror=alert(1)>', // XSS variant
'${7*7}', // Template injection
'{{7*7}}', // Template injection variant
'\x00', // Null byte
'\n\r\t', // Control characters
'../../etc/passwd', // Path traversal
'../../../etc/passwd', // Path traversal variant
'\\x41\\x42\\x43', // Hex encoding
],
// SQL injection payloads
sqlInjection: [
"' OR '1'='1",
"' OR '1'='1' --",
"' OR '1'='1' /*",
"1; DROP TABLE users--",
"1' UNION SELECT NULL, NULL--",
"admin'--",
"' OR 1=1--",
"1' ORDER BY 10--", // Column enumeration
],
// Number mutations
numbers: [
0,
-1,
1,
999999999999999999, // Large positive
-999999999999999999, // Large negative
Infinity,
-Infinity,
NaN,
Number.MAX_SAFE_INTEGER,
Number.MIN_SAFE_INTEGER,
Number.MAX_VALUE,
Number.MIN_VALUE,
3.14159265358979323846, // Floating point
],
// Boolean mutations
booleans: [
true,
false,
'true',
'false',
1,
0,
'yes',
'no',
],
// Object/Array mutations
structures: [
{},
[],
{ __proto__: { polluted: true } }, // Prototype pollution
{ constructor: { prototype: { polluted: true } } },
[[[[[]]]]]], // Deeply nested
new Array(10000).fill('x'), // Large array
],
// Special characters
special: [
'!@#$%^&*()',
'"><script>alert(1)</script>',
'%00', // URL-encoded null byte
'%0A', // URL-encoded newline
'\\', // Backslash
'/', // Forward slash
'..\\..\\..\\', // Windows path traversal
],
};
describe('API Fuzz Testing', () => {
describe('POST /api/users - Create User', () => {
it('handles malformed string inputs gracefully', async () => {
for (const input of fuzzInputs.strings) {
try {
const response = await axios.post(`${API_BASE}/api/users`, {
name: input,
email: 'test@example.com',
}, { validateStatus: () => true }); // Accept all status codes
// Should not crash (500) or hang
expect(response.status).not.toBe(500);
expect(response.status).toBeLessThan(500);
// Should return proper error for invalid input
if (response.status >= 400) {
expect(response.data).toHaveProperty('error');
}
} catch (error) {
// Network errors are acceptable (timeouts, connection refused)
if (error.code !== 'ECONNABORTED' && error.code !== 'ECONNREFUSED') {
throw error;
}
}
}
});
it('prevents SQL injection', async () => {
for (const payload of fuzzInputs.sqlInjection) {
const response = await axios.post(`${API_BASE}/api/users`, {
name: payload,
email: payload,
}, { validateStatus: () => true });
// Should not execute SQL
expect(response.status).not.toBe(200);
expect(response.status).toBe(400); // Should be validation error
// Should not leak database errors
if (response.data.error) {
expect(response.data.error.toLowerCase()).not.toMatch(/sql|database|query/);
}
}
});
it('handles numeric boundary values', async () => {
for (const input of fuzzInputs.numbers) {
const response = await axios.post(`${API_BASE}/api/users`, {
age: input,
name: 'Test User',
email: 'test@example.com',
}, { validateStatus: () => true });
expect(response.status).not.toBe(500);
// Should validate range
if (input < 0 || input > 150) {
expect(response.status).toBe(400);
}
}
});
it('validates deeply nested objects', async () => {
for (const input of fuzzInputs.structures) {
const response = await axios.post(`${API_BASE}/api/users`, {
metadata: input,
name: 'Test',
email: 'test@example.com',
}, { validateStatus: () => true });
expect(response.status).not.toBe(500);
}
});
});
describe('GET /api/users/:id - Get User', () => {
it('handles malformed ID parameters', async () => {
const idInputs = [
...fuzzInputs.strings,
...fuzzInputs.sqlInjection,
...fuzzInputs.special,
];
for (const input of idInputs) {
const response = await axios.get(
`${API_BASE}/api/users/${encodeURIComponent(input)}`,
{ validateStatus: () => true }
);
expect(response.status).not.toBe(500);
// Should be 400 (bad request) or 404 (not found)
expect([400, 404]).toContain(response.status);
}
});
});
describe('Query Parameter Fuzzing', () => {
it('handles malformed query parameters', async () => {
for (const input of fuzzInputs.strings) {
const response = await axios.get(`${API_BASE}/api/users`, {
params: { search: input },
validateStatus: () => true,
});
expect(response.status).not.toBe(500);
}
});
it('prevents injection via query params', async () => {
for (const payload of fuzzInputs.sqlInjection) {
const response = await axios.get(`${API_BASE}/api/users`, {
params: { filter: payload },
validateStatus: () => true,
});
expect(response.status).not.toBe(500);
// Should not return all users or execute SQL
if (response.status === 200) {
expect(response.data.length).toBe(0); // No results for invalid filter
}
}
});
});
});
```
### Python REST-Assured Fuzzer
```python
# tests/test_api_fuzzer.py
import pytest
import requests
from typing import Any, List
import string
import random
API_BASE = "http://localhost:3000"
class FuzzInputGenerator:
"""Generate various fuzz inputs for API testing"""
@staticmethod
def string_mutations() -> List[Any]:
return [
"", # Empty
None,
" ", # Whitespace
"A" * 10000, # Very long
"<script>alert(1)</script>", # XSS
"${7*7}", # Template injection
"../../etc/passwd", # Path traversal
"\x00", # Null byte
]
@staticmethod
def sql_injection_payloads() -> List[str]:
return [
"' OR '1'='1",
"' OR '1'='1' --",
"1; DROP TABLE users--",
"admin'--",
]
@staticmethod
def number_mutations() -> List[Any]:
return [
0, -1, 999999999999999999,
-999999999999999999,
float('inf'), float('-inf'),
]
@staticmethod
def generate_random_string(length: int = 100) -> str:
"""Generate random string with special characters"""
chars = string.ascii_letters + string.digits + string.punctuation
return ''.join(random.choice(chars) for _ in range(length))
class TestAPIFuzzing:
"""Comprehensive API fuzz tests"""
def test_string_input_handling(self):
"""Test API handles malformed string inputs"""
for input_value in FuzzInputGenerator.string_mutations():
response = requests.post(
f"{API_BASE}/api/users",
json={"name": input_value, "email": "test@example.com"},
timeout=5
)
# Should not crash (500)
assert response.status_code < 500, \
f"Server error with input: {repr(input_value)}"
# Should return proper error for invalid input
if response.status_code >= 400:
assert "error" in response.json()
def test_sql_injection_prevention(self):
"""Test API prevents SQL injection"""
for payload in FuzzInputGenerator.sql_injection_payloads():
response = requests.post(
f"{API_BASE}/api/users",
json={"name": payload, "email": payload},
timeout=5
)
# Should reject malicious input
assert response.status_code != 200, \
f"Accepted SQL injection: {payload}"
# Should not leak database errors
if response.status_code >= 400:
error_text = response.text.lower()
assert "sql" not in error_text
assert "database" not in error_text
def test_numeric_boundary_values(self):
"""Test numeric input boundaries"""
for value in FuzzInputGenerator.number_mutations():
response = requests.post(
f"{API_BASE}/api/users",
json={
"name": "Test User",
"email": "test@example.com",
"age": value
},
timeout=5
)
assert response.status_code < 500
def test_random_fuzzing(self):
"""Random fuzz testing with generated inputs"""
for _ in range(100): # 100 random tests
random_data = {
"name": FuzzInputGenerator.generate_random_string(random.randint(1, 1000)),
"email": FuzzInputGenerator.generate_random_string(20),
"age": random.randint(-1000, 1000),
}
response = requests.post(
f"{API_BASE}/api/users",
json=random_data,
timeout=5
)
# Should handle gracefully
assert response.status_code < 500
def test_header_injection(self):
"""Test header injection vulnerabilities"""
malicious_headers = {
"X-Forwarded-For": "' OR '1'='1",
"User-Agent": "<script>alert(1)</script>",
"Referer": "javascript:alert(1)",
}
response = requests.get(
f"{API_BASE}/api/users",
headers=malicious_headers,
timeout=5
)
assert response.status_code < 500
```
## Example Usage
### Example 1: Automated Fuzzing in CI/CD
```javascript
// .github/workflows/fuzz-tests.yml
name: API Fuzz Testing
on: [push, pull_request]
jobs:
fuzz:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Start API server
run: npm run start:test &
- name: Wait for API
run: npx wait-on http://localhost:3000/health
- name: Run fuzz tests
run: npm run test:fuzz
- name: Upload fuzz report
if: failure()
uses: actions/upload-artifact@v2
with:
name: fuzz-report
path: ./fuzz-report.html
```
### Example 2: Custom Fuzzer with OpenAPI Spec
```javascript
// fuzzer/openapi-fuzzer.js
const SwaggerParser = require('@apidevtools/swagger-parser');
const axios = require('axios');
async function fuzzFromOpenAPI(specPath) {
const api = await SwaggerParser.validate(specPath);
for (const [path, methods] of Object.entries(api.paths)) {
for (const [method, operation] of Object.entries(methods)) {
if (method === 'get' || method === 'post') {
console.log(`Fuzzing ${method.toUpperCase()} ${path}`);
// Generate fuzz inputs based on parameters
const fuzzInputs = generateFuzzInputs(operation.parameters);
for (const input of fuzzInputs) {
const response = await axios[method](
`${api.servers[0].url}${path}`,
input,
{ validateStatus: () => true }
);
if (response.status === 500) {
console.error(`CRASH FOUND: ${method} ${path}`, input);
}
}
}
}
}
}
function generateFuzzInputs(parameters) {
// Generate based on parameter schemas
return [
/* fuzz inputs */
];
}
fuzzFromOpenAPI('./openapi.yaml');
```
### Example 3: Continuous Fuzzing with AFL-inspired Approach
```python
# fuzzer/continuous_fuzzer.py
import requests
import random
import json
from datetime import datetime
class ContinuousFuzzer:
"""Continuously fuzz API endpoints with mutations"""
def __init__(self, base_url: str, endpoints: list):
self.base_url = base_url
self.endpoints = endpoints
self.crashes = []
def mutate_string(self, s: str) -> str:
"""Mutate string with random changes"""
mutations = [
lambda x: x + chr(random.randint(0, 255)), # Append random char
lambda x: x[:len(x)//2], # Truncate
lambda x: x * 100, # Repeat
lambda x: x.replace('a', '<script>'), # XSS injection
lambda x: x + "' OR '1'='1", # SQL injection
]
return random.choice(mutations)(s)
def fuzz_endpoint(self, endpoint: str, method: str = "POST"):
"""Fuzz single endpoint"""
seed_data = {"name": "test", "email": "test@test.com"}
for _ in range(1000): # 1000 iterations
# Mutate seed data
fuzzed_data = {}
for key, value in seed_data.items():
if isinstance(value, str):
fuzzed_data[key] = self.mutate_string(value)
else:
fuzzed_data[key] = value
# Send request
try:
response = requests.request(
method,
f"{self.base_url}{endpoint}",
json=fuzzed_data,
timeout=5
)
# Detect crashes
if response.status_code == 500:
self.crashes.append({
"endpoint": endpoint,
"input": fuzzed_data,
"response": response.text,
"timestamp": datetime.now().isoformat()
})
except requests.exceptions.Timeout:
# Potential hang/DoS
self.crashes.append({
"endpoint": endpoint,
"input": fuzzed_data,
"error": "timeout",
"timestamp": datetime.now().isoformat()
})
def run(self, duration_minutes: int = 60):
"""Run continuous fuzzing"""
import time
start_time = time.time()
while (time.time() - start_time) < (duration_minutes * 60):
endpoint = random.choice(self.endpoints)
self.fuzz_endpoint(endpoint)
# Save crash report
with open('crash_report.json', 'w') as f:
json.dump(self.crashes, f, indent=2)
print(f"Found {len(self.crashes)} crashes")
# Usage
fuzzer = ContinuousFuzzer(
base_url="http://localhost:3000",
endpoints=["/api/users", "/api/orders", "/api/products"]
)
fuzzer.run(duration_minutes=60)
```
## Error Handling
**Common issues and solutions:**
**Problem**: Fuzzer overwhelms API with requests
- **Cause**: No rate limiting in fuzzer
- **Solution**: Add delays between requests, respect API rate limits
**Problem**: False positives (valid errors reported as crashes)
- **Cause**: Fuzzer doesn't understand expected behavior
- **Solution**: Define expected error codes (400, 404), only flag 500s as crashes
**Problem**: Fuzzer credentials get rate-limited or blocked
- **Cause**: Too many failed auth attempts
- **Solution**: Use test credentials, whitelist test IPs, reset between runs
**Problem**: Fuzzing breaks production data
- **Cause**: Fuzzer running against production environment
- **Solution**: Always fuzz staging/test environments, use test data
**Problem**: Can't reproduce crashes
- **Cause**: Fuzzer doesn't log exact inputs that caused crashes
- **Solution**: Log all inputs, responses, timestamps for crash reproduction
## Configuration
### Fuzzer Configuration File
```javascript
// fuzzer.config.js
module.exports = {
target: {
baseUrl: process.env.API_URL || 'http://localhost:3000',
endpoints: [
{ path: '/api/users', method: 'POST' },
{ path: '/api/users/:id', method: 'GET' },
{ path: '/api/orders', method: 'POST' },
],
},
authentication: {
type: 'bearer', // 'bearer' | 'basic' | 'apiKey'
token: process.env.TEST_API_TOKEN,
},
fuzzing: {
iterations: 1000, // Tests per endpoint
timeout: 5000, // Request timeout (ms)
delay: 100, // Delay between requests (ms)
concurrent: 5, // Concurrent requests
},
inputs: {
strings: true, // Enable string fuzzing
numbers: true, // Enable number fuzzing
sqlInjection: true, // Enable SQL injection tests
xss: true, // Enable XSS tests
customPayloads: [ // Custom payloads
'{{7*7}}',
'${7*7}',
],
},
reporting: {
output: './fuzz-report.html',
verbose: false,
onCrash: (crash) => {
console.error('CRASH:', crash);
// Send alert (Slack, PagerDuty, etc.)
},
},
skipEndpoints: [
'/api/health', // Skip health checks
'/api/metrics', // Skip metrics
],
};
```
## Best Practices
DO:
- Run fuzzing in staging/test environments, never production
- Log all crash-inducing inputs for reproducibility
- Integrate fuzzing into CI/CD pipeline
- Fuzz high-risk endpoints (auth, payment, admin) more thoroughly
- Use realistic seed data (from production, anonymized)
- Monitor API during fuzzing for crashes and anomalies
- Combine fuzzing with other security testing (SAST, DAST, pen testing)
DON'T:
- Fuzz production APIs without explicit permission
- Use production credentials or test accounts in fuzzer
- Ignore 400-level errors (they might indicate security issues)
- Run unbounded fuzzing (set time/iteration limits)
- Skip regression tests after fixing fuzz-discovered bugs
- Overlook API dependencies (databases, external APIs)
TIPS:
- Start with known payloads (OWASP, SecLists) before random fuzzing
- Use OpenAPI specs to auto-generate fuzz tests
- Combine grammar-based and mutation-based fuzzing
- Monitor server logs, not just HTTP responses
- Fuzz at multiple levels (headers, body, query params, path params)
- Use corpus of real user inputs as seed data
## Related Commands
- `/scan-api-security` - Comprehensive security scanning
- `/validate-schemas` - Schema validation testing
- `/run-load-test` - Performance testing under load
- `/generate-rest-api` - Generate APIs with built-in validation
- `/implement-error-handling` - Proper error handling to prevent info leaks
## Performance Considerations
- **Fuzzing throughput**: 100-1000 requests/sec depending on API complexity
- **Coverage**: Aim for 80%+ code coverage with fuzz tests
- **Duration**: Run continuous fuzzing (1+ hours) to find rare bugs
- **Resource usage**: Monitor CPU/memory during fuzzing to detect leaks
**Optimization strategies:**
- Use parallel fuzzing with multiple workers
- Cache API responses to avoid redundant tests
- Prioritize high-risk endpoints for deeper fuzzing
- Use smart fuzzing (AFL-style coverage guidance)
## Security Considerations
- **Authorization**: Fuzz with different permission levels (guest, user, admin)
- **Rate limiting**: Verify fuzzing doesn't bypass rate limits
- **Logging**: Ensure malicious inputs are logged for security monitoring
- **Secrets**: Never log sensitive data (passwords, tokens) from fuzz inputs
- **Compliance**: Document fuzzing for security compliance (SOC 2, ISO 27001)
**Security checklist:**
- [ ] Fuzz authentication endpoints (login, register, password reset)
- [ ] Test authorization bypass (accessing other users' data)
- [ ] Validate input sanitization (XSS, SQL injection)
- [ ] Check file upload endpoints (malicious files, XXE)
- [ ] Test CSRF protection
- [ ] Verify error messages don't leak sensitive info
## Troubleshooting
**Fuzzer hangs or times out:**
1. Increase request timeout setting
2. Check for infinite loops in API code
3. Monitor API server resources (CPU, memory)
4. Reduce concurrent fuzzing requests
**No crashes found:**
1. Verify API is actually receiving fuzz inputs
2. Check if input validation is too strict (rejecting all fuzz inputs)
3. Increase fuzzing iterations
4. Use smarter fuzzing strategies (grammar-based, mutation-based)
**Too many false positives:**
1. Define expected error codes (400, 404, 401, 403)
2. Only flag 500-level errors as crashes
3. Review API logs to understand error causes
4. Adjust fuzzer configuration
**Can't reproduce crashes:**
1. Ensure fuzzer logs exact inputs that caused crashes
2. Check if crash is timing-dependent (race condition)
3. Verify environment matches (same data, same config)
4. Use deterministic fuzzing (fixed seed) for reproducibility
## Version History
- **1.0.0** (2025-10-11): Initial release with comprehensive fuzzing
- String, number, SQL, XSS payload generation
- Jest and pytest test suites
- OpenAPI-driven fuzzing
- Continuous fuzzing with crash detection
- CI/CD integration examples
- Security best practices and checklist

65
plugin.lock.json Normal file
View File

@@ -0,0 +1,65 @@
{
"$schema": "internal://schemas/plugin.lock.v1.json",
"pluginId": "gh:jeremylongshore/claude-code-plugins-plus:plugins/testing/api-fuzzer",
"normalized": {
"repo": null,
"ref": "refs/tags/v20251128.0",
"commit": "9043a498e6816660e76e082836607e5977abe14c",
"treeHash": "e840ce69cd1cf58447a9887bdf6bc0e23e5d90ebaa19af8e32b11629f8e79311",
"generatedAt": "2025-11-28T10:18:06.448231Z",
"toolVersion": "publish_plugins.py@0.2.0"
},
"origin": {
"remote": "git@github.com:zhongweili/42plugin-data.git",
"branch": "master",
"commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
"repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
},
"manifest": {
"name": "api-fuzzer",
"description": "Fuzz testing for APIs with malformed inputs, edge cases, and security vulnerability detection",
"version": "1.0.0"
},
"content": {
"files": [
{
"path": "README.md",
"sha256": "b5a512619deeabb5fbd090950b22914bf827b64691bfe8498039fa2e8f952ce6"
},
{
"path": ".claude-plugin/plugin.json",
"sha256": "2fbffd2d266e3ff8a16c71dba60b3b4d4946e0e6b1a5849144928c1bf5bfe21b"
},
{
"path": "commands/fuzz-api.md",
"sha256": "c9d93bf48355e060d099e68462aa4a5838844f51be1024125bbc2bcd92bdd64a"
},
{
"path": "skills/api-fuzzer/SKILL.md",
"sha256": "4ef70747dc5dbc64a89c9b1050c00da59707bdf1a7e1a336f6d90a0ee71c886f"
},
{
"path": "skills/api-fuzzer/references/README.md",
"sha256": "6cc56029f1072be264090a08f3d411972dfac47c9f113031386e7164454f429b"
},
{
"path": "skills/api-fuzzer/scripts/README.md",
"sha256": "ae34447a71d5f50aa4c7c59d6e3ce0ffbccdb352e3b32b934639336eb6573eb6"
},
{
"path": "skills/api-fuzzer/assets/report_template.md",
"sha256": "08d2e539e727f3be88ad08be9a1f60b584cfcd09ecefa7f22cd1182198000b32"
},
{
"path": "skills/api-fuzzer/assets/README.md",
"sha256": "11a77ffc9ef9186aa089e6b2758ec1dc04522fe63cee47b887ef681a3d3a8136"
}
],
"dirSha256": "e840ce69cd1cf58447a9887bdf6bc0e23e5d90ebaa19af8e32b11629f8e79311"
},
"security": {
"scannedAt": null,
"scannerVersion": null,
"flags": []
}
}

54
skills/api-fuzzer/SKILL.md Normal file
View File

@@ -0,0 +1,54 @@
---
name: fuzzing-apis
description: |
This skill enables Claude to perform automated fuzz testing on APIs to discover vulnerabilities, crashes, and unexpected behavior. It leverages malformed inputs, boundary values, and random payloads to generate comprehensive fuzz test suites. Use this skill when you need to identify potential SQL injection, XSS, command injection vulnerabilities, input validation failures, and edge cases in APIs. Trigger this skill by requesting fuzz testing, vulnerability scanning, or security analysis of an API. The skill is invoked using the `/fuzz-api` command.
allowed-tools: Read, Write, Edit, Grep, Glob, Bash
version: 1.0.0
---
## Overview
This skill allows Claude to conduct automated fuzz testing on REST APIs. It identifies potential security flaws and robustness issues by injecting various malformed inputs, boundary values, and random data.
## How It Works
1. **Input Generation**: The skill generates a diverse set of test inputs, including malformed data, boundary values, and random payloads.
2. **API Interaction**: It sends these inputs to the specified API endpoints.
3. **Result Analysis**: It analyzes the API's responses and behavior to identify vulnerabilities, crashes, and unexpected results, such as SQL injection errors or XSS vulnerabilities.
## When to Use This Skill
This skill activates when you need to:
- Identify potential security vulnerabilities in an API.
- Test the robustness of an API against unexpected inputs.
- Ensure proper input validation is implemented in an API.
## Examples
### Example 1: Discovering SQL Injection Vulnerability
User request: "Fuzz test the /users endpoint for SQL injection vulnerabilities."
The skill will:
1. Generate SQL injection payloads.
2. Send these payloads to the /users endpoint.
3. Analyze the API's responses for SQL errors or unexpected behavior indicating a SQL injection vulnerability.
### Example 2: Testing Input Validation
User request: "Fuzz test the /products endpoint to check for input validation issues with price and quantity parameters."
The skill will:
1. Generate malformed inputs for price and quantity (e.g., negative values, extremely large numbers, non-numeric characters).
2. Send these inputs to the /products endpoint.
3. Analyze the API's responses for errors or unexpected behavior, indicating input validation failures.
## Best Practices
- **Specificity**: Be specific about the API endpoint or parameters you want to fuzz.
- **Context**: Provide context about the expected behavior of the API.
- **Iteration**: Run multiple fuzzing sessions with different input sets for thorough testing.
## Integration
This skill can be used in conjunction with other security analysis tools to provide a more comprehensive assessment of an API's security posture. It can also be integrated into a CI/CD pipeline to automate security testing.

6
skills/api-fuzzer/assets/README.md Normal file
View File

@@ -0,0 +1,6 @@
# Assets
Bundled resources for api-fuzzer skill
- [ ] payload_templates/: Directory containing templates for different types of payloads (JSON, XML, etc.).
- [ ] report_template.md: Template for generating the fuzzing report.

75
skills/api-fuzzer/assets/report_template.md Normal file
View File

@@ -0,0 +1,75 @@
# API Fuzzing Report
This report summarizes the results of the API fuzzing performed using the `api-fuzzer` plugin.
## 1. Executive Summary
[**Placeholder:** Briefly summarize the overall findings of the fuzzing process. Highlight any critical vulnerabilities discovered. For example: "The API fuzzing process identified several potential vulnerabilities, including SQL injection vulnerabilities in the user authentication endpoint and XSS vulnerabilities in the data display functionality. Further investigation and remediation are recommended."]
## 2. Target API Information
* **API Endpoint(s) Fuzzed:** [**Placeholder:** List the specific API endpoints that were targeted during the fuzzing process. Example: `/users`, `/products/{id}`, `/login`]
* **API Version:** [**Placeholder:** Specify the version of the API that was fuzzed. Example: v1.0, v2.1]
* **API Description (Optional):** [**Placeholder:** Briefly describe the purpose of the API being fuzzed. Example: "The API provides access to user data and product information."]
* **Authentication Method:** [**Placeholder:** Describe the authentication method used by the API. Example: OAuth 2.0, API Key, Basic Authentication]
## 3. Fuzzing Methodology
* **Fuzzing Techniques Used:**
* Malformed Input Generation: [**Placeholder:** Describe the types of malformed inputs generated. Example: Invalid data types, unexpected characters, oversized strings]
* SQL Injection Testing: [**Placeholder:** Explain the SQL injection payloads used. Example: Payloads designed to bypass input validation and inject SQL code]
* XSS Detection: [**Placeholder:** Describe the XSS payloads used. Example: Payloads designed to inject JavaScript code into the API responses]
* Boundary Value Testing: [**Placeholder:** Explain the boundary values tested. Example: Minimum and maximum allowed values for numeric fields, empty strings]
* Random Payload Generation: [**Placeholder:** Describe the method of random payload generation. Example: Random strings, numbers, and special characters]
* **Number of Requests Sent:** [**Placeholder:** Specify the total number of requests sent to the API during the fuzzing process. Example: 10,000]
* **Fuzzing Duration:** [**Placeholder:** Indicate the total duration of the fuzzing process. Example: 2 hours]
* **Tools Used:** `api-fuzzer` plugin
## 4. Vulnerability Findings
This section details the vulnerabilities identified during the fuzzing process. For each vulnerability, provide the following information:
### Vulnerability #1
* **Vulnerability Type:** [**Placeholder:** Specify the type of vulnerability. Example: SQL Injection, XSS, Buffer Overflow, Denial of Service]
* **Endpoint:** [**Placeholder:** Specify the API endpoint where the vulnerability was found. Example: `/login`]
* **Parameter:** [**Placeholder:** Specify the vulnerable parameter. Example: `username`, `password`]
* **Payload:** [**Placeholder:** Provide the exact payload that triggered the vulnerability. Example: `' OR '1'='1`]
* **Description:** [**Placeholder:** Describe the vulnerability in detail. Explain how the payload triggered the vulnerability and the potential impact. Example: "The `username` parameter is vulnerable to SQL injection. The provided payload bypasses authentication by injecting SQL code that always evaluates to true."]
* **Severity:** [**Placeholder:** Assign a severity level to the vulnerability. Example: Critical, High, Medium, Low]
* **Recommendation:** [**Placeholder:** Provide recommendations for remediating the vulnerability. Example: "Implement parameterized queries or input validation to prevent SQL injection."]
### Vulnerability #2
* **Vulnerability Type:** [**Placeholder:** Specify the type of vulnerability. Example: SQL Injection, XSS, Buffer Overflow, Denial of Service]
* **Endpoint:** [**Placeholder:** Specify the API endpoint where the vulnerability was found. Example: `/products/{id}`]
* **Parameter:** [**Placeholder:** Specify the vulnerable parameter. Example: `id`]
* **Payload:** [**Placeholder:** Provide the exact payload that triggered the vulnerability. Example: `<script>alert('XSS')</script>`]
* **Description:** [**Placeholder:** Describe the vulnerability in detail. Explain how the payload triggered the vulnerability and the potential impact. Example: "The `id` parameter is vulnerable to XSS. The provided payload injects JavaScript code into the API response, which could allow an attacker to steal user cookies or redirect the user to a malicious website."]
* **Severity:** [**Placeholder:** Assign a severity level to the vulnerability. Example: Critical, High, Medium, Low]
* **Recommendation:** [**Placeholder:** Provide recommendations for remediating the vulnerability. Example: "Implement output encoding to prevent XSS attacks."]
[**Repeat the above Vulnerability section for each vulnerability found.**]
## 5. Non-Vulnerability Findings
This section details any unexpected behaviors or potential issues that were identified during the fuzzing process, but do not necessarily constitute a vulnerability.
* **Issue #1:** [**Placeholder:** Describe the issue. Example: "The API returned a 500 error when a very long string was provided as input. While this is not a vulnerability, it could indicate a potential denial-of-service vulnerability."]
* **Recommendation:** [**Placeholder:** Provide recommendations for addressing the issue. Example: "Implement input validation to limit the maximum length of input strings."]
[**Repeat the above Issue section for each non-vulnerability finding.**]
## 6. Conclusion
[**Placeholder:** Summarize the overall results of the fuzzing process and provide recommendations for next steps. Example: "The API fuzzing process identified several potential vulnerabilities that require further investigation and remediation. It is recommended that the development team prioritize addressing these vulnerabilities to improve the security of the API."]
## 7. Appendix
[**Placeholder:** Include any additional information that may be relevant to the report, such as:
* Detailed logs of the fuzzing process
* Sample API responses
* Links to relevant documentation
* Contact information for the fuzzing team
]

7
skills/api-fuzzer/references/README.md Normal file
View File

@@ -0,0 +1,7 @@
# References
Bundled resources for api-fuzzer skill
- [ ] api_fuzzing_best_practices.md: Document outlining best practices for API fuzzing, including common vulnerabilities to look for.
- [ ] payload_examples.md: Document containing examples of different types of payloads used in fuzzing.
- [ ] api_schema.md: Document describing the expected API schema for the target API (if available).

7
skills/api-fuzzer/scripts/README.md Normal file
View File

@@ -0,0 +1,7 @@
# Scripts
Bundled resources for api-fuzzer skill
- [ ] fuzz_api.py: Script to execute the fuzzing process, taking API endpoint and payload types as input.
- [ ] generate_payloads.py: Script to generate various types of payloads (malformed, boundary, random) for fuzzing.
- [ ] report_generator.py: Script to generate a detailed report of the fuzzing results, including vulnerabilities found.