API Fuzzing for Bug Bounty

Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors. Identify API type and enumerate endpoints: Insecure Direct Object Reference is the most common API vulnerability: IDOR Bypass Techniques: SQL Injection in JSON: Command Injection: XXE Injection: SSRF via API: .NET Path.Combine Vulnerability: Fetch entire backend schema: URL-encoded version: When receiving 403/401, try these bypasses: Must: Must Not: Should: - Burp Suite or similar proxy tool - API wordlists (SecLists, api_wordlist) - Understanding of REST/GraphQL/SOAP protocols - Python for scripting - Target API endpoints and documentation (if available) - Identified API vulnerabilities - IDOR exploitation proofs - Authentication bypass techniques - SQL injection points - Unauthorized data access documentation - Test mobile, web, and developer APIs separately - Check all API versions (/v1, /v2, /v3) - Validate both authenticated and unauthenticated access - Assume same security controls across API versions - Skip testing undocumented endpoints - Ignore rate limiting checks - Add X-Requested-With: XMLHttpRequest header to simulate frontend - Check archive.org for historical API endpoints - Test for race conditions on sensitive operations