Specialized API security scanner covering GraphQL introspection, REST abuse, WebSocket exploitation, SOAP/XXE, rate limiting bypass, and schema harvesting.
- GraphQL Recon — Introspection queries, schema extraction
- GraphQL Exploit — Field suggestion bruteforce, batching attacks, nested query DoS
- GraphQL Brute — Mutation/query name enumeration
- REST Abuse — Method switching, version downgrade (`/v1/` vs `/v2/`)
- WebSocket — WS endpoint discovery, message injection, auth bypass
- SOAP/XXE — WSDL disclosure, operation enumeration, XML External Entity
- Rate Bypass — Header manipulation, IP rotation, slow-rate attacks
- Schema Harvest — API documentation, swagger/OpenAPI extraction
- Cross-tool input — Reads findings from access.sh and hunt.sh output
- VRT-ready — Findings pre-categorized
- Resume support — Continue from last phase
- Chaining — Works with hunt.sh findings

```bash
sudo pacman -S curl jq graphql-cli nuclei arjun paramspider
git clone https://github.com/Sharon-Needles/api
cd api
sudo ln -s "$(pwd)/api.sh" /usr/local/bin/api
```

```bash
api --target "Company" --domains scope.txt --platform bugcrowd
api --target "Company" -u api_endpoints.txt --platform hackerone
api --resume ./hunts/Company_API_20260423_120000
```

```
Usage: api.sh [OPTIONS]
Options:
  --target NAME         Target name
  --domains FILE        Domains (finds /api endpoints)
  -u, --urls FILE       API URLs directly
  --platform PLATFORM   bugcrowd | hackerone
  --resume PATH         Resume hunt
  -h, --help            Show help
```

```
Company_API_20260423_*/
├── phase_1_graphql_recon.txt
├── phase_2_graphql_exploit.txt
├── phase_3_graphql_brute.txt
├── phase_4_rest_abuse.txt
├── phase_5_websocket.txt
├── phase_6_soap_xxe.txt
├── phase_7_rate_bypass.txt
├── phase_8_schema_harvest.txt
├── findings.txt
├── [SUBMIT:Px].txt
└── report.md
```

```bash
# Extract API endpoints from hunt phase 3
# (-r writes raw URLs, one per line, without JSON quotes)
cat ./hunts/Target_*/phase_3_sweep.json | jq -r '.[] | select(.url | contains("/api")) | .url' > api.txt
api --target "Target" -u api.txt --platform bugcrowd
```

- BlackArch Linux
- Bash 5.x
MIT
Use responsibly with explicit permission only.