Skip to content

API Security & GraphQL Fuzzing #43

New issue
New issue
Open
Open
API Security & GraphQL Fuzzing#43
Labels
enhancementNew feature or requesthelp wantedExtra attention is needed
@samugit83

Description

@samugit83
samugit83
opened on Mar 5, 2026

Description

OpenAPI parsing, GraphQL introspection, BOLA/IDOR/injection fuzzing per OWASP API Top 10.

What already exists

  • Kiterunner API bruteforcer with 354K+ Swagger/OpenAPI-derived routes
  • GraphQL endpoint detection (/graphql, /gql, /api/graphql)
  • BOLA/IDOR risk classification (id_params detection)
  • Nuclei DAST mode for active fuzzing
  • API parameter categorization (id, file, auth, redirect, command params)

What needs to be built

  • GraphQL introspection and schema enumeration
  • GraphQL query/mutation fuzzing
  • OpenAPI spec parsing for automated test case generation
  • Dedicated BOLA/IDOR automated exploitation
  • JWT/OAuth/API key authentication testing
  • CORS/CSRF API testing
  • Rate limiting bypass detection
  • OWASP API Top 10 coverage mapping

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesthelp wantedExtra attention is needed

    Projects

    RedAmon Roadmap

    Status

    Up for grabs

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions