API Breaker
Automated API security testing for REST, GraphQL, and WebSocket APIs.
What It Does
Discovers API endpoints, reconstructs schemas from responses, and tests for object-level authorization flaws (BOLA/IDOR), function-level authorization bypass (BFLA), mass assignment, JWT attacks, rate limiting bypass, and business logic vulnerabilities. Covers OpenAPI, GraphQL introspection, and WebSocket message analysis.
Scripts
| Script | Description |
|---|---|
| api_discovery | Endpoint discovery — OpenAPI specs, JS source extraction, common path brute force |
| schema_builder | Schema reconstruction from response shapes, type inference, and parameter mapping |
| auth_analyzer | Authentication analysis — token formats, expiry, refresh flows, misconfigurations |
| authz_tester | Authorization testing — BOLA/IDOR across object IDs, BFLA across roles |
| mass_assignment | Mass assignment probing — hidden params, nested object injection |
| rate_limiter | Rate limit testing — threshold detection, bypass via headers and IP rotation |
| graphql_tester | GraphQL introspection, query depth attacks, batching, field suggestion leaks |
| websocket_tester | WebSocket handshake analysis, message tampering, CSWSH testing |
| jwt_tester | JWT attacks — alg=none, key confusion, kid injection, weak HMAC secrets |
| api_report | Structured API security report with endpoint-risk mapping |
When to Use
Use when the target exposes REST, GraphQL, SOAP, or WebSocket APIs. Run api_discovery first, then feed endpoints into schema_builder, followed by targeted testers.
Usage
RedTeamScript(skill="api-breaker", script="jwt_tester", args="--token eyJhbGciOi... --output jwt.json")