API Fuzzing
Automated security testing for discovering API vulnerabilities
API Fuzzing is an automated security testing technique used to discover vulnerabilities in APIs. It works by sending large volumes of unexpected, malformed, or random data (payloads) to API endpoints and parameters, then analyzing the responses for errors, crashes, information leaks, or security weaknesses such as input validation failures, injection flaws (SQLi, XSS), authentication/authorization bypass, IDOR, mass assignment, business logic flaws, rate limiting issues, and hidden endpoints or parameters.
Pro Tips
- Fuzzing finds unknown vulnerabilities automated tools miss
- Test different data types: JSON, XML, form data, headers
- Look for error messages that reveal internal information
Before starting API fuzzing, you need the right tools installed and configured.
Tools & Resources
Pro Tips
- ffuf is fastest - learn its flags well
- SecLists has wordlists for every scenario
- Use Burp with ffuf via proxy for full capture
Start with simple parameter fuzzing using GET requests. This discovers hidden parameters that may reveal additional functionality or vulnerabilities.
Commands
ffuf -u "https://api.target.com/user?id=FUZZ" -w wordlist.txt -mc 200,403
ffuf -u "https://api.target.com/search?q=FUZZ" -w wordlist.txt -mc 200
ffuf -u "https://api.target.com/item/FUZZ" -w wordlist.txt -mc 200,201,204
Pro Tips
- Start with small wordlists for speed
- Match multiple status codes with -mc flag
- Check for different response sizes with -fs
Discover hidden API endpoints that may not be documented or publicly accessible.
Commands
ffuf -u https://api.target.com/FUZZ -w SecLists/Discovery/Web-Content/api-endpoints.txt -mc 200
ffuf -u https://api.target.com/api/v1/FUZZ -w wordlist.txt -mc 200,201,204
ffuf -u https://api.target.com/FUZZ -w SecLists/Discovery/Web-Content/data-science.txt -mc 200
Pro Tips
- Check /api/, /v1/, /v2/ prefixes
- Look for admin or internal endpoints
- Test common API patterns: rest, graphql, soap
Fuzz POST endpoints with JSON payloads. This is common for authentication and data submission endpoints.
Commands
ffuf -u https://api.target.com/login -X POST -H "Content-Type: application/json" -d '{"username":"admin","password":"FUZZ"}' -w passwords.txt
ffuf -u https://api.target.com/register -X POST -H "Content-Type: application/json" -d '{"email":"FUZZ@test.com","password":"test123"}' -w wordlist.txt
ffuf -u https://api.target.com/api/submit -X POST -H "Content-Type: application/json" -d '{"data":"FUZZ"}' -w wordlist.txt
Pro Tips
- Always set correct Content-Type header
- Test for SQL injection in JSON fields
- Look for error messages in responses
Use clusterbomb mode to fuzz multiple parameters simultaneously. This is useful for credential stuffing and multi-field testing.
Commands
ffuf -mode clusterbomb -u https://api.target.com/login -X POST -H "Content-Type: application/json" -d '{"username":"USER","password":"PASS"}' -w users.txt:USER -w passwords.txt:PASS -mc 200
ffuf -mode clusterbomb -u https://api.target.com/search -X POST -H "Content-Type: application/json" -d '{"query":"QUERY","filter":"FILTER"}' -w queries.txt:QUERY -w filters.txt:FILTER -mc 200
ffuf -mode clusterbomb -u https://api.target.com/transfer -X POST -H "Content-Type: application/json" -d '{"from":"FROM","to":"TO","amount":"AMOUNT"}' -w accounts.txt:FROM -w accounts.txt:TO -w amounts.txt:AMOUNT -fc 401,403
Pro Tips
- Clusterbomb tries all combinations
- Use -fc to filter error codes
- Can generate many requests - use -t to limit
Fuzz HTTP headers to discover authentication bypass, API key exposure, or rate limiting issues.
Commands
ffuf -u https://api.target.com/admin -H "Authorization: Bearer FUZZ" -w tokens.txt -mc 200,403
ffuf -u https://api.target.com/api -H "X-Api-Key: FUZZ" -w api-keys.txt -mc 200
ffuf -u https://api.target.com/user -H "X-Forwarded-For: FUZZ" -w ips.txt -fs 0
ffuf -u https://api.target.com/admin -H "X-Admin: FUZZ" -w wordlist.txt -mc 200,403
Pro Tips
- Common headers: Authorization, X-API-Key, X-Token
- Test for host header injection too
- Look for different responses when headers change
Use recursive scanning to discover nested directories and API paths.
Commands
ffuf -u https://api.target.com/FUZZ -w directories.txt -recursion -recursion-depth 3
ffuf -u https://api.target.com/FUZZ -w directories.txt -recursion -e .json,.xml,.bak
ffuf -u https://api.target.com/api/v1/FUZZ -w wordlist.txt -recursion -recursion-depth 2 -mc 200
Pro Tips
- Be careful with recursion depth
- Use extensions to find config files
- Can find backup files this way
Test with special characters and edge cases to find input validation vulnerabilities.
Commands
ffuf -u https://api.target.com/users -X POST -d '{"name":"FUZZ"}' -w SecLists/Fuzzing/big-list-of-naughty-strings.txt -mc 500
ffuf -u "https://api.target.com/search?q=FUZZ" -w SecLists/Fuzzing/Injection-SQL.txt -mc 500,400
ffuf -u "https://api.target.com/user?name=FUZZ" -w SecLists/Fuzzing/Soft/web-proxies.txt -mc 400,500
Pro Tips
- Watch for 500 status - internal errors
- SQLi, XSS, Command injection possible
- Check for reflected data in response
Discover API subdomains and virtual hosts that may contain different functionality.
Commands
ffuf -u https://FUZZ.api.target.com -w subdomains.txt -mc 200
ffuf -u https://api.target.com -H "Host: FUZZ" -w vhosts.txt -fs 12345
ffuf -u https://FUZZ.target.com -w wordlist.txt -mc 200,403
Pro Tips
- Look for api-internal, dev, staging
- VHost can reveal different content
- Check DNS records for additional targets
Test SOAP and other XML-based APIs for vulnerabilities.
Commands
ffuf -u https://api.target.com/user -X POST -H "Content-Type: application/xml" -d '<user><FUZZ>value</FUZZ></user>' -w fields.txt
ffuf -u https://api.target.com/soap -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><soap><FUZZ></FUZZ></soap>' -w xml-tags.txt
ffuf -u https://api.target.com/api -X POST -H "Content-Type: application/xml" -d '<request><FUZZ>test</FUZZ></request>' -w fields.txt -fc 400,500
Pro Tips
- SOAP APIs often have XXE vulnerabilities
- Test for XXE with external entities
- Check XML parser behavior
Common flags that refine your fuzzing commands. Master these for efficient testing.
Commands
-t 100                        threads (concurrency)
-mc 200,201,204,301,403       match only these status codes
-fs 1234                      filter out responses of this size in bytes
-fw 50                        filter out responses with this word count
-o results.json -of json      write results to a file, here in JSON format
-x http://127.0.0.1:8080      send all requests through a proxy (e.g. Burp)
-v                            verbose output (full URLs and redirect locations)
-s                            silent mode, results only
-rate 50                      limit the request rate to 50 requests per second
-timeout 10                   HTTP request timeout in seconds
Pro Tips
- Combine -mc and -fc for precision
- Use -o for reporting to clients
- Always use proxy for bug bounty programs
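When -o results.json -of json is used, the hits still need triage before they go into a report. The following script is an added example, not part of the original page or of ffuf itself; it assumes ffuf's JSON layout of a top-level "results" list whose entries carry "input", "status", "length" and "url", and the sample data embedded below is constructed. It computes the most common (status, length) pair as the catch-all baseline (the value you would pass to -fs or -fc on the next run) and lists only the responses that differ from it, with 5xx responses first.

```python
import json
from collections import Counter

# Constructed sample in the shape ffuf writes with "-o results.json -of json":
# a top-level "results" list, one entry per hit. Hosts and values are made up.
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -u https://api.example.test/FUZZ -w wordlist.txt -o results.json -of json",
    "results": [
        {"input": {"FUZZ": "users"},  "status": 200, "length": 1234, "url": "https://api.example.test/users"},
        {"input": {"FUZZ": "items"},  "status": 200, "length": 1234, "url": "https://api.example.test/items"},
        {"input": {"FUZZ": "orders"}, "status": 200, "length": 1234, "url": "https://api.example.test/orders"},
        {"input": {"FUZZ": "admin"},  "status": 403, "length": 88,   "url": "https://api.example.test/admin"},
        {"input": {"FUZZ": "debug"},  "status": 500, "length": 2310, "url": "https://api.example.test/debug"},
    ],
})


def load_results(text):
    """Parse ffuf JSON output and return its results list."""
    return json.loads(text)["results"]


def baseline(results):
    """Most common (status, length) pair: the catch-all response that should
    be filtered on the next run with -fs <length> or -fc <status>."""
    return Counter((r["status"], r["length"]) for r in results).most_common(1)[0][0]


def outliers(results):
    """Hits whose (status, length) differs from the baseline, i.e. the ones
    worth a manual look. Sorted with 5xx responses first, then by URL."""
    base = baseline(results)
    hits = [r for r in results if (r["status"], r["length"]) != base]
    return sorted(hits, key=lambda r: (-(r["status"] // 500), r["url"]))


def server_errors(results):
    """FUZZ values that produced a 5xx: candidates for the 'look for error
    messages' step and for reporting as input validation failures."""
    return [r["input"]["FUZZ"] for r in results if 500 <= r["status"] < 600]


if __name__ == "__main__":
    res = load_results(SAMPLE_FFUF_JSON)
    print("baseline (status, length):", baseline(res))
    for r in outliers(res):
        print(f'{r["status"]} {r["length"]:>6} {r["url"]}')
```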
wfuzz is another powerful fuzzer with slightly different syntax. It is a good alternative for specific scenarios.
Commands
wfuzz -c -z file,users.txt -z file,passwords.txt -d "username=FUZZ&password=FUZ2Z" --hs "Invalid" https://api.target.com/login
wfuzz -c -z file,parameters.txt -u "https://api.target.com/?FUZZ=1"
wfuzz -c -z file,wordlist.txt -u "https://api.target.com/FUZZ" --hc 404
wfuzz -c -z file,wordlist.txt -z file,highcard.txt -u "https://api.target.com/api/FUZZ/FUZ2Z" --hc 404
Pro Tips
- wfuzz syntax differs from ffuf
- Use --hc/--hs to filter responses
- Good for complex filtering scenarios
Follow these best practices for effective and safe API fuzzing.
Pro Tips
- Always start with small wordlists
- Use proxies when testing live targets
- Test on authorized bug bounty programs or labs only
- Document all findings with steps to reproduce
- Check rate limiting - don't get blocked
- Look for information in error messages
- Test all HTTP methods: GET, POST, PUT, DELETE, PATCH
- Analyze response times for timing-based attacks
- Check for business logic vulnerabilities
- Don't forget to test headers and cookies
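The "check rate limiting" tip has a defender's counterpart: the same wordlist walk that ffuf performs leaves a distinctive trace in access logs, and that is what a rate limiter or WAF rule keys on. The script below is an added example, not from the original page; it parses constructed combined-format log lines (no real server or client) and flags source IPs with many requests, a high share of 4xx/5xx responses and mostly distinct paths. It also notes ffuf's default User-Agent, assumed here to start with "Fuzz Faster U Fool" (easily overridden with -H, so the path/error heuristic is the part to rely on). Timestamps are parsed but not windowed, to keep the example short.

```python
import re
from collections import defaultdict

# Constructed combined-format log lines. 203.0.113.5 walks a wordlist and gets
# mostly 404s; 198.51.100.9 is an ordinary client. Neither is a real host.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/users HTTP/1.1" 200 1234 "-" "Fuzz Faster U Fool/2.1.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/admin HTTP/1.1" 404 88 "-" "Fuzz Faster U Fool/2.1.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/debug HTTP/1.1" 404 88 "-" "Fuzz Faster U Fool/2.1.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /api/v1/backup HTTP/1.1" 404 88 "-" "Fuzz Faster U Fool/2.1.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /api/v1/config HTTP/1.1" 404 88 "-" "Fuzz Faster U Fool/2.1.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /api/v1/internal HTTP/1.1" 403 88 "-" "Fuzz Faster U Fool/2.1.0"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /api/v1/users HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:42 +0000] "POST /api/v1/orders HTTP/1.1" 201 64 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, path, status and user-agent from a combined-format line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def score_clients(log_text, min_requests=5, error_ratio=0.6, min_unique_paths=5):
    """Flag source IPs whose traffic looks like endpoint fuzzing: enough requests,
    a high share of 4xx/5xx and mostly distinct paths (a wordlist being walked)."""
    stats = defaultdict(lambda: {"n": 0, "errors": 0, "paths": set(), "ffuf_ua": False})
    for r in parse(log_text):
        s = stats[r["ip"]]
        s["n"] += 1
        s["errors"] += r["status"][0] in "45"          # count 4xx and 5xx
        s["paths"].add(r["path"])
        s["ffuf_ua"] |= r["ua"].startswith("Fuzz Faster U Fool")  # assumed ffuf default UA
    flagged = {}
    for ip, s in stats.items():
        ratio = s["errors"] / s["n"]
        if s["n"] >= min_requests and ratio >= error_ratio and len(s["paths"]) >= min_unique_paths:
            flagged[ip] = {"requests": s["n"], "error_ratio": round(ratio, 2),
                           "unique_paths": len(s["paths"]), "default_ffuf_ua": s["ffuf_ua"]}
    return flagged


if __name__ == "__main__":
    for ip, info in score_clients(SAMPLE_LOG).items():
        print(ip, info)
```

Thresholds are deliberately conservative; on a real API, tune them per route group so that a legitimate client hitting a few missing resources is not flagged.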
Quick ffuf Flags Reference
-t 100              threads
-mc 200,403         match codes
-fs 1234            filter size
-o out.json         output
-x proxy            proxy
-mode clusterbomb   multi-position
For educational and authorized testing purposes only. Always obtain proper authorization before testing.