Tech-Specific Attacks

API Fuzzing is an automated security testing technique used to discover vulnerabilities in APIs. It works by sending massive amounts of unexpected, malformed, or random data (payloads) to API endpoints and parameters, then analyzing the responses for errors, crashes, information leaks, or security weaknesses such as input validation failures, injection flaws (SQLi, XSS), authentication/authorization bypass, IDOR, mass assignment, business logic flaws, rate limiting issues, and hidden endpoints or parameters.

Pro Tips

Fuzzing finds unknown vulnerabilities automated tools miss
Test different data types: JSON, XML, form data, headers
Look for error messages that reveal internal information

Before starting API fuzzing, you need the right tools installed and configured.

Tools & Resources

ffuf

Fastest and most recommended - Go-based web fuzter

wfuzz

Good for complex POST requests

SecLists

Best wordlists collection

Burp Suite Intruder

GUI fuzter - great for beginners

RESTler

Smart fuzzing using OpenAPI/Swagger spec

Hoppscotch

For manual testing + collection runner

Pro Tips

ffuf is fastest - learn its flags well
SecLists has wordlists for every scenario
Use Burp with ffuf via proxy for full capture

Start with simple parameter fuzzing using GET requests. This discovers hidden parameters that may reveal additional functionality or vulnerabilities.

Commands

1Basic parameter fuzzing

ffuf -u "https://api.target.com/user?id=FUZZ" -w wordlist.txt -mc 200,403

2Search parameter fuzzing

ffuf -u "https://api.target.com/search?q=FUZZ" -w wordlist.txt -mc 200

3Path parameter fuzzing

ffuf -u "https://api.target.com/item/FUZZ" -w wordlist.txt -mc 200,201,204

Pro Tips

Start with small wordlists for speed
Match multiple status codes with -mc flag
Check for different response sizes with -fs

Discover hidden API endpoints that may not be documented or publicly accessible.

Commands

1API endpoint discovery

ffuf -u https://api.target.com/FUZZ -w SecLists/Discovery/Web-Content/api-endpoints.txt -mc 200

2API v1 endpoint discovery

ffuf -u https://api.target.com/api/v1/FUZZ -w wordlist.txt -mc 200,201,204

3Alternative wordlist

ffuf -u https://api.target.com/FUZZ -w SecLists/Discovery/Web-Content/data-science.txt -mc 200

Pro Tips

Check /api/, /v1/, /v2/ prefixes
Look for admin or internal endpoints
Test common API patterns: rest, graphql, soap

Fuzz POST endpoints with JSON payloads. This is common for authentication and data submission endpoints.

Commands

1Password fuzzing in JSON

ffuf -u https://api.target.com/login -X POST -H "Content-Type: application/json" -d '{"username":"admin","password":"FUZZ"}' -w passwords.txt

2Email fuzzing in registration

ffuf -u https://api.target.com/register -X POST -H "Content-Type: application/json" -d '{"email":"FUZZ@test.com","password":"test123"}' -w wordlist.txt

3Generic data fuzzing

ffuf -u https://api.target.com/api/submit -X POST -H "Content-Type: application/json" -d '{"data":"FUZZ"}' -w wordlist.txt

Pro Tips

Always set correct Content-Type header
Test for SQL injection in JSON fields
Look for error messages in responses

Use clusterbomb mode to fuzz multiple parameters simultaneously. This is useful for credential stuffing and multi-field testing.

Commands

1Username + password fuzzing

ffuf -mode clusterbomb -u https://api.target.com/login -X POST -d '{"username":"USER","password":"PASS"}' -w users.txt:USER -w passwords.txt:PASS -mc 200

2Multiple parameter fuzzing

ffuf -mode clusterbomb -u https://api.target.com/search -d '{"query":"QUERY","filter":"FILTER"}' -w queries.txt:QUERY -w filters.txt:FILTER -mc 200

3Transfer parameter fuzzing

ffuf -mode clusterbomb -u https://api.target.com/transfer -X POST -d '{"from":"FROM","to":"TO","amount":"AMOUNT"}' -w accounts.txt:FROM -w amounts.txt:AMOUNT -fc 401,403

Pro Tips

Clusterbomb tries all combinations
Use -fc to filter error codes
Can generate many requests - use -t to limit

Fuzz HTTP headers to discover authentication bypass, API key exposure, or rate limiting issues.

Commands

1Authorization header fuzzing

ffuf -u https://api.target.com/admin -H "Authorization: Bearer FUZZ" -w tokens.txt -mc 200,403

2API key header fuzzing

ffuf -u https://api.target.com/api -H "X-Api-Key: FUZZ" -w api-keys.txt -mc 200

3IP spoofing header fuzzing

ffuf -u https://api.target.com/user -H "X-Forwarded-For: FUZZ" -w ips.txt -fs 0

4Custom header fuzzing

ffuf -u https://api.target.com/admin -H "X-Admin: FUZZ" -w wordlist.txt -mc 200,403

Pro Tips

Common headers: Authorization, X-API-Key, X-Token
Test for host header injection too
Look for different responses when headers change

Fuzz cookies to discover session handling issues, authentication bypass, or privilege escalation.

Commands

1Session cookie fuzzing

ffuf -u https://api.target.com/dashboard -H "Cookie: session=FUZZ" -w cookies.txt -mc 200,403

2Auth token fuzzing

ffuf -u https://api.target.com/profile -H "Cookie: auth=FUZZ" -w tokens.txt -mc 200

3IDOR via cookie fuzzing

ffuf -u https://api.target.com/admin -H "Cookie: role=user" -H "Cookie: user_id=FUZZ" -w ids.txt

Pro Tips

Look for predictable session tokens
Test for privilege escalation
Check if cookies are properly validated

Discover hidden parameters that may not be visible in forms or documented APIs.

Commands

1Hidden parameter discovery

ffuf -u "https://api.target.com/api?FUZZ=test" -w SecLists/Discovery/Web-Content/burp-parameter-names.txt -fs 148

2Additional parameter fuzzing

ffuf -u "https://api.target.com/user?id=1&FUZZ=1" -w wordlist.txt -fs 0,23

3Filter common responses

ffuf -u "https://api.target.com/search?q=test&FUZZ" -w SecLists/Discovery/Web-Content/burp-parameter-names.txt -fc 404

Pro Tips

Use -fs to filter known response sizes
Common hidden params: debug, admin, internal, _id
Also test POST with hidden parameters

Use recursive scanning to discover nested directories and API paths.

Commands

1Recursive directory fuzzing

ffuf -u https://api.target.com/FUZZ -w directories.txt -recursion -recursion-depth 3

2Recursive with extensions

ffuf -u https://api.target.com/FUZZ -w directories.txt -recursion -e .json,.xml,.bak

3API version fuzzing

ffuf -u https://api.target.com/api/v1/FUZZ -w wordlist.txt -recursion -recursion-depth 2 -mc 200

Pro Tips

Be careful with recursion depth
Use extensions to find config files
Can find backup files this way

Test with special characters and edge cases to find input validation vulnerabilities.

Commands

1Input validation fuzzing

ffuf -u https://api.target.com/users -X POST -d '{"name":"FUZZ"}' -w SecLists/Fuzzing/big-list-of-naughty-strings.txt -mc 500

2SQL injection fuzzing

ffuf -u "https://api.target.com/search?q=FUZZ" -w SecLists/Fuzzing/Injection-SQL.txt -mc 500,400

3XSS character fuzzing

ffuf -u "https://api.target.com/user?name=FUZZ" -w SecLists/Fuzzing/Soft/web-proxies.txt -mc 400,500

Pro Tips

Watch for 500 status - internal errors
SQLi, XSS, Command injection possible
Check for reflected data in response

Discover API subdomains and virtual hosts that may contain different functionality.

Commands

1Subdomain fuzzing

ffuf -u https://FUZZ.api.target.com -w subdomains.txt -mc 200

2VHost fuzzing

ffuf -u https://api.target.com -H "Host: FUZZ" -w vhosts.txt -fs 12345

3Alternative subdomain approach

ffuf -u https://FUZZ.target.com -w wordlist.txt -mc 200,403

Pro Tips

Look for api-internal, dev, staging
VHost can reveal different content
Check DNS records for additional targets

Test SOAP and other XML-based APIs for vulnerabilities.

Commands

1XML field fuzzing

ffuf -u https://api.target.com/user -X POST -H "Content-Type: application/xml" -d '<user><FUZZ>value</FUZZ></user>' -w fields.txt

2SOAP envelope fuzzing

ffuf -u https://api.target.com/soap -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><soap><FUZZ></FUZZ></soap>' -w xml-tags.txt

3XML error filtering

ffuf -u https://api.target.com/api -X POST -H "Content-Type: application/xml" -d '<request><FUZZ>test</FUZZ></request>' -w fields.txt -fc 400,500

Pro Tips

SOAP APIs often haveXXE vulnerabilities
Test for XXE with external entities
Check XML parser behavior

Common flags to enhance your fuzzing commands. Master these for efficient testing.

Commands

1100 threads for faster fuzzing

-t 100

2Match specific status codes

-mc 200,201,204,301,403

3Filter response size

-fs 1234

4Filter word count

-fw 50

5Save output to JSON

-o results.json -of json

6Use Burp proxy

-x http://127.0.0.1:8080

7Verbose mode

-v

8Silent mode (no progress)

-s

9Limit requests per second

-rate 50

10Request timeout in seconds

-timeout 10

Pro Tips

Combine -mc and -fc for precision
Use -o for reporting to clients
Always use proxy for bug bounty programs

wfuzz is another powerful fuzzer with slightly different syntax. Good alternative for specific scenarios.

Commands

1Login brute force (hide Invalid)

wfuzz -c -z file,users.txt -z file,passwords.txt -d "username=FUZZ&password=FUZZ2" --hs "Invalid" https://api.target.com/login

2Parameter fuzzing

wfuzz -c -z file,parameters.txt -u "https://api.target.com/?FUZZ=1"

3Hide 404 responses

wfuzz -c -z file,wordlist.txt -u "https://api.target.com/FUZZ" --hc 404

4High cardinality mode

wfuzz -c -z file,wordlist.txt -u "https://api.target.com/api/FUZZ" -w highcard.txt

Pro Tips

wfuzz syntax differs from ffuf
Use --hc/--hs to filter responses
Good for complex filtering scenarios

Follow these best practices for effective and safe API fuzzing.

Pro Tips

Always start with small wordlists
Use proxies when testing live targets
Test on authorized bug bounty programs or labs only
Document all findings with steps to reproduce
Check rate limiting - don't get blocked
Look for information in error messages
Test all HTTP methods: GET, POST, PUT, DELETE, PATCH
Analyze response times for timing-based attacks
Check for business logic vulnerabilities
Don't forget to test headers and cookies

API Fuzzing

Table of Contents

What is API Fuzzing?

Pro Tips

Helpful Tools

Tools & Resources

Pro Tips

Step 1: Basic Parameter Fuzzing

Commands

Pro Tips

Step 2: Endpoint / Directory Discovery

Commands

Pro Tips

Step 3: POST JSON Fuzzing

Commands

Pro Tips

Step 4: Multiple Positions (Clusterbomb)

Commands

Pro Tips

Step 5: Header Fuzzing

Commands

Pro Tips

Step 6: Cookie Fuzzing

Commands

Pro Tips

Step 7: Hidden Parameter Discovery

Commands

Pro Tips

Step 8: Recursive Fuzzing

Commands

Pro Tips

Step 9: Naughty Strings (Input Validation)

Commands

Pro Tips

Step 10: Subdomain & VHost Fuzzing

Commands

Pro Tips

Step 11: XML Fuzzing

Commands

Pro Tips

Useful ffuf Flags Reference

Commands

Pro Tips

wfuzz Examples (Alternative)

Commands

Pro Tips

Best Practices & Tips

Pro Tips

Quick ffuf Flags Reference

API Fuzzing

Table of Contents

What is API Fuzzing?

Pro Tips

Helpful Tools

Tools & Resources

Pro Tips

Step 1: Basic Parameter Fuzzing

Commands

Pro Tips

Step 2: Endpoint / Directory Discovery

Commands

Pro Tips

Step 3: POST JSON Fuzzing

Commands

Pro Tips

Step 4: Multiple Positions (Clusterbomb)

Commands

Pro Tips

Step 5: Header Fuzzing

Commands

Pro Tips

Step 6: Cookie Fuzzing

Commands

Pro Tips

Step 7: Hidden Parameter Discovery

Commands

Pro Tips

Step 8: Recursive Fuzzing

Commands

Pro Tips