← 返回 Skill 列表

extension

分类: 安全与合规无需 API Key

Pentest Api Attacker

依据 OWASP API 安全 Top 10 测试 API，涵盖发现、认证滥用及协议特定检查。

Pentest API Attacker

Stage

PTES: 5
MITRE: T1190

Objective

Enumerate and test API endpoints and business logic attack vectors.

Required Workflow

Validate scope before any active action and reject out-of-scope targets.
Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
Write findings in canonical finding_schema format with reproducible PoC notes.
Honor dry-run mode and require explicit --i-have-authorization for live execution.
Export deterministic artifacts for downstream skill consumption.

Execution

python skills/pentest-api-attacker/scripts/api_attacker.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run

Outputs

api-endpoints.json
api-findings.json
api-attack-report.json

References

references/tools.md
skills/autonomous-pentester/shared/scope_schema.json
skills/autonomous-pentester/shared/finding_schema.json

Legal and Ethical Notice

WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.