Claude-code-plugins fuzzing-apis
install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/testing/api-fuzzer/skills/fuzzing-apis" ~/.claude/skills/jeremylongshore-claude-code-plugins-fuzzing-apis-e6d507 && rm -rf "$T"
manifest:
plugins/testing/api-fuzzer/skills/fuzzing-apis/SKILL.mdsource content
API Fuzzer
Overview
Perform API fuzzing to discover crashes, unhandled exceptions, security vulnerabilities, and edge case failures by sending malformed, unexpected, and boundary-value inputs to API endpoints. Supports RESTler (stateful REST API fuzzing), Schemathesis (OpenAPI-driven property-based testing), custom fuzz harnesses with fast-check, and OWASP ZAP active scanning.
Prerequisites
- API specification available (OpenAPI/Swagger, GraphQL SDL, or Protobuf definitions)
- Target API running in a test environment (never fuzz production)
- Fuzzing tool installed (Schemathesis, RESTler, or custom harness with fast-check/Hypothesis)
- API authentication credentials for protected endpoints
- Error logging enabled on the target server to capture crashes and stack traces
Instructions
- Parse the API specification to identify all endpoints, methods, and input schemas:
- Read OpenAPI spec files using Glob (
,**/openapi.yaml
).**/swagger.json - Catalog each endpoint's parameters (path, query, header, body) and their types.
- Note validation constraints (min/max, pattern, enum, required fields).
- Read OpenAPI spec files using Glob (
- Configure the fuzzing strategy:
- Schema-based: Generate inputs that violate schema constraints (wrong types, missing fields, extra fields).
- Mutation-based: Start with valid requests and mutate individual fields (bit flips, boundary values, special characters).
- Dictionary-based: Use known problematic inputs (SQL injection, XSS payloads, format strings, null bytes).
- Define fuzz input categories for each parameter type:
- Strings: Empty, very long (10K+ chars), unicode, null bytes, format strings (
), path traversal (%s%n
).../../etc/passwd - Numbers: 0, -1, MAX_INT, MIN_INT, NaN, Infinity, floats where ints expected.
- Arrays: Empty, single element, thousands of elements, nested arrays, mixed types.
- Objects: Empty, missing required fields, extra unknown fields, deeply nested (100+ levels).
- Dates: Invalid formats, epoch zero, far future, negative timestamps.
- Strings: Empty, very long (10K+ chars), unicode, null bytes, format strings (
- Execute the fuzzing campaign:
- Run Schemathesis:
.schemathesis run http://localhost:3000/openapi.json --stateful=links - Or run RESTler:
.restler-fuzzer fuzz --grammar_file grammar.py - Or write custom fuzz tests with fast-check/Hypothesis for targeted endpoints.
- Set a time budget (30-60 minutes for initial run).
- Run Schemathesis:
- Analyze findings:
- 5xx responses: Unhandled server errors -- file as bugs.
- Crashes/hangs: Application process terminated or stopped responding.
- Resource exhaustion: Memory/CPU spike from malicious payloads.
- Information disclosure: Stack traces, internal paths, or credentials in error responses.
- For each finding, create a minimal reproducer (smallest input that triggers the issue).
- Write regression tests for confirmed bugs to prevent reintroduction.
Output
- Fuzz campaign report with discovered issues sorted by severity
- Minimal reproducer for each finding (curl command or test case)
- Categorized findings: crashes, unhandled errors, security issues, validation gaps
- Regression test file with one test per confirmed bug
- Coverage metrics showing which endpoints and parameters were fuzzed
Error Handling
| Error | Cause | Solution |
|---|---|---|
| Fuzzer cannot parse API spec | Invalid or incomplete OpenAPI specification | Validate the spec with |
| All requests return 401 | Authentication not configured in fuzzer | Provide auth headers via |
| Server crashes during fuzzing | Unhandled exception or resource exhaustion | Restart the server with a process manager; enable crash dump collection; add OOM killer threshold |
| Too many false positives (500 errors) | Application returns 500 for expected validation errors | Filter known error patterns; configure the fuzzer to ignore specific response bodies |
| Fuzzer generates unrealistic inputs | Schema-based generation produces impossible combinations | Add |
Examples
Schemathesis OpenAPI fuzzing:
# Basic schema-based fuzzing schemathesis run http://localhost:3000/api/openapi.json \ # 3000: 3 seconds in ms --stateful=links \ --hypothesis-max-examples=500 \ # HTTP 500 Internal Server Error --base-url=http://localhost:3000 \ # 3 seconds in ms --header "Authorization: Bearer $TEST_TOKEN" # With specific checks schemathesis run http://localhost:3000/api/openapi.json \ # 3 seconds in ms --checks all \ --validate-schema=true
fast-check property-based API test:
import fc from 'fast-check'; import request from 'supertest'; import { app } from '../src/app'; test('POST /api/users handles arbitrary input without crashing', async () => { await fc.assert( fc.asyncProperty( fc.record({ name: fc.string(), email: fc.string(), age: fc.oneof(fc.integer(), fc.string(), fc.constant(null)), }), async (body) => { const res = await request(app).post('/api/users').send(body); expect(res.status).toBeLessThan(500); // No server errors # HTTP 500 Internal Server Error } ), { numRuns: 200 } # HTTP 200 OK ); });
Custom fuzz dictionary for injection testing:
[ "' OR '1'='1", "<script>alert(1)</script>", "${7*7}", "{{7*7}}", "../../../etc/passwd", "\u0000", "A".repeat(100000) # 100000 = configured value ]
Resources
- Schemathesis: https://schemathesis.readthedocs.io/
- RESTler (Microsoft): https://github.com/microsoft/restler-fuzzer
- fast-check (property-based testing): https://fast-check.dev/
- Hypothesis (Python): https://hypothesis.readthedocs.io/
- OWASP Fuzzing: https://owasp.org/www-community/Fuzzing