hunt-api-misconfig
Identifies and exploits API security misconfigurations, including mass assignment and JWT vulnerabilities, enhancing security assessments.
Security score: 56/100
The hunt-api-misconfig skill was audited on Jun 6, 2026 and we found 12 security issues across 4 threat categories, including 1 critical. Review the findings below before installing.
Security Issues
medium, line 178: Node child_process module reference (Source: SKILL.md)
| 178 | - **`hunt-rce`** — Prototype pollution gadgets in Node.js dependencies (lodash, mongoose, jQuery) reach `child_process.spawn`. Chain primitive: Prototype pollution (`__proto__.shell=true`) + `hunt-rce |
medium, line 39: Curl to non-GitHub URL (Source: SKILL.md)
| 39 | curl -s -I -H "Origin: https://evil.com" https://target.com/api/user/me |
critical, line 95: Access to /etc/passwd (Source: SKILL.md)
| 95 | Only triggers when the OData layer string-concatenates into SQL instead of using LINQ. Documented in [OData/WebApi Issue #2352](https://github.com/OData/WebApi/issues/2352). The XML-deserialisation va |
low, line 39: External URL reference (Source: SKILL.md)
| 39 | curl -s -I -H "Origin: https://evil.com" https://target.com/api/user/me |
low, line 40: External URL reference (Source: SKILL.md)
| 40 | # If: Access-Control-Allow-Origin: https://evil.com + Access-Control-Allow-Credentials: true |
low, line 57: External URL reference (Source: SKILL.md)
| 57 | Iterate prefix character-by-character; cardinality of the response (or `@odata.count`) is the boolean oracle that confirms the prefix is correct. No SQLi engine needed, no `'`/`--` characters — the WA |
low, line 77: External URL reference (Source: SKILL.md)
| 77 | WAFs that scan only the outer request body (or that don't natively parse `multipart/mixed`) skip every inner operation. ModSecurity refused `multipart/mixed` historically ([Issue #3296](https://github |
low, line 87: External URL reference (Source: SKILL.md)
| 87 | Mixed-case operators (`Eq`, `EQ`) and obscure ones (`substringof`, `tolower`, `concat`, `replace`) look unlike `SELECT`/`UNION` so SQLi-keyword signatures never fire. WAFs that key on the literal stri |
low, line 103: External URL reference (Source: SKILL.md)
| 103 | Authorisation decorators applied to top-level entity sets; the engine joins along navigation properties without re-checking ACL on the joined entity. Same root cause as the 2021 PowerApps Portals 38M- |
low, line 152: External URL reference (Source: SKILL.md)
| 152 | **D. Swagger UI configUrl takeover.** Swagger UI loads its config from `?configUrl=`. If unsanitised, attacker hosts an evil OpenAPI spec, sends victim a link to the *legitimate* Swagger UI with `?con |
low, line 157: External URL reference (Source: SKILL.md)
| 157 | - **Swagger UI DOM XSS (3.14.1 → 3.38.0)** — outdated bundled DOMPurify + remote-spec-load → arbitrary JS in victim browser ([Vidoc Security Lab writeup](https://blog.vidocsecurity.com/blog/hacking-sw |
low, line 161: External URL reference (Source: SKILL.md)
| 161 | - **CloudSEK threat-intel (2024)** — actors abuse exposed `swagger-ui` to invoke a verified-business WhatsApp send-message endpoint, impersonating the company to its customers. 6,000+ exposed Swagger |
Scanned on Jun 6, 2026
GitHub Stars: 2.2K
Category: development
Updated: June 15, 2026
Tags: frontend, stripe, docx, git, api, database, testing, backend, security-engineer, backend-developer, data-analyst, development, data analytics
elementalsouls/Claude-BugHunter