REST and GraphQL API Pentest: Technical Checklist for Legal Bug Bounty
Hands-on methodology for testing REST and GraphQL APIs in authorized programs, focused on IDOR, authentication bypass and malicious introspection.
APIs have become the most lucrative surface in any serious bug bounty program, and also the most ignored by pentesters still chasing XSS in contact forms. An IDOR on /api/v3/users/{id}/invoices can pay three to eight thousand dollars on HackerOne, while a reflected XSS on a marketing page closes at 250 dollars. In this checklist the Basilisk OffSec team has compiled the exact flow we use in authorized engagements and in public programs like GitLab, Shopify and Reddit. Before anything else: read the scope, confirm the brand domain, and never touch endpoints outside the list. Everything here assumes written authorization.
The starting point is never opening Burp straight away; it is surface mapping. Pull the mobile app apart with apktool, extract the URL strings, and load them into Burp as a manual sitemap. Run ffuf with the api-endpoints-res.txt wordlist from SecLists against paths like /api/, /v1/, /internal/, /graphql, /gql and /query. The Wayback Machine, queried via gau and waybackurls, surfaces deprecated endpoints nobody patched. In a recent engagement we found a /api/v1/admin/export inherited from 2019 that accepted a regular user token, similar to what we describe in Web Pentesting From Scratch: Building a Safe Lab with DVWA, Juice Shop and Burp Suite. Document each endpoint with its method, expected content-type and required role before throwing any payload.
IDOR remains bug number one in REST APIs for a simple reason: developers trust the ID in the JWT but read the ID from the URL. Create two accounts on the target app, capture both sessions in Burp, and use the Autorize or Auth Analyzer extension to replay every request from account A with account B's cookie. Watch for 200 responses whose bodies differ between the two accounts, not just the status codes. UUIDs are not protection: enumerate them via search endpoints, CSV exports or notifications. Injection logic applies to APIs too, as we covered in SQL Injection in Practice: Exploiting, Detecting and Mitigating in a Controlled Lab, especially in sort, order and search filters that end up concatenated into SQL.
GraphQL changes the game. Start by probing introspection on /graphql with the query {__schema{types{name fields{name}}}}. If it is open in production, half the report is already written. Tools like InQL, GraphQL Voyager and clairvoyance reconstruct the schema via field stuffing even when introspection is disabled. Hunt for exposed mutations like adminUpdateUser, impersonate and exportAllData. Batch queries bypass rate limits: send 1000 login mutations in a single HTTP request. Alias overloading breaks naive validators. Unlike the cases in Modern XSS: DOM, Stored and Reflected With Real Examples in a Test Lab, the impact here is almost always logic-based rather than script injection.
Authentication bypass in this context goes beyond the classic none algorithm in JWT. Test jku and kid injection, the RS256-to-HS256 swap using the public key as the HMAC secret, and refresh tokens that never expire. Headers like X-Original-URL, X-Rewrite-URL, X-Forwarded-For and X-User-Id frequently bypass auth middleware when the API sits behind a misconfigured gateway. In GraphQL, verify that the @auth directive covers every field and that no nested resolver returns data without checks. SSRF also appears in APIs that accept a URL as a parameter for webhooks or avatars, a pattern detailed in SSRF Demystified: Exploiting Cloud Metadata in a Local AWS Lab with exploits against AWS IMDS.
Rate limiting, mass assignment and business logic close the checklist. For mass assignment, add fields like isAdmin:true, role:owner and verified:true to any PATCH or PUT. Frameworks like Rails and NestJS with incomplete parameter whitelists hand out admin on a plate. For race conditions on coupon or withdrawal endpoints, use Turbo Intruder with James Kettle's single-packet attack, firing 30 simultaneous requests. Document impact with the number of records exposed, the estimated financial value and a reproducible curl PoC. Programs pay for demonstrated impact, not for technique.
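To make the IDOR and mass-assignment points concrete from the fix side, here is an added example (not code from the original post or from any program's code base): a minimal PATCH /api/v3/users/{id} handler in its vulnerable form beside a hardened one. It assumes JWT signature verification already happened upstream, so claims is the verified token payload; the in-memory user table and the profile allowlist are constructed for the example.

```python
from __future__ import annotations

import copy

# Constructed in-memory user table standing in for the database.
_SEED_USERS = {
    "u-1001": {"id": "u-1001", "email": "alice@example.test", "role": "user", "isAdmin": False},
    "u-1002": {"id": "u-1002", "email": "bob@example.test", "role": "user", "isAdmin": False},
}

# Hypothetical allowlist: the only profile fields a regular user may change about themselves.
PROFILE_ALLOWLIST = frozenset({"email", "displayName"})


def fresh_users() -> dict:
    """Return an independent copy of the seed table so each request starts from a clean state."""
    return copy.deepcopy(_SEED_USERS)


def patch_user_vulnerable(users: dict, claims: dict, path_id: str, body: dict):
    """Reads the target id from the URL and merges the whole JSON body: IDOR plus mass assignment.

    `claims` is the verified JWT payload, but the handler never compares it to path_id.
    """
    user = users.get(path_id)
    if user is None:
        return 404, {"error": "not found"}
    user.update(body)  # any client-supplied key, including isAdmin or role, lands in the record
    return 200, user


def patch_user_hardened(users: dict, claims: dict, path_id: str, body: dict):
    """Authorizes against the token subject first, then applies only allowlisted fields."""
    # Ownership check before the lookup: the caller may only modify the resource its own
    # token names, and answering 403 for every foreign id avoids an existence oracle.
    if claims.get("sub") != path_id:
        return 403, {"error": "forbidden"}
    user = users.get(path_id)
    if user is None:
        return 404, {"error": "not found"}
    # Reject unknown keys instead of silently dropping them: a 400 on isAdmin is a clean
    # detection signal for probing, whereas a silent drop hides it from the logs.
    rejected = sorted(set(body) - PROFILE_ALLOWLIST)
    if rejected:
        return 400, {"error": "unknown fields", "fields": rejected}
    user.update(body)
    return 200, user


if __name__ == "__main__":
    bob = {"sub": "u-1002"}  # Bob's verified token claims, constructed
    print(patch_user_vulnerable(fresh_users(), bob, "u-1001", {"isAdmin": True}))  # Bob edits Alice
    print(patch_user_hardened(fresh_users(), bob, "u-1001", {"isAdmin": True}))    # 403
```

The same two calls are what the Autorize replay described above would issue with account B's token against account A's resource; the hardened handler is the one that should answer 403 on the second account.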
Practical takeaway: build a report template with a CWE-tagged title, numbered steps, the raw request, a truncated response and a one-line fix suggestion. Submit early, before duplicates land, but never without confirming scope. Legal bug bounty is discipline before creativity, and through that discipline Basilisk builds its reputation across programs like Mercado Livre and Nubank.