fuzzing-apis

Name: fuzzing-apis - Agent Skill
Rating: 5.0 (1046 reviews)
Author: jeremylongshore

1,046

MIT

Configure perform API fuzzing to discover edge cases, crashes, and security vulnerabilities. Use when performing specialized testing. Trigger with phrases like "fuzz the API", "run fuzzing tests", or "discover edge cases".

Download Folder View on GitHub

CLI Install

Recommended

Use the skills CLI to install this skill with one command. Auto-detects all installed AI assistants.

Method 1 - skills CLI

npx skills i jeremylongshore/claude-code-plugins-plus-skills/plugins/testing/api-fuzzer/skills/fuzzing-apis

Method 2 - openskills (supports sync & update)

npx openskills install jeremylongshore/claude-code-plugins-plus-skills

Auto-detects Claude Code, Cursor, Codex CLI, Gemini CLI, and more. One install, works everywhere.

Installation Path

Download and extract to one of the following locations:

~/.claude/skills/fuzzing-apis/

SKILL.md

assets

references

scripts

Skill Instructions

Back

Run with Cloud Agent

No setup needed. Let our cloud agents run this skill for you.

Select Provider

Select Model

Claude Sonnet 4.5

$0.20/task

Best for coding tasks

Environment setup included

API Fuzzer

Overview

Perform API fuzzing to discover crashes, unhandled exceptions, security vulnerabilities, and edge case failures by sending malformed, unexpected, and boundary-value inputs to API endpoints. Supports RESTler (stateful REST API fuzzing), Schemathesis (OpenAPI-driven property-based testing), custom fuzz harnesses with fast-check, and OWASP ZAP active scanning.

Prerequisites

API specification available (OpenAPI/Swagger, GraphQL SDL, or Protobuf definitions)
Target API running in a test environment (never fuzz production)
Fuzzing tool installed (Schemathesis, RESTler, or custom harness with fast-check/Hypothesis)
API authentication credentials for protected endpoints
Error logging enabled on the target server to capture crashes and stack traces

Instructions

Parse the API specification to identify all endpoints, methods, and input schemas:
- Read OpenAPI spec files using Glob (**/openapi.yaml, **/swagger.json).
- Catalog each endpoint's parameters (path, query, header, body) and their types.
- Note validation constraints (min/max, pattern, enum, required fields).
Configure the fuzzing strategy:
- Schema-based: Generate inputs that violate schema constraints (wrong types, missing fields, extra fields).
- Mutation-based: Start with valid requests and mutate individual fields (bit flips, boundary values, special characters).
- Dictionary-based: Use known problematic inputs (SQL injection, XSS payloads, format strings, null bytes).
Define fuzz input categories for each parameter type:
- Strings: Empty, very long (10K+ chars), unicode, null bytes, format strings (%s%n), path traversal (../../etc/passwd).
- Numbers: 0, -1, MAX_INT, MIN_INT, NaN, Infinity, floats where ints expected.
- Arrays: Empty, single element, thousands of elements, nested arrays, mixed types.
- Objects: Empty, missing required fields, extra unknown fields, deeply nested (100+ levels).
- Dates: Invalid formats, epoch zero, far future, negative timestamps.
Execute the fuzzing campaign:
- Run Schemathesis: schemathesis run http://localhost:3000/openapi.json --stateful=links.
- Or run RESTler: restler-fuzzer fuzz --grammar_file grammar.py.
- Or write custom fuzz tests with fast-check/Hypothesis for targeted endpoints.
- Set a time budget (30-60 minutes for initial run).
Analyze findings:
- 5xx responses: Unhandled server errors -- file as bugs.
- Crashes/hangs: Application process terminated or stopped responding.
- Resource exhaustion: Memory/CPU spike from malicious payloads.
- Information disclosure: Stack traces, internal paths, or credentials in error responses.
For each finding, create a minimal reproducer (smallest input that triggers the issue).
Write regression tests for confirmed bugs to prevent reintroduction.

Output

Fuzz campaign report with discovered issues sorted by severity
Minimal reproducer for each finding (curl command or test case)
Categorized findings: crashes, unhandled errors, security issues, validation gaps
Regression test file with one test per confirmed bug
Coverage metrics showing which endpoints and parameters were fuzzed

Error Handling

Error	Cause	Solution
Fuzzer cannot parse API spec	Invalid or incomplete OpenAPI specification	Validate the spec with `swagger-cli validate`; fix schema errors before fuzzing
All requests return 401	Authentication not configured in fuzzer	Provide auth headers via `--set-header "Authorization: Bearer TOKEN"` or config file
Server crashes during fuzzing	Unhandled exception or resource exhaustion	Restart the server with a process manager; enable crash dump collection; add OOM killer threshold
Too many false positives (500 errors)	Application returns 500 for expected validation errors	Filter known error patterns; configure the fuzzer to ignore specific response bodies
Fuzzer generates unrealistic inputs	Schema-based generation produces impossible combinations

Examples

Schemathesis OpenAPI fuzzing:

# Basic schema-based fuzzing
schemathesis run http://localhost:3000/api/openapi.json \  # 3000: 3 seconds in ms
  --stateful=links \
  --hypothesis-max-examples=500 \  # HTTP 500 Internal Server Error
  --base-url=http://localhost:3000 \  # 3 seconds in ms
  --header "Authorization: Bearer $TEST_TOKEN"
 
# With specific checks
schemathesis run http://localhost:3000/api/openapi.json \  # 3 seconds in ms

fast-check property-based API test:

import fc from 'fast-check';
import request from 'supertest';
import { app } from '../src/app';
 
test('POST /api/users handles arbitrary input without crashing', async () => {
  await fc.assert(
    fc.asyncProperty

Custom fuzz dictionary for injection testing:

[
  "' OR '1'='1",
  "<script>alert(1)</script>",
  "${7*7}",
  "{{7*7}}",
  "../../../etc/passwd",
  "\u0000",
  "A".repeat(100000)  # 100000 = configured value
]

Resources

Schemathesis: https://schemathesis.readthedocs.io/
RESTler (Microsoft): https://github.com/microsoft/restler-fuzzer
fast-check (property-based testing): https://fast-check.dev/
Hypothesis (Python): https://hypothesis.readthedocs.io/
OWASP Fuzzing: https://owasp.org/www-community/Fuzzing