Hunt API security misconfigurations
hunt-api-misconfig · skill · ★1,791
elementalsouls/Claude-BugHunter ↗

What it does
Exploit API mass-assignment, JWT, and prototype-pollution vulnerabilities
Best for
API security testing when parameter-binding and object-serialization flaws enable escalation.
Inputs
- API endpoint
- profile/account/reset endpoints
- JWT or JSON request body
Outputs
- mass-assignment payload (is_admin:true, role:admin)
- JWT attack vector (alg:none, key-confusion)
- prototype-pollution __proto__ injection
Requires
- Burp Intruder
- curl
- jwt-forge
Preconditions
API accepts JSON; no strict property allowlisting
Failure modes
Payloads trip request validation (4xx, schema errors) without achieving exploitation; server-side property filtering or allowlisting strips the injected fields before binding, and a verifier that pins the JWT algorithm rejects alg:none and key-confusion tokens
Trust signals
- 3 vulnerability classes (mass-assignment, JWT, prototype-pollution) in single skill
- Attack payloads with specific parameter names