Expert API Security Audit

Enterprise-grade agent for proactive, specialist API security audits. Includes structured workflows, validation checks, and reusable patterns for security.

Agent | Cliptics | security | v1.0.0 | MIT

Expert API Security Audit

Identify and remediate REST API vulnerabilities across authentication, authorization, injection, and data-exposure attack surfaces.

When to Use This Agent

Choose this agent when you need to:

  • Perform a security audit of REST or GraphQL endpoints before production release
  • Investigate authentication bypass, privilege escalation, or injection flaws in your service layer
  • Validate API implementation against OWASP API Security Top 10 and PCI DSS or HIPAA requirements

Consider alternatives when:

  • You need infrastructure-level network scanning rather than application-layer API review
  • Your primary concern is front-end browser security without an API component

Quick Start

Configuration

name: expert-api-security-audit
type: agent
category: security

Example Invocation

claude agent:invoke expert-api-security-audit "Audit /api/v2/payments for auth bypass and injection"

Example Output

API Security Audit - /api/v2/payments
Scope: 14 endpoints | Critical: 2 | High: 4 | Medium: 6

[CRITICAL] AUTH-001: JWT uses HS256 with 16-char static key
  Location: src/middleware/auth.js:42
  Fix: Rotate to RS256 with 2048-bit RSA pair, enforce 90-day rotation

[HIGH] AUTHZ-003: Missing object-level auth on GET /payments/:id
  Location: src/controllers/payments.js:87
  Fix: Add ownership check comparing req.user.id to payment.userId

Core Concepts

API Threat Landscape Overview

| Aspect | Details |
|---|---|
| Primary standard | OWASP API Security Top 10 (2023) covering BOLA, broken auth, excessive data exposure, mass assignment |
| Auth vectors | JWT algorithm confusion, token lifetime abuse, refresh-token hijacking, OAuth2 misconfiguration |
| Injection types | SQL, NoSQL operator injection, OS command injection, LDAP injection via unsanitized parameters |
| Data exposure | Verbose error responses leaking stack traces, unfiltered DB fields in payloads, PII in query strings |
| Rate limiting | Missing per-user throttling enabling credential stuffing, enumeration, and DoS |

Security Audit Architecture

+----------------+     +----------------+     +-----------------+
| Endpoint       | --> | Auth & AuthZ   | --> | Input           |
| Discovery      |     | Verification   |     | Validation      |
+----------------+     +----------------+     +-----------------+
        |                      |                       |
        v                      v                       v
+----------------+     +----------------+     +-----------------+
| Data Exposure  | --> | Business Logic | --> | Report          |
| Check          |     | Flaw Analysis  |     | Generation      |
+----------------+     +----------------+     +-----------------+

Configuration

| Parameter | Type | Default | Description |
|---|---|---|---|
| target_base_url | string | - | Base URL of the API under test |
| auth_token | string | - | Bearer token for standard-privilege authentication |
| scan_depth | enum | standard | Analysis level: quick, standard, or deep (includes fuzzing) |
| owasp_profile | string | api-top-10-2023 | OWASP ruleset version to validate against |
| ignore_paths | list | [] | Endpoint path patterns to exclude from scope |

Best Practices

  1. Test with multiple privilege levels - Supply tokens for unauthenticated, regular, and admin roles to detect horizontal and vertical privilege escalation across access tiers.

  2. Scope endpoints explicitly - Define specific path prefixes and HTTP methods rather than scanning an entire domain to reduce noise and accelerate audit time.

  3. Validate fixes with regression runs - Re-invoke the agent targeting the same endpoint after remediation to confirm the fix and detect newly introduced issues.

  4. Correlate findings with data classification - Map each finding to data sensitivity (PII, financial, health) so the most damaging vulnerabilities receive attention first.

  5. Integrate into CI/CD gating - Schedule audits as PR checks on authentication and payment routes, blocking merges on critical findings.
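
The AUTHZ-003 fix from the example output, checked against one caller per privilege tier as best practice 1 recommends. This is an added example, not the agent's or the audited project's code: the handlers are simplified to plain functions that return a status, and the in-memory store, the admin read exception, and the choice of 404 for foreign objects are assumptions.

```javascript
// Constructed sample data: two payments owned by different users.
const payments = new Map([
  ["p1", { id: "p1", userId: "alice", amount: 120 }],
  ["p2", { id: "p2", userId: "bob", amount: 75 }],
]);

// 'Before' handler: any authenticated caller can read any payment (BOLA).
function getPaymentVulnerable(req) {
  if (!req.user) return { status: 401 };
  const payment = payments.get(req.params.id);
  return payment ? { status: 200, body: payment } : { status: 404 };
}

// 'After' handler: ownership check comparing req.user.id to payment.userId.
// Assumption: admins may read any payment. A foreign object answers 404,
// the same as a missing one, so responses do not confirm which IDs exist.
function getPaymentFixed(req) {
  if (!req.user) return { status: 401 };
  const payment = payments.get(req.params.id);
  const allowed = payment &&
    (payment.userId === req.user.id || req.user.role === "admin");
  return allowed ? { status: 200, body: payment } : { status: 404 };
}

// One caller per privilege tier, each requesting alice's payment p1,
// with the status the access policy says that tier should receive.
const matrix = [
  { name: "unauthenticated", user: null, expect: 401 },
  { name: "owner", user: { id: "alice", role: "user" }, expect: 200 },
  { name: "other user", user: { id: "bob", role: "user" }, expect: 404 },
  { name: "admin", user: { id: "root", role: "admin" }, expect: 200 },
];

// Returns the tiers whose response status deviates from the policy.
function auditHandler(handler, id = "p1") {
  return matrix
    .map((c) => ({ ...c, got: handler({ user: c.user, params: { id } }).status }))
    .filter((c) => c.got !== c.expect)
    .map((c) => `${c.name}: expected ${c.expect}, got ${c.got}`);
}

console.log(auditHandler(getPaymentVulnerable)); // [ 'other user: expected 404, got 200' ]
console.log(auditHandler(getPaymentFixed));      // []
```

Running the same matrix after remediation doubles as the regression run from best practice 3: an empty result means every tier received the status the policy expects.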

Common Issues

  1. False positives on rate-limited endpoints - Endpoints behind a WAF may appear vulnerable when the gateway handles throttling. Verify gateway configuration separately.

  2. JWT validation passes despite weak secret - The agent may not flag weak HMAC secrets if token format is valid. Pair scanning with manual secret-strength checks.

  3. Incomplete endpoint discovery - Dynamic routes or undocumented APIs can be missed. Supplement with OpenAPI spec import or route-table dump.
