Module 09 — API Fuzzing & External Tool Integration¶
Icon: Command Line | Colour: Gray
Overview¶
Performs directory brute-forcing, HTTP method testing, content-type fuzzing (including XXE), and integrates with external security tools like Nikto and Nuclei.
How It Works¶
- HTTP method testing — sends `TRACE`, `DEBUG`, `TRACK`, and `CONNECT` requests to find dangerous methods the server has left enabled.
- XXE injection — sends seven content-type variations carrying XML External Entity payloads to detect XXE vulnerabilities.
- Directory brute-forcing — uses `gobuster`, `dirb`, or `feroxbuster` (whichever is available) to discover hidden directories and files.
- Nikto scan — runs Nikto (5-minute timeout) to detect known web server vulnerabilities.
- Nuclei scan — runs Nuclei templates at all severity levels to detect known CVEs and misconfigurations.
Expected Findings¶
| Finding | Severity |
|---|---|
| XXE injection | Critical |
| Nuclei critical / high finding | Critical |
| Nikto RCE / backdoor | Critical |
| HTTP TRACE enabled | Medium |
| Dangerous HTTP methods enabled | Medium |
| Sensitive directories found | Medium |
Related CWEs¶
- CWE-611: Improper Restriction of XML External Entity Reference (XXE)
- CWE-693: Protection Mechanism Failure
- CWE-749: Exposed Dangerous Method or Function
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Note
The availability of external tools (Nikto, Nuclei, gobuster) depends on the platform configuration. Findings from these tools are integrated directly into the scan results alongside findings from built-in modules.
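How an external tool's results can be folded into the scan results alongside built-in findings, as an added example for this page and not the platform's own integration code. The Nuclei output below is constructed to match the fields Nuclei writes in its JSON-lines mode (`template-id`, `info.name`, `info.severity`, `matched-at`); the template ids and host are placeholders. Collapsing Nuclei's `critical` and `high` into one Critical bucket follows the Expected Findings table above, but how the platform itself performs that mapping is assumed.

```python
"""Normalise Nuclei JSON-lines output into this module's finding schema (added example).

Not the platform's code. Sample output is constructed; template ids and host are
placeholders. Nuclei writes one JSON object per result with -jsonl (v3; -json in v2):
    nuclei -u https://target.example -severity critical,high,medium,low,info -jsonl -o nuclei.jsonl
A Nikto run would be bounded the same way the module describes, e.g. `timeout 300 nikto -h <host>`.
"""
import json

# Nuclei severity -> module severity; critical and high collapse per the findings table (assumed).
SEVERITY_MAP = {
    "critical": "Critical",
    "high": "Critical",
    "medium": "Medium",
    "low": "Low",
    "info": "Info",
}

# Constructed sample: result lines plus the kind of non-JSON progress output that must not abort parsing.
SAMPLE_NUCLEI_JSONL = """\
{"template-id":"example-missing-headers","info":{"name":"Example Missing Security Headers","severity":"info"},"matched-at":"https://target.example/"}
[INF] Templates loaded for current scan: 5000
{"template-id":"example-path-traversal","info":{"name":"Example Path Traversal","severity":"critical"},"matched-at":"https://target.example/cgi-bin/"}
{"template-id":"example-path-traversal","info":{"name":"Example Path Traversal","severity":"critical"},"matched-at":"https://target.example/cgi-bin/"}
{"template-id":"example-git-config","info":{"name":"Example Exposed .git/config","severity":"medium"},"matched-at":"https://target.example/.git/config"}
"""


def parse_nuclei_jsonl(text):
    """Turn Nuclei JSON-lines output into finding dicts, skipping anything that is not a result."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("{"):
            continue  # banner or progress line, not a result object
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved line; never let it kill the import
        info = rec.get("info") or {}
        severity = str(info.get("severity", "unknown")).lower()
        findings.append({
            "source": "nuclei",
            "template": rec.get("template-id", "unknown"),
            "title": info.get("name") or rec.get("template-id", "unknown"),
            "severity": SEVERITY_MAP.get(severity, "Info"),  # unknown levels fall to Info, never to Critical
            "url": rec.get("matched-at", ""),
        })
    return findings


def dedupe(findings):
    """Drop repeats of the same source/template/URL, keeping first-seen order."""
    seen, unique = set(), []
    for finding in findings:
        key = (finding["source"], finding["template"], finding["url"])
        if key not in seen:
            seen.add(key)
            unique.append(finding)
    return unique


def merge(builtin_findings, external_findings):
    """Combine built-in module findings with tool findings, most severe first (stable within a level)."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}
    combined = dedupe(list(builtin_findings) + list(external_findings))
    return sorted(combined, key=lambda f: order.get(f["severity"], 5))


if __name__ == "__main__":
    # A built-in finding of the shape this module produces, constructed for the demo.
    builtin = [{"source": "builtin", "template": "http-trace", "title": "HTTP TRACE enabled",
                "severity": "Medium", "url": "https://target.example/"}]
    for finding in merge(builtin, parse_nuclei_jsonl(SAMPLE_NUCLEI_JSONL)):
        print(f"[{finding['severity']}] {finding['source']}: {finding['title']} ({finding['url']})")
```

Unknown severity strings map to Info rather than being guessed upwards, and duplicate hits on the same template and URL are collapsed so a single misconfiguration does not inflate the Critical count.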