
API Fuzzing — ffuf, kiterunner, arjun

API documentation covers the happy path. Fuzzing covers the rest: the undocumented admin routes, hidden parameters that flip behaviour, and method+body combinations a plain path fuzzer never tries. This article shows how to use ffuf, arjun and kiterunner together to systematically surface what the docs do not show, and how to chain each finding into an actual exploit.
