API Discovery / Reco
Search GitHub for your target organization's name paired with potentially sensitive types of information, such as "api key", "api keys", "apikey", "key", "authorization: Bearer", "access_token", "secret", or "token".
TruffleHog can also be used to search for secrets in other sources like Git, Gitlab, Amazon S3, filesystem, and Syslog.
Finding and comparing historical snapshots of API documentation can simplify testing for Improper Assets Management.
Run with authorization header
Header X-Powered-By:
PHP/x.x.x – the API is written in PHP
ASP.NET – the API is written in C#
Express – this API is written in NodeJS
Next.js – this API is written in NodeJS for use with the React framework
PleskLin – this API is written in PHP
Other headers:
Server – this header will occasionally contain information about the server software being used. For example, Microsoft-IIS/x.x or nginx.
X-AspNet-Version – this header will be present if the API is written in ASP.NET and can help you determine which version is being used.
X-AspNetMvc-Version – this header is present when an API is written in ASP.NET MVC.
Set-Cookie – while it's not a guarantee, some languages have distinct cookie patterns that may give away what technology is in use. For example, ASP.NET_SessionId, JSESSIONID or PHPSESSID.
X-Runtime – this header is often used in Ruby on Rails applications and can give you a good indication that the API is written in Ruby.
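The header-to-technology hints above, applied by a small script that is added here as an example and is not part of the original notes; it is also a quick way to audit which of your own API responses leak stack details. The sample responses are constructed, not captured from any real host.

```python
"""Infer an API's technology stack from response headers (constructed example)."""
import re

# Constructed sample header sets; not captured from any real host.
SAMPLE_RESPONSES = {
    "php-nginx": {
        "Server": "nginx",
        "X-Powered-By": "PHP/8.1.2",
        "Set-Cookie": "PHPSESSID=abc123; Path=/; HttpOnly",
    },
    "aspnet-iis": {
        "Server": "Microsoft-IIS/10.0",
        "X-Powered-By": "ASP.NET",
        "X-AspNet-Version": "4.0.30319",
        "X-AspNetMvc-Version": "5.2",
        "Set-Cookie": "ASP.NET_SessionId=xyz; path=/; HttpOnly",
    },
    "rails": {"X-Runtime": "0.012345", "Set-Cookie": "_app_session=s3; HttpOnly"},
}

# X-Powered-By rules from the notes: (regex, language, framework or None)
POWERED_BY = [
    (r"^PHP/", "PHP", None),
    (r"^ASP\.NET", "C#", "ASP.NET"),
    (r"^Express", "NodeJS", "Express"),
    (r"^Next\.js", "NodeJS", "Next.js/React"),
    (r"^PleskLin", "PHP", None),
]
# Session cookie names that give away the platform.
COOKIE_HINTS = {"ASP.NET_SessionId": "ASP.NET", "JSESSIONID": "Java", "PHPSESSID": "PHP"}


def fingerprint(headers):
    """Return sorted lists of language/framework/server/version hints (empty if none)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    out = {"language": set(), "framework": set(), "server": set(), "versions": set()}
    powered = h.get("x-powered-by", "")
    for pat, lang, fw in POWERED_BY:
        if re.match(pat, powered):
            out["language"].add(lang)
            if fw:
                out["framework"].add(fw)
    if "/" in powered:  # e.g. PHP/8.1.2 carries a version
        out["versions"].add(powered)
    if "server" in h:
        out["server"].add(h["server"])
    if "x-aspnet-version" in h:
        out["framework"].add("ASP.NET")
        out["versions"].add("ASP.NET " + h["x-aspnet-version"])
    if "x-aspnetmvc-version" in h:
        out["framework"].add("ASP.NET MVC")
        out["versions"].add("ASP.NET MVC " + h["x-aspnetmvc-version"])
    if "x-runtime" in h:  # typical of Ruby on Rails
        out["language"].add("Ruby")
        out["framework"].add("Ruby on Rails")
    for name, tech in COOKIE_HINTS.items():
        if name + "=" in h.get("set-cookie", ""):
            out["language" if tech in ("PHP", "Java") else "framework"].add(tech)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, fingerprint(hdrs))
```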
Generate verbose errors, stack trace
Run it on /
api-endpoints.txt:
Refer to and check - Parameter Fuzzing (Arjun, etc.)
A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.