API Discovery / Reco

Google Dorking

Google Dorks

inurl:"/wp-json/wp/v2/users"
intitle:"index.of" intext:"api.txt"
inurl:"/api/v1" intext:"index of /"
ext:php inurl:"api.php?action="
intitle:"index of" api_key OR "api key" OR apiKey -pool

Git Dorking

Git Dorks

filename:swagger.json
extension: .json

Search GitHub for your target organization’s name paired with potentially sensitive types of information, such as “api key,” "api keys", "apikey", "key", "authorization: Bearer", "access_token", "secret", or “token.”

TruffleHog

TruffleHog can also be used to search for secrets in other sources like Git, Gitlab, Amazon S3, filesystem, and Syslog.

 $ sudo docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=target-name

Wayback Machine

Finding and comparing historical snapshots of API documentation can simplify testing for Improper Assets Management.

Amass

$ amass enum -active -d target-name.com |grep api

Fuzzing

API Fuzzing ListsSquareSec - Cybersecurity Courses

payloads/api-fuzzing-lists.zip at main · 0xSs0rZ/payloadsGitHub

api-endpoints.txt: https://gist.github.com/spenkk/af31fd6c4ebeaa15cf6996826109334a

ffuf -u https://api.example.com/FUZZ -w api-endpoints.txt -t 50

GitHub - chrislockard/api_wordlist: A wordlist of API names for web application assessmentsGitHub

Documentation

Swagger/openAPI found - Check REST API part

Hacking-APIs/api_docs_path at main · hAPI-hacker/Hacking-APIsGitHub

/api
/swagger/index.html
/openapi.json

# REST API Documentation Paths

/api-docs
/docs
/swagger
/swagger-ui
/openapi
/api-explorer
/documentation
/help
/api/v1/docs
/api/docs
/api/swagger.json
/api/openapi.json
/api/swagger-ui.html
/v1/docs
/api/v2/docs
/swagger.yaml
/openapi.yaml
/api.json
/openapi.json
/api/v3/docs
/developer/api-docs
/test.yaml
/test.json
/test.pdf

# API Developer Portals

/developers
/developer
/api/developer
/developer/docs
/api/developers
/api/guide
/dev/api-docs
/developer-guide
/api/v1/reference
/reference

# GraphQL API Documentation Paths

/graphql
/api/graphql
/graphql-docs
/graphiql
/playground
/graphql-explorer
/v1/graphql
/api/v2/graphql
/graphql/schema
/graphql/docs

# Alternative API Documentation Paths

/redoc
/api/redoc
/redoc-ui
/apidocs
/api-help
/api/manual
/rest-api-docs
/developer/documentation
/explorer
/api/ui

Docs - subdomains

Hacking-APIs/docs_subdomain at main · hAPI-hacker/Hacking-APIsGitHub

# Subdomains

https://docs.example.com
https://dev.example.com/docs
https://developer.example.com/docs
https://api.example.com/docs
https://example.com/developers/documentation

API Subdomains

Hacking-APIs/Wordlists/subdomains_api at main · hAPI-hacker/Hacking-APIsGitHub

API endpoints

Hacking-APIs/Wordlists/api_superlist at main · hAPI-hacker/Hacking-APIsGitHub

SecLists/Discovery/Web-Content/common-api-endpoints-mazen160.txt at master · danielmiessler/SecListsGitHub

Bug-Bounty-Wordlists/api.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

SecLists/Discovery/Web-Content/api/api-endpoints.txt at master · danielmiessler/SecListsGitHub

Known API

https://raw.githubusercontent.com/coffinxp/payloads/refs/heads/main/api.txtraw.githubusercontent.com

Index of /data/automated/wordlists-cdn.assetnote.io

API Detector

GitHub - brinhosa/apidetector: APIDetector: Efficiently scan for exposed Swagger endpoints across web domains and subdomains. Supports HTTP/HTTPS, multi-threading, and flexible input/output options. Ideal for API security testing.GitHub

Kiterunner

GitHub - assetnote/kiterunner: Contextual Content Discovery ToolGitHub

$ kr scan HTTP://target.com -w ~/api/wordlists/data/kiterunner/routes-large.kite

# With a wordlist
$ kr brute <target> -w ~/api/wordlists/data/automated/nameofwordlist.txt

Run with authorization header

$ kr scan http://192.168.50.35:8090 -w ~/api/wordlists/data/kiterunner/routes-large.kite -H
'x-access-token: eyJhb<-SNIP->zFk'
This scan will result in identifying the following endpoints:
GET 200 [ 217, 1, 1] http://192.168.50.35:8090/api/user/info
GET 200 [ 101471, 1871, 1] http://192.168.50.35:8090/api/pictures/
GET 200 [ 217, 1, 1] http://192.168.50.35:8090/api/user/info/
GET 200 [ 101471, 1871, 1] http://192.168.50.35:8090/api/pictures

KiteRunner - Hacker Tools: Next-level API hacking 👩‍💻Intigriti

API Discovery with Kiterunner - TCM SecurityTCM Security - Penetration Testing & Consulting

GraphQL endpoint

GitHub - Escape-Technologies/graphinder: 🕸️ Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce. 🕸️GitHub

Detect the Programming Language

How to detect the programming language an API usesDana Epp's Blog

Header X-Powered-By:

• PHP/x.x.x – the API is written in PHP

• ASP.NET – the API is written in C#

• Express – this API is written in NodeJS

• Next.js – this API is written in NodeJS for use with the React framework

• PleskLin – this API was written in PHP

Other headers:

• Server – this header will occasionally contain information about the server software being used. For example, Microsoft-IIS/x.x or nginx.

• X-AspNet-Version – this header will be present if the API is written in ASP.NET and can help you determine which version is being used.

• X-AspNetMvc-Version – this header is present when an API is written in ASP.NET MVC.

• Set-Cookie – while it’s not a guarantee, some languages have distinct cookie patterns that may give away what technology is in use. For example, ASP.NET_SessionId, JSESSIONID or PHPSESSID

• X-Runtime – this header is often used in Ruby on Rails applications and can give you a good indication that the API is written in Ruby.

Generate verbose errors, stack trace

Finding hidden parameters

Fuzzing

Refer to API Endpoints and check Web Enumeration - Parameter Fuzzing (Arjun, etc.)

$ python3 /opt/Arjun/arjun.py -u http://target_address.com
$ python3 /opt/Arjun/arjun.py -i burp_targets.txt

Burp - Param Miner

Param Minerportswigger.net

Burp - Content Discovery Tool

Run it on /

Content discovery - PortSwiggerBurp_Suite

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Hacking APIs: Breaking Web Application Programming Interfaces A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.

• Black Hat GraphQL: Attacking Next Generation APIs This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.