# API Discovery / Reco

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## Google Dorking

{% content-ref url="/pages/yJvJ17kdWiGpCtDCxAZF" %}
[Google Dorks](/0xss0rz/pentest/recon/google-dorks.md)
{% endcontent-ref %}

```
inurl:"/wp-json/wp/v2/users"
intitle:"index.of" intext:"api.txt"
inurl:"/api/v1" intext:"index of /"
ext:php inurl:"api.php?action="
intitle:"index of" api_key OR "api key" OR apiKey -pool
```

## Git Dorking

{% content-ref url="/pages/95nUQeqLUcsKohhdLBbX" %}
[Git Dorks](/0xss0rz/pentest/recon/git-dorks.md)
{% endcontent-ref %}

```
filename:swagger.json
extension:json
```

Search GitHub for your target organization’s name paired with potentially sensitive types of information, such as “api key,” "api keys", "apikey", "key", "authorization: Bearer", "access\_token", "secret", or “token.”

### TruffleHog

{% hint style="success" %}
*TruffleHog can also be used to search for secrets in other sources like Git, Gitlab, Amazon S3, filesystem, and Syslog.*
{% endhint %}

```
$ sudo docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=target-name
```

## Wayback Machine

Finding and comparing historical snapshots of API documentation can simplify testing for Improper Assets Management.
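As an added example (not code from the original page), the following Python script does the comparison described above offline: it takes two saved OpenAPI/Swagger documents, such as a Wayback Machine snapshot and the current spec, and lists the operations that were documented before but are not any more. Those are the candidates for Improper Assets Management, since an endpoint that vanished from the docs may still be served. `OLD_SPEC` and `NEW_SPEC` are constructed sample documents; `load_spec()` reads real JSON files.

```python
"""Diff two OpenAPI/Swagger documents and list operations that dropped out
of the documentation.  Comparing a historical snapshot (e.g. from the
Wayback Machine) with the current spec flags endpoints that may still be
served although they are no longer documented.

Added example, not code from the original page.  OLD_SPEC and NEW_SPEC are
constructed sample documents; load_spec() reads real JSON files.
"""
import json
from typing import Dict, List, Set, Tuple

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
Operation = Tuple[str, str]  # (METHOD, path)

# Constructed sample: the old snapshot still documents a v1 API and an admin export.
OLD_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/v1/users": {"get": {}, "post": {}},
        "/v1/users/{id}": {"get": {}, "delete": {}},
        "/v1/admin/export": {"get": {}},
        "/v2/users": {"get": {}},
    },
}
# Constructed sample: the current spec only documents v2.
NEW_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/v2/users": {"get": {}, "post": {}},
        "/v2/users/{id}": {"get": {}},
    },
}


def load_spec(filename: str) -> dict:
    """Read an OpenAPI/Swagger document saved as JSON."""
    with open(filename, encoding="utf-8") as fh:
        return json.load(fh)


def operations(spec: dict) -> Set[Operation]:
    """Return every documented (METHOD, path) pair.  Swagger 2 and OpenAPI 3
    both keep operations under spec["paths"][path][method]."""
    ops: Set[Operation] = set()
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for key in item:
            if key.lower() in HTTP_METHODS:
                ops.add((key.upper(), path))
    return ops


def diff_specs(old: dict, new: dict) -> Dict[str, Set[Operation]]:
    """Split operations into removed (documented before, not now), added and kept."""
    old_ops, new_ops = operations(old), operations(new)
    return {
        "removed": old_ops - new_ops,
        "added": new_ops - old_ops,
        "kept": old_ops & new_ops,
    }


def group_by_prefix(ops: Set[Operation]) -> Dict[str, Set[Operation]]:
    """Group operations by their first path segment (usually the API version),
    so a whole undocumented version such as /v1 stands out at once."""
    groups: Dict[str, Set[Operation]] = {}
    for method, path in ops:
        stripped = path.strip("/")
        prefix = "/" + stripped.split("/", 1)[0] if stripped else "/"
        groups.setdefault(prefix, set()).add((method, path))
    return groups


def report(old: dict, new: dict) -> List[str]:
    """Human-readable summary.  The removed operations are the ones to re-test
    against the live service, because the docs no longer admit they exist."""
    diff = diff_specs(old, new)
    lines = [f"kept: {len(diff['kept'])}, added: {len(diff['added'])}, removed: {len(diff['removed'])}"]
    for prefix, ops in sorted(group_by_prefix(diff["removed"]).items()):
        lines.append(f"undocumented under {prefix}: {len(ops)} operation(s)")
        for method, path in sorted(ops):
            lines.append(f"  {method} {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(OLD_SPEC, NEW_SPEC)))
```

Run on the two constructed specs it reports one kept, two added and five removed operations, all five under `/v1`. Point `load_spec()` at a downloaded snapshot and the live `openapi.json` to do the same for a real target; the grouping by first path segment is what makes an entire forgotten API version visible in one line.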

## Amass

```
$ amass enum -active -d target-name.com | grep api
```

## Fuzzing

{% embed url="<https://www.sqrsec.com/api-fuzzing-lists>" %}

{% embed url="<https://github.com/0xSs0rZ/payloads/blob/main/api-fuzzing-lists.zip>" %}

api-endpoints.txt: <https://gist.github.com/spenkk/af31fd6c4ebeaa15cf6996826109334a>

```
ffuf -u https://api.example.com/FUZZ -w api-endpoints.txt -t 50
```

{% embed url="<https://github.com/chrislockard/api_wordlist/tree/master>" %}

### Documentation

{% hint style="success" %}
*If Swagger/OpenAPI documentation is found, continue with the* [*REST API*](/0xss0rz/pentest/api/rest-api.md) *page.*
{% endhint %}

{% embed url="<https://github.com/hAPI-hacker/Hacking-APIs/blob/main/api_docs_path>" %}

```
/api
/swagger/index.html
/openapi.json

# REST API Documentation Paths

/api-docs
/docs
/swagger
/swagger-ui
/openapi
/api-explorer
/documentation
/help
/api/v1/docs
/api/docs
/api/swagger.json
/api/openapi.json
/api/swagger-ui.html
/v1/docs
/api/v2/docs
/swagger.yaml
/openapi.yaml
/api.json
/openapi.json
/api/v3/docs
/developer/api-docs
/test.yaml
/test.json
/test.pdf

# API Developer Portals

/developers
/developer
/api/developer
/developer/docs
/api/developers
/api/guide
/dev/api-docs
/developer-guide
/api/v1/reference
/reference

# GraphQL API Documentation Paths

/graphql
/api/graphql
/graphql-docs
/graphiql
/playground
/graphql-explorer
/v1/graphql
/api/v2/graphql
/graphql/schema
/graphql/docs

# Alternative API Documentation Paths

/redoc
/api/redoc
/redoc-ui
/apidocs
/api-help
/api/manual
/rest-api-docs
/developer/documentation
/explorer
/api/ui
```

### Docs - subdomains

{% embed url="<https://github.com/hAPI-hacker/Hacking-APIs/blob/main/docs_subdomain>" %}

```
# Subdomains

https://docs.example.com
https://dev.example.com/docs
https://developer.example.com/docs
https://api.example.com/docs
https://example.com/developers/documentation
```

### API Subdomains

{% embed url="<https://github.com/hAPI-hacker/Hacking-APIs/blob/main/Wordlists/subdomains_api>" %}

### API endpoints

{% embed url="<https://github.com/hAPI-hacker/Hacking-APIs/blob/main/Wordlists/api_superlist>" %}

{% embed url="<https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common-api-endpoints-mazen160.txt>" %}

{% embed url="<https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/api.txt>" %}

{% embed url="<https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/api/api-endpoints.txt>" %}

### Known API

{% embed url="<https://raw.githubusercontent.com/coffinxp/payloads/refs/heads/main/api.txt>" %}

{% embed url="<https://wordlists-cdn.assetnote.io/data/automated/>" %}

### API Detector

{% embed url="<https://github.com/brinhosa/apidetector>" %}

### Kiterunner

{% embed url="<https://github.com/assetnote/kiterunner>" %}

```
$ kr scan http://target.com -w ~/api/wordlists/data/kiterunner/routes-large.kite

# With a plain wordlist instead of a .kite file
$ kr brute <target> -w ~/api/wordlists/data/automated/nameofwordlist.txt
```

Run with an authorization header so that endpoints which only answer authenticated requests are discovered as well:

```
$ kr scan http://192.168.50.35:8090 -w ~/api/wordlists/data/kiterunner/routes-large.kite -H 'x-access-token: eyJhb<-SNIP->zFk'
```

This scan identifies the following endpoints:

```
GET 200 [ 217, 1, 1] http://192.168.50.35:8090/api/user/info
GET 200 [ 101471, 1871, 1] http://192.168.50.35:8090/api/pictures/
GET 200 [ 217, 1, 1] http://192.168.50.35:8090/api/user/info/
GET 200 [ 101471, 1871, 1] http://192.168.50.35:8090/api/pictures
```
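The output above lists the same route twice, once with and once without a trailing slash. As an added example (not code from the original page or from the kiterunner project), the following Python script parses result lines in that format into structured records, collapses the trailing-slash duplicates and counts unique endpoints per status code. `SAMPLE_OUTPUT` is constructed from the four lines shown above plus one extra line; treating the three bracketed numbers as response length, word count and line count is an assumption about kiterunner's output format.

```python
"""Parse kiterunner-style result lines, collapse trailing-slash duplicates and
summarize unique endpoints per status code.

Added example, not code from the original page or the kiterunner project.
SAMPLE_OUTPUT is constructed; reading the bracketed numbers as
[length, words, lines] is an assumption about the tool's output format.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<status>\d{3})\s+"
    r"\[\s*(?P<length>\d+),\s*(?P<words>\d+),\s*(?P<lines>\d+)\s*\]\s+"
    r"(?P<url>\S+)\s*$"
)

# Constructed sample: the four lines from the page plus one extra 401 hit.
SAMPLE_OUTPUT = """\
GET 200 [ 217, 1, 1] http://192.168.50.35:8090/api/user/info
GET 200 [ 101471, 1871, 1] http://192.168.50.35:8090/api/pictures/
GET 200 [ 217, 1, 1] http://192.168.50.35:8090/api/user/info/
GET 200 [ 101471, 1871, 1] http://192.168.50.35:8090/api/pictures
POST 401 [ 32, 3, 1] http://192.168.50.35:8090/api/admin/users
"""


class Hit(NamedTuple):
    method: str
    status: int
    length: int
    url: str


def parse_output(text: str) -> List[Hit]:
    """Turn each result line into a Hit; lines that do not match (banners,
    progress output) are skipped rather than raising."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(Hit(m["method"], int(m["status"]), int(m["length"]), m["url"]))
    return hits


def normalize_url(url: str) -> str:
    """Drop a trailing slash so both spellings of one route compare equal."""
    return url.rstrip("/")


def dedupe(hits: List[Hit]) -> List[Hit]:
    """Keep one hit per (method, normalized URL), preferring the shorter spelling."""
    best: Dict[Tuple[str, str], Hit] = {}
    for hit in hits:
        key = (hit.method, normalize_url(hit.url))
        current = best.get(key)
        if current is None or len(hit.url) < len(current.url):
            best[key] = hit
    return sorted(best.values(), key=lambda h: (h.url, h.method))


def summarize(hits: List[Hit]) -> Dict[int, int]:
    """Unique endpoints per status code.  401/403 hits are routes that exist
    but need credentials, so they deserve as much attention as the 200s."""
    counts: Dict[int, int] = {}
    for hit in dedupe(hits):
        counts[hit.status] = counts.get(hit.status, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in dedupe(parse_output(SAMPLE_OUTPUT)):
        print(f"{hit.method:5} {hit.status} {hit.length:>7} {hit.url}")
    print(summarize(parse_output(SAMPLE_OUTPUT)))
```

On the constructed sample the five lines collapse to three unique endpoints (two with status 200, one with 401). Feed it the saved stdout of a real scan to get a clean list to work from.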

{% embed url="<https://blog.intigriti.com/hacking-tools/hacker-tools-kiterunner>" %}

{% embed url="<https://tcm-sec.com/kiterunner/>" %}

### GraphQL endpoint

{% embed url="<https://github.com/Escape-Technologies/graphinder>" %}

## Detect the Programming Language

{% embed url="<https://danaepp.com/how-to-detect-the-programming-language-of-an-api>" %}

Values of the `X-Powered-By` header and what they indicate:

* PHP/x.x.x – the API is written in PHP
* ASP.NET – the API is written in C#
* Express – the API is written in NodeJS
* Next.js – the API is written in NodeJS for use with the React framework
* PleskLin – the API is written in PHP

Other headers:

* **Server** – this header will occasionally contain information about the server software being used. For example, Microsoft-IIS/x.x or nginx.
* **X-AspNet-Version** – this header will be present if the API is written in ASP.NET and can help you determine which version is being used.
* **X-AspNetMvc-Version** – this header is present when an API is written in ASP.NET MVC.
* **Set-Cookie** – while it’s not a guarantee, some languages have distinct cookie patterns that may give away what technology is in use. For example, ASP.NET\_SessionId, JSESSIONID or PHPSESSID
* **X-Runtime** – this header is often used in Ruby on Rails applications and can give you a good indication that the API is written in Ruby.

Verbose error messages and stack traces also reveal the language and framework, so note what the API returns on malformed requests.
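As an added example (not code from the original page), the following Python routine applies the header clues listed above to a set of response headers and reports the likely technology together with the header that gave it away. Run against your own API's responses it doubles as a check of which headers should be stripped before deployment. The rule table is an assumption built only from the clues above (with `JSESSIONID` mapped to a Java servlet container), and the three sample responses are constructed.

```python
"""Infer the likely language/framework behind an API from its response
headers and list the headers that leaked it.

Added example, not code from the original page.  RULES is an assumption
derived only from the header clues listed above; the sample responses are
constructed.
"""
import re
from typing import Dict, List, Tuple, Union

HeaderValue = Union[str, List[str]]  # Set-Cookie may occur several times

# (header name, regex on its value, technology it points to)
RULES: List[Tuple[str, str, str]] = [
    ("x-powered-by", r"^PHP/", "PHP"),
    ("x-powered-by", r"^ASP\.NET", "ASP.NET (C#)"),
    ("x-powered-by", r"^Express", "Node.js (Express)"),
    ("x-powered-by", r"^Next\.js", "Node.js (Next.js/React)"),
    ("x-powered-by", r"^PleskLin", "PHP (Plesk)"),
    ("x-aspnet-version", r".", "ASP.NET"),
    ("x-aspnetmvc-version", r".", "ASP.NET MVC"),
    ("x-runtime", r".", "Ruby on Rails"),
    ("server", r"Microsoft-IIS", "IIS"),
    ("server", r"nginx", "nginx"),
    ("set-cookie", r"^ASP\.NET_SessionId=", "ASP.NET"),
    ("set-cookie", r"^JSESSIONID=", "Java servlet container"),
    ("set-cookie", r"^PHPSESSID=", "PHP"),
]

# Constructed sample responses (header names as a server would send them).
PHP_RESPONSE: Dict[str, HeaderValue] = {
    "X-Powered-By": "PHP/8.1.2",
    "Server": "nginx",
    "Set-Cookie": ["PHPSESSID=c0nstructed; Path=/; HttpOnly"],
    "Content-Type": "application/json",
}
ASPNET_RESPONSE: Dict[str, HeaderValue] = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "Set-Cookie": "ASP.NET_SessionId=c0nstructed; path=/",
}
QUIET_RESPONSE: Dict[str, HeaderValue] = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store",
}


def _values(headers: Dict[str, HeaderValue], name: str) -> List[Tuple[str, str]]:
    """All (original header name, value) pairs for a header, matched case-insensitively."""
    out: List[Tuple[str, str]] = []
    for orig, val in headers.items():
        if orig.lower() == name:
            vals = val if isinstance(val, list) else [val]
            out.extend((orig, v) for v in vals)
    return out


def fingerprint(headers: Dict[str, HeaderValue]) -> List[Dict[str, str]]:
    """Every rule that fires, with the header and value that triggered it."""
    findings: List[Dict[str, str]] = []
    for name, pattern, tech in RULES:
        for orig_name, value in _values(headers, name):
            if re.search(pattern, value, re.IGNORECASE):
                findings.append({"technology": tech, "header": orig_name, "value": value})
    return findings


def technologies(headers: Dict[str, HeaderValue]) -> List[str]:
    """Sorted, de-duplicated list of inferred technologies."""
    return sorted({f["technology"] for f in fingerprint(headers)})


def leaking_headers(headers: Dict[str, HeaderValue]) -> List[str]:
    """Header names that revealed something: the list to strip or neutralize
    when hardening your own API."""
    return sorted({f["header"] for f in fingerprint(headers)})


if __name__ == "__main__":
    for label, resp in (("php", PHP_RESPONSE), ("aspnet", ASPNET_RESPONSE), ("quiet", QUIET_RESPONSE)):
        print(label, technologies(resp), "leaked by", leaking_headers(resp))
```

The third sample shows the goal from the defender's side: with `X-Powered-By`, `Server` and framework-specific cookie names gone, the routine has nothing to go on. Feed `fingerprint()` the headers from a real response (a `dict` from `requests` or similar) to see how much a single request discloses.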

## Finding hidden parameters

### Fuzzing

Refer to [API Endpoints](#api-endpoints) and check [Web Enumeration](/0xss0rz/pentest/web-attacks/web-enumeration.md) - Parameter Fuzzing (Arjun, etc.)

```
$ python3 /opt/Arjun/arjun.py -u http://target_address.com
$ python3 /opt/Arjun/arjun.py -i burp_targets.txt
```

### Burp - Param Miner

{% embed url="<https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943>" %}

### Burp - Content Discovery Tool

{% hint style="success" %}
*Run it against the site root (/).*
{% endhint %}

{% embed url="<https://portswigger.net/burp/documentation/desktop/tools/engagement-tools/content-discovery>" %}


## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Hacking APIs: Breaking Web Application Programming Interfaces**](https://www.amazon.fr/dp/1718502443?tag=0xss0rz-21)\
  A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
* [**Black Hat GraphQL: Attacking Next Generation APIs**](https://www.amazon.fr/dp/B0B7Q8BYG1?tag=0xss0rz-21)\
  This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)

