API Discovery / Recon
Google Dorking
Google Dorks
inurl:"/wp-json/wp/v2/users"
intitle:"index.of" intext:"api.txt"
inurl:"/api/v1" intext:"index of /"
ext:php inurl:"api.php?action="
intitle:"index of" api_key OR "api key" OR apiKey -pool
Git Dorking
Git Dorks
filename:swagger.json
extension:json
Search GitHub for your target organization's name paired with potentially sensitive types of information, such as "api key", "api keys", "apikey", "key", "authorization: Bearer", "access_token", "secret", or "token".
TruffleHog
Besides GitHub, TruffleHog can scan other sources for secrets: Git repositories, GitLab, Amazon S3, the local filesystem, and Syslog.
$ sudo docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=target-name
Wayback Machine
Finding and comparing historical snapshots of API documentation can simplify testing for Improper Assets Management.
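A worked version of the snapshot comparison, added here and not code from the original page: it lists Wayback snapshots of a spec URL through the Wayback Machine CDX API (network, only when a URL is passed on the command line) and, offline, diffs two Swagger/OpenAPI documents to surface operations that were documented in the old snapshot but vanished from the current one. Those are the first candidates to probe for Improper Assets Management, since "removed from the docs" is not the same as "removed from the server". The two specs below are constructed samples, and the `api.example.com` URL in the usage comment is a placeholder.

```python
"""Diff two OpenAPI/Swagger snapshots and list operations that dropped out of the documentation.

Added example, not from the original page. OLD_SPEC/NEW_SPEC are constructed samples;
wayback_snapshots() needs network and is only called when a URL is given on the command line.
"""
import json
import urllib.parse
import urllib.request

CDX_API = "https://web.archive.org/cdx/search/cdx"  # Wayback Machine CDX index

# Constructed: an older snapshot that still documents a v1 admin export route ...
OLD_SPEC = json.dumps({
    "swagger": "2.0",
    "paths": {
        "/api/v1/users": {"get": {}, "post": {}},
        "/api/v1/users/{id}": {"get": {}, "delete": {}},
        "/api/v1/admin/export": {"get": {}},
    },
})
# ... and a current snapshot where v1 (and the admin route) is no longer documented.
NEW_SPEC = json.dumps({
    "openapi": "3.0.0",
    "paths": {
        "/api/v2/users": {"get": {}, "post": {}},
        "/api/v2/users/{id}": {"get": {}, "patch": {}, "delete": {}},
    },
})

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def extract_operations(spec_text):
    """Return the set of (METHOD, path) pairs documented in a Swagger 2 / OpenAPI 3 JSON document."""
    spec = json.loads(spec_text)
    ops = set()
    for path, item in spec.get("paths", {}).items():
        for key in item:  # path items also carry non-method keys such as "parameters"
            if key.lower() in HTTP_METHODS:
                ops.add((key.upper(), path))
    return ops


def diff_operations(old_text, new_text):
    """Operations present in the old snapshot but not the new one ('removed'), and the reverse ('added')."""
    old_ops = extract_operations(old_text)
    new_ops = extract_operations(new_text)
    return {"removed": sorted(old_ops - new_ops), "added": sorted(new_ops - old_ops)}


def wayback_snapshots(url, limit=20):
    """List (timestamp, raw-archive URL) pairs for `url` from the CDX API. Needs network."""
    query = urllib.parse.urlencode({
        "url": url, "output": "json", "fl": "timestamp,original",
        "filter": "statuscode:200", "collapse": "digest", "limit": limit,
    })
    with urllib.request.urlopen(f"{CDX_API}?{query}", timeout=30) as resp:
        rows = json.load(resp)
    # With output=json the first row is the column header; "id_" asks for the unmodified archived body.
    return [(ts, f"https://web.archive.org/web/{ts}id_/{orig}") for ts, orig in rows[1:]]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        # Usage: python3 spec_diff.py https://api.example.com/swagger.json  (placeholder host)
        for ts, archived in wayback_snapshots(sys.argv[1]):
            print(ts, archived)
    else:
        for method, path in diff_operations(OLD_SPEC, NEW_SPEC)["removed"]:
            print(f"gone from the docs, still worth probing: {method} {path}")
```

Feed two archived bodies (fetched from the `id_` URLs) into `diff_operations` and probe every "removed" operation against the live host; a 200 or a 401 on a route the current docs no longer mention is the finding.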
Amass
$ amass enum -active -d target-name.com | grep api
Fuzzing
api-endpoints.txt: https://gist.github.com/spenkk/af31fd6c4ebeaa15cf6996826109334a
ffuf -u https://api.example.com/FUZZ -w api-endpoints.txt -t 50
Documentation
/api
/swagger/index.html
/openapi.json
# REST API Documentation Paths
/api-docs
/docs
/swagger
/swagger-ui
/openapi
/api-explorer
/documentation
/help
/api/v1/docs
/api/docs
/api/swagger.json
/api/openapi.json
/api/swagger-ui.html
/v1/docs
/api/v2/docs
/swagger.yaml
/openapi.yaml
/api.json
/openapi.json
/api/v3/docs
/developer/api-docs
/test.yaml
/test.json
/test.pdf
# API Developer Portals
/developers
/developer
/api/developer
/developer/docs
/api/developers
/api/guide
/dev/api-docs
/developer-guide
/api/v1/reference
/reference
# GraphQL API Documentation Paths
/graphql
/api/graphql
/graphql-docs
/graphiql
/playground
/graphql-explorer
/v1/graphql
/api/v2/graphql
/graphql/schema
/graphql/docs
# Alternative API Documentation Paths
/redoc
/api/redoc
/redoc-ui
/apidocs
/api-help
/api/manual
/rest-api-docs
/developer/documentation
/explorer
/api/ui
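The path lists above are meant to be thrown at a target, but a bare status-code sweep is noisy: an SPA that answers every path with its index page will show 200 for all of them. The script below is an added example (not code from the page) that probes a subset of those paths, first requests a random path to learn whether the server is a catch-all, and classifies each 200 as a machine-readable spec, a documentation front-end, or a plain hit. `SAMPLE_RESPONSES`/`fake_fetch` are constructed so it runs offline; pass a real base URL to use the live fetcher.

```python
"""Probe a base URL for API documentation paths and classify what comes back.

Added example, not from the original page. DOC_PATHS is a subset of the page's list;
SAMPLE_RESPONSES and fake_fetch are constructed stand-ins for a target so it runs offline.
"""
import hashlib
import secrets
import urllib.error
import urllib.request

DOC_PATHS = ["/swagger.json", "/openapi.json", "/api/swagger.json", "/swagger-ui",
             "/api-docs", "/docs", "/graphql", "/graphiql", "/redoc"]
# Strings that betray a documentation front-end even when the spec itself is loaded elsewhere.
UI_MARKERS = ("swagger-ui", "redoc", "graphiql", "graphql playground", "api-docs")


def fetch(url, timeout=10):
    """GET url; return (status, first 4 KB of body). status is None on connection failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "api-recon/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def classify(status, body):
    """'spec' for a Swagger/OpenAPI document (JSON or YAML), 'ui' for a doc front-end,
    'hit' for any other 200, None for everything else."""
    if status != 200:
        return None
    head = body[:4096].lower()
    if '"openapi"' in head or '"swagger"' in head or head.lstrip().startswith(("openapi:", "swagger:")):
        return "spec"
    if any(marker in head for marker in UI_MARKERS):
        return "ui"
    return "hit"


def probe(base_url, paths=DOC_PATHS, fetcher=fetch):
    """Return {path: label}. A 200 on a random path means the server answers everything
    (SPA fallback); plain 'hit's whose body matches that page are dropped as false positives."""
    base = base_url.rstrip("/")
    status, body = fetcher(f"{base}/{secrets.token_hex(8)}")
    catch_all = hashlib.sha256(body.encode()).hexdigest() if status == 200 else None
    findings = {}
    for path in paths:
        status, body = fetcher(base + path)
        label = classify(status, body)
        if label is None:
            continue
        if label == "hit" and catch_all == hashlib.sha256(body.encode()).hexdigest():
            continue  # same page as the random path: not a real endpoint
        findings[path] = label
    return findings


# Constructed responses standing in for a target.
SAMPLE_RESPONSES = {
    "/openapi.json": (200, '{"openapi":"3.0.1","info":{"title":"demo"},"paths":{}}'),
    "/swagger-ui": (200, '<html><div id="swagger-ui"></div></html>'),
    "/docs": (200, "<html>Welcome to the portal</html>"),
}


def fake_fetch(url):
    """Offline fetcher: look the request path up in SAMPLE_RESPONSES, 404 otherwise."""
    path = "/" + url.split("/", 3)[3] if url.count("/") >= 3 else "/"
    return SAMPLE_RESPONSES.get(path, (404, "not found"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = probe(sys.argv[1])                                # live target
    else:
        results = probe("http://example.test", fetcher=fake_fetch)  # offline demo
    for path, label in sorted(results.items()):
        print(f"{label:4} {path}")
```

For the full list on the page, load it from a file into `paths` instead of `DOC_PATHS`; the catch-all check is what keeps a React or Next.js front-end from lighting up every single entry.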
Docs - subdomains
# Subdomains
https://docs.example.com
https://dev.example.com/docs
https://developer.example.com/docs
https://api.example.com/docs
https://example.com/developers/documentation
API Subdomains
API endpoints
Known API
API Detector
Kiterunner
$ kr scan http://target.com -w ~/api/wordlists/data/kiterunner/routes-large.kite
# With a wordlist
$ kr brute <target> -w ~/api/wordlists/data/automated/nameofwordlist.txt
Run with authorization header
$ kr scan http://192.168.50.35:8090 -w ~/api/wordlists/data/kiterunner/routes-large.kite -H 'x-access-token: eyJhb<-SNIP->zFk'
In this example the scan identified the following endpoints:
GET 200 [ 217, 1, 1] http://192.168.50.35:8090/api/user/info
GET 200 [ 101471, 1871, 1] http://192.168.50.35:8090/api/pictures/
GET 200 [ 217, 1, 1] http://192.168.50.35:8090/api/user/info/
GET 200 [ 101471, 1871, 1] http://192.168.50.35:8090/api/pictures
GraphQL endpoint
Detect the Programming Language
Header X-Powered-By:
PHP/x.x.x – the API is written in PHP
ASP.NET – the API is written in C#
Express – the API is written in Node.js (Express framework)
Next.js – the API is written in Node.js for use with the React framework
PleskLin – the host is managed by the Plesk control panel on Linux; this usually means a PHP hosting stack, but it does not by itself prove the API is written in PHP
Other headers:
Server – this header will occasionally contain information about the server software being used. For example, Microsoft-IIS/x.x or nginx.
X-AspNet-Version – this header will be present if the API is written in ASP.NET and can help you determine which version is being used.
X-AspNetMvc-Version – this header is present when an API is written in ASP.NET MVC.
Set-Cookie – while it’s not a guarantee, some languages have distinct cookie patterns that may give away what technology is in use. For example, ASP.NET_SessionId, JSESSIONID or PHPSESSID
X-Runtime – this header is often used in Ruby on Rails applications and can give you a good indication that the API is written in Ruby.
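The header-to-technology table above, turned into a small fingerprinter as an added example (not code from the page). It parses a raw response, applies one rule per header from the table, and reports every match plus the version-bearing header values. Treat the result as a hint only: all of these headers can be stripped or faked by a proxy or by the application. `RAW_RESPONSE` is a constructed sample.

```python
"""Infer the back-end stack from response headers, following the page's header table.

Added example, not from the original page. RAW_RESPONSE is a constructed response.
"""
import re

# (header name, regex applied to its value, inferred technology). All matching rules are reported.
RULES = [
    ("x-powered-by", r"^php/?", "PHP"),
    ("x-powered-by", r"^asp\.net", "ASP.NET (C#)"),
    ("x-powered-by", r"^express", "Node.js (Express)"),
    ("x-powered-by", r"^next\.js", "Node.js (Next.js/React)"),
    ("x-powered-by", r"^plesklin", "Plesk on Linux (usually a PHP stack)"),
    ("x-aspnet-version", r".", "ASP.NET"),
    ("x-aspnetmvc-version", r".", "ASP.NET MVC"),
    ("x-runtime", r"^\d+\.\d+", "Ruby on Rails (likely)"),
    ("server", r"microsoft-iis", "IIS"),
    ("server", r"nginx", "nginx"),
    ("set-cookie", r"^asp\.net_sessionid=", "ASP.NET session cookie"),
    ("set-cookie", r"^jsessionid=", "Java servlet container"),
    ("set-cookie", r"^phpsessid=", "PHP session cookie"),
]
# Headers whose value usually carries an exact version worth recording for later CVE lookups.
VERSION_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# Constructed sample response.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"ok":true}'
)


def parse_headers(raw):
    """Parse status line + headers into [(name_lower, value)], keeping repeated headers (Set-Cookie)."""
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block; the body follows
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def fingerprint(raw):
    """Technologies suggested by the headers, in the order their headers appear."""
    found = []
    for name, value in parse_headers(raw):
        for rule_name, pattern, tech in RULES:
            if name == rule_name and re.search(pattern, value, re.IGNORECASE) and tech not in found:
                found.append(tech)
    return found


def version_hints(raw):
    """Raw values of version-bearing headers, e.g. {'server': 'Microsoft-IIS/10.0'}."""
    return {name: value for name, value in parse_headers(raw) if name in VERSION_HEADERS}


if __name__ == "__main__":
    print("stack:", ", ".join(fingerprint(RAW_RESPONSE)))
    for name, value in version_hints(RAW_RESPONSE).items():
        print(f"{name}: {value}")
```

Pipe a saved response (`curl -si https://target/api/ > resp.txt`) into `fingerprint`, and cross-check the guess with the error-page format from the next step, since verbose errors tend to name the framework outright.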
Generate verbose errors, stack trace
Finding hidden parameters
Fuzzing
Refer to API Endpoints and check Web Enumeration - Parameter Fuzzing (Arjun, etc.)
$ python3 /opt/Arjun/arjun.py -u http://target_address.com
$ python3 /opt/Arjun/arjun.py -i burp_targets.txt
Burp - Param Miner
Burp - Content Discovery Tool
Run it on /
Interesting Books
Hacking APIs: Breaking Web Application Programming Interfaces. A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
Black Hat GraphQL: Attacking Next Generation APIs This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.