Reconnaissance

API Enumeration

Swagger discovery, parameter fuzzing, and API version enumeration

API Documentation Discovery

Swagger/OpenAPI Endpoints

BASH
# Common Swagger paths
/swagger
/swagger-ui
/swagger-ui.html
/swagger.json
/swagger.yaml
/swagger/v1/swagger.json
/api-docs
/api-docs.json
/openapi.json
/openapi.yaml
/openapi/v3/api-docs
/docs
/redoc

# Automated discovery
ffuf -u https://target.com/FUZZ -w swagger-wordlist.txt

GraphQL Endpoints

BASH
# Common paths
/graphql
/graphql/console
/graphiql
/playground
/v1/graphql
/api/graphql

# Introspection query
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name,fields{name}}}}"}'

Postman Collections

BASH
# Check for exposed collections
/postman
/postman_collection.json
/.postman
/api/postman
/docs/postman

# Import and explore in Postman

API Version Discovery

Version Enumeration

BASH
# URL path versioning
/api/v1/users
/api/v2/users
/api/v3/users
/v1/api/users
/v2/api/users

# Fuzz versions
ffuf -u https://target.com/api/vFUZZ/users -w versions.txt
# versions.txt: 1,2,3,1.0,1.1,2.0,beta,latest,dev,test

Header Versioning

BASH
# Common version headers
Accept: application/vnd.api+json; version=1
Accept-Version: v1
X-API-Version: 2
Api-Version: 2021-01-01

# Test different versions
curl -H "Accept-Version: v1" https://target.com/api/users
curl -H "Accept-Version: v2" https://target.com/api/users

Query Parameter Versioning

BASH
/api/users?version=1
/api/users?v=2
/api/users?api-version=2020-01-01

Deprecated Versions

BASH
# Old API versions often lack the current version's security controls
# Check for missing:
- Rate limiting
- Authentication
- Input validation
- Authorization checks

Parameter Discovery

Common Parameters

BASH
# Pagination
?page=1&limit=100
?offset=0&count=50
?start=0&end=100
?per_page=1000

# Filtering
?filter=admin
?search=*
?query=
?q=

# Sorting
?sort=id
?order=desc
?orderby=created_at

# Format
?format=json
?output=xml
?callback=jsonp

# Debug/Admin
?debug=true
?test=1
?admin=1
?internal=true

Parameter Fuzzing

BASH
# Arjun - parameter discovery
arjun -u https://target.com/api/users

# ParamSpider
python3 paramspider.py -d target.com

# x8
x8 -u https://target.com/api/users -w params.txt

# Burp Param Miner extension
# Passively discovers parameters

Hidden Parameters

BASH
# Common hidden params
_method=PUT
_token=
csrf_token=
access_token=
api_key=
secret=
callback=
redirect=
next=
return=

Endpoint Enumeration

REST Endpoint Discovery

BASH
# Common patterns
GET /api/users
GET /api/users/{id}
POST /api/users
PUT /api/users/{id}
DELETE /api/users/{id}
PATCH /api/users/{id}

# Fuzz endpoints
ffuf -u https://target.com/api/FUZZ -w api-endpoints.txt

# Common endpoints wordlist
users, user, account, accounts, profile, profiles
admin, administrator, management
auth, login, logout, register, signup, password, reset
config, settings, preferences
upload, download, files, documents
search, query, filter
health, status, ping, info, version

CRUD Operations Testing

BASH
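# Test all HTTP methods against one endpoint, one request per method.
# HEAD is sent with -I/--head: "-X HEAD" makes curl wait for a response
# body that never arrives, so that iteration would stall.
for method in GET POST PUT DELETE PATCH OPTIONS HEAD; do
  if [[ "$method" == HEAD ]]; then
    curl -I https://target.com/api/users -v
  else
    curl -X "$method" https://target.com/api/users -v
  fi
done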

# Method override
curl -X POST -H "X-HTTP-Method-Override: DELETE" https://target.com/api/users/1
curl -X POST -d "_method=PUT" https://target.com/api/users/1

Authentication Enumeration

Token Types Discovery

BASH
# JWT in headers
Authorization: Bearer eyJ...
X-Access-Token: eyJ...
X-Auth-Token: ...

# API keys
X-API-Key: ...
Api-Key: ...
apikey: ...

# Cookies
session=...
token=...
jwt=...

Authentication Bypass

BASH
# Test without auth
curl https://target.com/api/admin

# Test with partial auth
curl -H "Authorization: Bearer invalid" https://target.com/api/admin

# Method switching
curl -X OPTIONS https://target.com/api/admin
curl -X HEAD https://target.com/api/admin

OAuth Endpoints

BASH
/oauth/authorize
/oauth/token
/oauth/callback
/.well-known/oauth-authorization-server
/.well-known/openid-configuration

Content-Type Manipulation

Content-Type Testing

BASH
# Test different content types
curl -X POST https://target.com/api/users \
  -H "Content-Type: application/json" \
  -d '{"name":"test"}'

curl -X POST https://target.com/api/users \
  -H "Content-Type: application/xml" \
  -d '<user><name>test</name></user>'

curl -X POST https://target.com/api/users \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'name=test'

Content Negotiation

BASH
# Accept header manipulation
Accept: application/json
Accept: application/xml
Accept: text/html
Accept: */*

# Test parser differences
# JSON with trailing comma
# XML with XXE payload
# Form data with array syntax

GraphQL Enumeration

Schema Introspection

BASH
# Full schema dump
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query{__schema{types{name,fields{name,args{name}}}}}"}'

# Types only
{"query":"{__schema{types{name}}}"}

# Specific type
{"query":"{__type(name:\"User\"){fields{name,type{name}}}}"}

Tools

BASH
# GraphQL Voyager - visual schema
# GraphQL Map
python3 graphqlmap.py -u https://target.com/graphql

# InQL Burp extension
# Clairvoyance - schema recovery when introspection is disabled
clairvoyance https://target.com/graphql -o schema.json

Rate Limit Testing

Bypass Techniques

BASH
# IP rotation headers
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1

# Case variation
/api/users
/Api/Users
/API/USERS

# Path manipulation
/api/users/../users
/api//users
/api/./users

# Parameter pollution
/api/users?id=1&id=2

Rate Limit Detection

BASH
# Check response headers (present headers indicate a limiter; their absence does not prove there is none)
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 99
X-RateLimit-Reset: 1620000000
Retry-After: 60

Tools Summary

Essential Tools

BASH
# API documentation
Swagger/OpenAPI parsers
GraphQL Voyager
Postman

# Parameter discovery
Arjun
ParamSpider
x8
Burp Param Miner

# Endpoint fuzzing
ffuf
wfuzz
Gobuster

# GraphQL
InQL
GraphQL Map
Clairvoyance

API Wordlists

BASH
# SecLists
/Discovery/Web-Content/api/
/Discovery/Web-Content/swagger.txt

# Assetnote
/httparchive_apiroutes.txt

# Custom
# Build from JS analysis
# Extract from mobile apps

Bug Bounty Tips

Common API Vulns

TEXT
1. BOLA/IDOR - Access other users' data
2. Broken authentication
3. Excessive data exposure
4. Mass assignment
5. Missing rate limiting
6. Injection (SQLi, NoSQLi)
7. Improper asset management (old API versions)

Testing Checklist

BASH
# For each endpoint:
[ ] Test all HTTP methods
[ ] Test authentication bypass
[ ] Test IDOR with different IDs
[ ] Fuzz parameters
[ ] Check for sensitive data exposure
[ ] Test rate limiting
[ ] Test input validation
[ ] Check error messages for info leakage

Quick Workflow

BASH
# 1. Find API docs
ffuf -u https://target.com/FUZZ -w swagger-paths.txt

# 2. Extract endpoints from docs/JS
# Use LinkFinder, JS analysis

# 3. Version enumeration
ffuf -u https://target.com/api/vFUZZ/users -w versions.txt

# 4. Parameter discovery
arjun -u https://target.com/api/users

# 5. Test each endpoint
# Manual testing with Burp/Postman