Reconnaissance

API Enumeration

API discovery, documentation, and endpoint mapping

API Discovery

Common Paths

TEXT
/api
/api/v1
/api/v2
/v1
/v2
/rest
/graphql
/swagger
/openapi
/docs
/api-docs
/swagger.json
/openapi.json
/api/swagger
/api/docs

Fuzzing for APIs

BASH
ffuf -u https://target.com/FUZZ -w api_wordlist.txt -mc 200,301,302,401,403
ffuf -u https://target.com/api/FUZZ -w wordlist.txt

API Documentation

Swagger/OpenAPI

BASH
# Common locations
/swagger.json
/swagger/v1/swagger.json
/api-docs
/openapi.json
/v2/api-docs
/v3/api-docs

# Parse and test
swagger-cli validate swagger.json
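
Added example, not from this page: `swagger-cli validate` only checks that the document is well-formed. The Python below (written for this cheat sheet, not a tool the page describes) turns a Swagger 2.0 / OpenAPI 3 document into an operation list, resolves the effective security requirement for each operation, and flags the ones reachable with no credential, which is where a review starts. The spec it parses is constructed for the demo.

```python
"""Inventory the operations in a Swagger 2.0 / OpenAPI 3 document."""
import json
from urllib.parse import urlsplit

HTTP_METHODS = ("get", "post", "put", "delete", "patch", "head", "options", "trace")

# Constructed sample spec, not from any real service.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "servers": [{"url": "https://api.example.test/v2"}],
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users": {
      "get":  {"summary": "List users"},
      "post": {"summary": "Create user"}
    },
    "/users/{id}": {
      "get":    {"summary": "Get user"},
      "delete": {"summary": "Delete user", "security": []}
    },
    "/internal/debug": {
      "get": {"summary": "Debug dump", "security": []}
    },
    "/health": {
      "get": {"summary": "Liveness", "security": []}
    }
  }
}
""")


def base_path(spec):
    """Swagger 2.0 carries the prefix in basePath; OpenAPI 3 in servers[].url."""
    if "basePath" in spec:
        return spec["basePath"].rstrip("/")
    servers = spec.get("servers") or []
    if servers:
        # keep only the path component of an absolute server URL
        return urlsplit(servers[0].get("url", "")).path.rstrip("/")
    return ""


def inventory(spec):
    """Return [(METHOD, full_path, requires_auth), ...] for every operation."""
    prefix = base_path(spec)
    doc_security = spec.get("security", [])
    ops = []
    for path, item in sorted(spec.get("paths", {}).items()):
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            # An operation-level `security` key replaces the document default;
            # an explicit empty list means "no credential required".
            security = op.get("security", doc_security)
            ops.append((method.upper(), prefix + path, bool(security)))
    return ops


def unauthenticated(spec):
    """Operations callable without any security scheme: review these first."""
    return [(m, p) for m, p, auth in inventory(spec) if not auth]


if __name__ == "__main__":
    for method, path, auth in inventory(SAMPLE_SPEC):
        print(f"{method:7} {path:30} {'auth' if auth else 'OPEN'}")
```

Path items referenced through `$ref` are not resolved here; run the document through a resolver first if it uses them. A `/health` endpoint being open is expected; `/internal/debug` and an unauthenticated `DELETE` are the kind of findings this listing surfaces.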

GraphQL Introspection

BASH
# Check introspection
curl -X POST -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name}}}"}' \
  https://target.com/graphql
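
Added example, not from this page: the curl query above only lists type names. The Python below (written for this cheat sheet) sends a fuller introspection query that also asks for fields and arguments, and parses the response into the root Query and Mutation operations with their signatures, which is the map you actually want. It also detects the "introspection disabled" case. The response it parses is constructed; a real one is what the endpoint returns for `INTROSPECTION_QUERY`.

```python
"""Parse a GraphQL introspection response into the exposed root operations."""
import json

# Superset of the page's query: fields and args included so signatures can be rebuilt.
INTROSPECTION_QUERY = """
{
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      kind
      fields {
        name
        args { name type { name kind ofType { name kind } } }
        type { name kind ofType { name kind } }
      }
    }
  }
}
"""

# Constructed response shaped like a real introspection result.
SAMPLE_RESPONSE = json.loads("""
{"data": {"__schema": {
  "queryType": {"name": "Query"},
  "mutationType": {"name": "Mutation"},
  "types": [
    {"name": "Query", "kind": "OBJECT", "fields": [
      {"name": "user",
       "args": [{"name": "id", "type": {"name": null, "kind": "NON_NULL",
                                         "ofType": {"name": "ID", "kind": "SCALAR"}}}],
       "type": {"name": "User", "kind": "OBJECT", "ofType": null}},
      {"name": "users", "args": [],
       "type": {"name": null, "kind": "LIST", "ofType": {"name": "User", "kind": "OBJECT"}}}
    ]},
    {"name": "Mutation", "kind": "OBJECT", "fields": [
      {"name": "deleteUser",
       "args": [{"name": "id", "type": {"name": "ID", "kind": "SCALAR", "ofType": null}}],
       "type": {"name": "Boolean", "kind": "SCALAR", "ofType": null}}
    ]},
    {"name": "User", "kind": "OBJECT", "fields": [
      {"name": "id", "args": [], "type": {"name": "ID", "kind": "SCALAR", "ofType": null}},
      {"name": "email", "args": [], "type": {"name": "String", "kind": "SCALAR", "ofType": null}}
    ]},
    {"name": "String", "kind": "SCALAR", "fields": null}
  ]
}}}
""")

# What a server with introspection turned off typically answers.
DISABLED_RESPONSE = {"errors": [{"message": "GraphQL introspection is not allowed"}]}


def type_name(t):
    """Render a type reference: NON_NULL(ID) -> 'ID!', LIST(User) -> '[User]'."""
    if t is None:
        return "?"
    kind = t.get("kind")
    if kind == "NON_NULL":
        return type_name(t.get("ofType")) + "!"
    if kind == "LIST":
        return "[" + type_name(t.get("ofType")) + "]"
    return t.get("name") or "?"


def introspection_enabled(resp):
    """False when the server answered with errors instead of a schema."""
    return bool(resp.get("data", {}).get("__schema")) and not resp.get("errors")


def root_operations(resp):
    """{'query': [...], 'mutation': [...]} of 'name(arg: Type): Return' signatures."""
    schema = resp["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    result = {}
    for op in ("query", "mutation"):
        root = schema.get(f"{op}Type")
        if not root:
            result[op] = []
            continue
        sigs = []
        for f in by_name[root["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_name(a['type'])}" for a in f.get("args", []))
            sigs.append(f"{f['name']}({args}): {type_name(f['type'])}")
        result[op] = sigs
    return result


if __name__ == "__main__":
    if introspection_enabled(SAMPLE_RESPONSE):
        for kind, sigs in root_operations(SAMPLE_RESPONSE).items():
            print(kind, sigs)
```

Mutations deserve the closest look: in this constructed schema `deleteUser(id: ID)` is exposed next to a read-only `user` query. On the defensive side, introspection is normally disabled in production; if it is enabled, the operation list above is exactly what anyone on the network can reconstruct.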

WSDL (SOAP)

TEXT
# Common locations
?wsdl
/service?wsdl
/ws?wsdl

Parameter Discovery

Arjun

BASH
# Find hidden parameters
arjun -u https://target.com/api/endpoint

# With custom wordlist
arjun -u https://target.com/api/user -w params.txt

# JSON mode
arjun -u https://target.com/api/data -m JSON

x8

BASH
x8 -u "https://target.com/api/user" -w params.txt

Param Miner (Burp)

TEXT
1. Right-click request
2. Extensions → Param Miner → Guess params
3. Check for hidden inputs

HTTP Method Testing

BASH
# Test all methods
curl -X OPTIONS https://target.com/api/resource -i
curl -X PUT https://target.com/api/resource -d '{"test":1}'
curl -X DELETE https://target.com/api/resource/1
curl -X PATCH https://target.com/api/resource/1 -d '{"id":2}'

Methods to Test

TEXT
GET, POST, PUT, DELETE, PATCH
OPTIONS, HEAD, TRACE, CONNECT
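
Added example, not from this page: the curl loop above produces a set of status codes per route, and the value is in reading them correctly. The Python below (written for this cheat sheet) takes a recorded sweep for one route plus the `Allow` header from its OPTIONS response (both constructed here) and separates methods the server does not implement (405) from routes that exist but are protected (401/403), flags state-changing methods that succeeded without credentials and TRACE being enabled, and lists methods the server serves or advertises that the documented surface never mentions.

```python
"""Interpret an HTTP method sweep against one API route."""
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}
GENERIC = {"OPTIONS", "HEAD"}   # present on almost every route; not a finding by themselves

# Constructed sweep for one route, as the curl commands above would produce
# when run without credentials.
OBSERVED = {"GET": 200, "POST": 401, "PUT": 405, "DELETE": 200,
            "PATCH": 401, "OPTIONS": 204, "HEAD": 200, "TRACE": 405}
ALLOW_HEADER = "GET, POST, DELETE, PATCH, OPTIONS, HEAD"
DOCUMENTED = {"GET", "POST", "PATCH"}   # e.g. taken from the OpenAPI inventory


def parse_allow(value):
    """'GET, POST, OPTIONS' -> {'GET', 'POST', 'OPTIONS'}; tolerant of spacing and case."""
    return {m.strip().upper() for m in (value or "").split(",") if m.strip()}


def classify(observed, allow_header, documented):
    """Bucket each method by what its status code says about the route."""
    advertised = parse_allow(allow_header)
    report = {
        "unsupported": [],      # 405: the method is not implemented for this route
        "protected": [],        # 401/403: the route exists and demands credentials
        "open_write": [],       # 2xx on a state-changing method with no credentials
        "undocumented": [],     # served, but absent from the documented surface
        "trace_enabled": observed.get("TRACE", 405) == 200,
        # advertised in Allow but never documented: shadow methods to review
        "advertised_undocumented": sorted(advertised - documented - GENERIC),
    }
    for method, status in observed.items():
        if status == 405:
            report["unsupported"].append(method)
        elif status in (401, 403):
            report["protected"].append(method)
        elif 200 <= status < 300 and method in STATE_CHANGING:
            report["open_write"].append(method)
        if (method not in documented and method not in GENERIC
                and status not in (404, 405, 501)):
            report["undocumented"].append(method)
    return report


if __name__ == "__main__":
    for key, value in classify(OBSERVED, ALLOW_HEADER, DOCUMENTED).items():
        print(f"{key:24} {value}")
```

In the constructed sweep, `DELETE` returning 200 without credentials on a route whose documentation lists only GET/POST/PATCH is the item to chase; `PUT` and `TRACE` answering 405 can be dropped from further testing.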

Version Discovery

URL Versioning

TEXT
/api/v1/users
/api/v2/users
/api/v3/users
/api/beta/users
/api/internal/users

Header Versioning

BASH
curl -H "Accept-Version: v1" https://target.com/api/users
curl -H "X-API-Version: 2" https://target.com/api/users
curl -H "Api-Version: 2020-01-01" https://target.com/api/users

Endpoint Mapping

From JS Files

BASH
# Extract endpoints from JavaScript
grep -rohE '["'"'"'](/api/[a-zA-Z0-9_/\-]+)["'"'"']' *.js | sort -u
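
Added example, not from this page: the grep one-liner above catches `/api/...` strings in quotes. The Python below (written for this cheat sheet, and going beyond the one-liner) also accepts template literals and `/v2`, `/rest`, `/graphql` prefixes, strips query strings, collapses numeric IDs and `${...}` placeholders so `/users/17` and `/users/42` count as one route, and groups routes by version prefix, which makes `internal` and `beta` trees stand out. The JavaScript it scans is constructed.

```python
"""Extract and normalise API routes from JavaScript bundles."""
import re
from collections import defaultdict

# Constructed bundle fragment, not from any real application.
SAMPLE_JS = r'''
const base = "/api/v1";
fetch('/api/v1/users/42?expand=profile').then(r => r.json());
axios.post("/api/v1/users", payload);
const url = `/api/v2/orders/${orderId}/items`;
http.delete('/api/internal/admin/sessions/17');
const notApi = "/static/logo.png";
'''

# A quoted string or template literal that starts with a route-looking prefix.
PATH_RE = re.compile(r"""["'`](/(?:api|v\d+|rest|graphql)[A-Za-z0-9_/.\-${}?=&]*)["'`]""")
VERSION_RE = re.compile(r"^/api/(v\d+|beta|alpha|internal)(?=/|$)")


def normalize(path):
    """Drop the query string and replace variable segments with placeholders."""
    path = path.split("?", 1)[0]
    path = re.sub(r"\$\{[^}]*\}", "{param}", path)   # template literal placeholder
    path = re.sub(r"/\d+(?=/|$)", "/{id}", path)     # purely numeric segment
    return path.rstrip("/") or "/"


def extract_routes(js):
    """Unique, normalised routes found in the given JavaScript source."""
    return sorted({normalize(m) for m in PATH_RE.findall(js)})


def group_by_version(routes):
    """{'v1': [...], 'v2': [...], 'internal': [...], 'unversioned': [...]}"""
    groups = defaultdict(list)
    for route in routes:
        m = VERSION_RE.match(route)
        groups[m.group(1) if m else "unversioned"].append(route)
    return dict(groups)


if __name__ == "__main__":
    for version, routes in group_by_version(extract_routes(SAMPLE_JS)).items():
        print(version)
        for route in routes:
            print("   ", route)
```

Run it over every `.js` file pulled from the application (`extract_routes(open(path).read())` per file, then union the results). Routes built by string concatenation at runtime will still be missed; traffic capture, as in the mitmproxy step below, covers those.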

From Mobile Apps

BASH
# Decompile APK
apktool d app.apk
grep -r "api" app/smali/
strings app/lib/*.so | grep -i api

From Traffic

BASH
# mitmproxy
mitmproxy --mode regular -p 8080
# Browse app, export flows

Authentication Testing

Common Auth Headers

TEXT
Authorization: Bearer <token>
X-API-Key: <key>
X-Auth-Token: <token>
Cookie: session=<value>

Bypass Attempts

TEXT
# Remove the Authorization header entirely
# Send an empty token
# Send an expired token
# Send null-style values
Authorization: Bearer null
Authorization: Bearer undefined
X-API-Key:                      # empty value
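
Added example, not from this page: the variants listed above (missing header, empty token, `null`, `undefined`, empty API key) are exactly the inputs a sloppy header parser handles inconsistently, and a differing response per variant is what reveals the parsing logic. The Python below (written for this cheat sheet) shows the usual shortcut, `naive_token()`, next to a hardened `parse_auth()` that rejects every malformed input the same way, raises no exception, and accepts only a token present in the store. The tokens, keys and session store are constructed; a real service would verify a signed token or query a database.

```python
"""Server-side parsing of the auth headers probed above: naive vs hardened."""
import re

# Constructed store; stands in for a signed-token check or a database lookup.
SESSIONS = {"7d0c1f8e3ab94c1db2a5e6f7a8b9c0d1": "alice"}
API_KEYS = {"key_live_0123456789abcdef": "reporting-service"}

SENTINELS = {"", "null", "undefined", "none", "nil"}
# RFC 6750 b64token characters, with a sane length window.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9._~+/=-]{16,512}$")

# Headers are assumed already canonicalised to Title-Case names (as most frameworks do).


def naive_token(headers):
    """Typical shortcut: assume 'Bearer <x>' and trust whatever is in position 1."""
    header = headers.get("Authorization")
    if header is None:
        return None
    # 'Bearer' with no token -> IndexError (a 500 in a web app, not a 401);
    # 'Bearer null' -> the string 'null' is passed downstream as a real token.
    return header.split(" ")[1]


def parse_auth(headers):
    """Return (principal, reason); principal is None whenever anything is off."""
    auth = headers.get("Authorization")
    api_key = headers.get("X-API-Key")
    if auth is not None:
        parts = auth.strip().split()
        if len(parts) != 2 or parts[0].lower() != "bearer":
            return None, "malformed authorization header"
        token = parts[1]
        if token.lower() in SENTINELS or not TOKEN_SHAPE.match(token):
            return None, "token has no valid shape"
        user = SESSIONS.get(token)
        return (user, "ok") if user else (None, "unknown token")
    if api_key is not None:
        key = api_key.strip()
        if key.lower() in SENTINELS or not TOKEN_SHAPE.match(key):
            return None, "api key has no valid shape"
        svc = API_KEYS.get(key)
        return (svc, "ok") if svc else (None, "unknown api key")
    return None, "no credentials"


# The page's probe variants, as a request-header table.
PROBES = {
    "no header": {},
    "empty token": {"Authorization": "Bearer "},
    "null": {"Authorization": "Bearer null"},
    "undefined": {"Authorization": "Bearer undefined"},
    "empty api key": {"X-API-Key": ""},
}


def probe_matrix():
    """True per probe when it was rejected; any False is the finding."""
    return {name: parse_auth(h)[0] is None for name, h in PROBES.items()}


if __name__ == "__main__":
    for name, rejected in probe_matrix().items():
        print(f"{name:14} {'rejected' if rejected else 'ACCEPTED'}")
```

Every probe should come back as the same 401; a 500 on the empty-token case or a 200 on any of them is what the bypass attempts are looking for.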

Kiterunner (API Fuzzer)

BASH
# Scan with common API routes
kr scan https://target.com -w routes-large.kite

# With custom wordlist
kr scan https://target.com -w wordlist.txt

# Specific methods
kr scan https://target.com -w routes.kite -X GET,POST