API Security API9 API8

API Reconnaissance & Discovery

Before testing, you need to discover and understand the API surface: look for documentation and endpoints, and understand the data flow. Proper reconnaissance is crucial for identifying shadow APIs and deprecated endpoints.

Finding API Documentation

Developers often leave documentation accessible. Check common paths for Swagger/OpenAPI specs or GraphQL playgrounds.

common-paths.txt

  • /api
  • /api/v1
  • /api/docs
  • /api/swagger
  • /api/swagger.json
  • /api/swagger.yaml
  • /api/openapi.json
  • /api/openapi.yaml
  • /swagger-ui.html
  • /swagger/index.html
  • /docs
  • /redoc
  • /graphql
  • /graphiql

Fuzzing for Endpoints

Use tools like ffuf to discover hidden endpoints using wordlists.

Fuzz for API endpoints:

```bash
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/api-endpoints.txt
ffuf -u https://target.com/api/FUZZ -w /usr/share/wordlists/common-api-endpoints.txt
```

Specialized Discovery

Tools like Kiterunner are designed specifically for API discovery.

Kiterunner scan:

```bash
kr scan https://target.com -w routes-large.kite
kr scan https://target.com -w routes-large.kite -A=apiroutes-210228
```

Analyzing Documentation

If you find Swagger/OpenAPI files, analyze them to understand the API structure.

Check for exposed Swagger/OpenAPI:

```bash
curl -s https://target.com/swagger.json | jq .
curl -s https://target.com/api-docs | jq .
curl -s https://target.com/openapi.json | jq .
```

Source Code Analysis

JavaScript files often contain references to API endpoints. Tools like LinkFinder can extract them.

Use LinkFinder:

```bash
python3 linkfinder.py -i https://target.com/app.js -o cli
```

Standard Files

Don't forget to check robots.txt and sitemap.xml.

```bash
curl https://target.com/robots.txt
curl https://target.com/sitemap.xml
```

API Endpoint Enumeration

Once you have some endpoints, try to guess others based on common REST patterns.

Common REST API patterns:

```http
GET    /api/v1/users
GET    /api/v1/users/1
POST   /api/v1/users
PUT    /api/v1/users/1
PATCH  /api/v1/users/1
DELETE /api/v1/users/1
```

Version Enumeration

Check for different API versions or internal/admin paths.

  • /api/v1/users
  • /api/v2/users
  • /api/v3/users
  • /api/beta/users
  • /api/internal/users
  • /api/private/users
  • /api/admin/users

Parameter Discovery

Hidden parameters can often lead to vulnerabilities. Use tools like Arjun or ffuf.

Parameter discovery with Arjun:

```bash
arjun -u https://target.com/api/users -m GET
arjun -u https://target.com/api/users -m POST
```

Wordlist-based parameter fuzzing:

```bash
ffuf -u "https://target.com/api/users?FUZZ=test" -w params.txt -fs 0
```

HTTP Method Enumeration

Check which HTTP methods are supported on an endpoint.

```bash
for method in GET POST PUT PATCH DELETE OPTIONS HEAD TRACE; do
  echo "Testing $method"
  curl -X "$method" https://target.com/api/endpoint -v 2>&1 | head -20
done
```

Tip

Always check for different API versions. Older versions (v1, v2) may lack security controls that were added in newer versions. Also look for /internal/, /admin/, /debug/ endpoints.

Remediation

Defense Strategies

  • Maintain an up-to-date inventory of all API hosts and endpoints.
  • Disable directory listings and verbose error messages.
  • Restrict access to documentation (Swagger/OpenAPI) to internal networks or authenticated users.
  • Decommission deprecated API versions properly.
  • Implement proper access controls on all endpoints, including internal and admin routes.
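The inventory bullet above and the Tip about old versions and internal routes can be turned into a routine check: compare what the API actually serves (from access logs) against what the OpenAPI document declares. The script below is an added example, not part of the original page or any tool it mentions; the spec, the log lines and the status names ('shadow', 'deprecated', 'undocumented-method') are constructed for the demonstration.

```python
import json
import re
from collections import Counter
# Constructed sample OpenAPI document (not taken from any real service).
SPEC_JSON = json.dumps({"paths": {
    "/api/v2/users": {"get": {}, "post": {}},
    "/api/v2/users/{id}": {"get": {}, "put": {}, "delete": {}},
    "/api/v1/users": {"get": {"deprecated": True}},
}})
# Constructed access-log lines; only the request method and path are used.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/v2/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /api/v1/users?page=2 HTTP/1.1" 200 800
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /api/internal/users HTTP/1.1" 200 9000
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "PATCH /api/v2/users/42 HTTP/1.1" 405 0
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /swagger.json HTTP/1.1" 200 4000
"""
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def load_routes(spec_json):
    """OpenAPI 'paths' -> (regex, METHOD, deprecated); {id} matches one segment."""
    routes = []
    for template, ops in json.loads(spec_json)["paths"].items():
        pattern = re.compile("^" + "".join(
            "[^/]+" if part.startswith("{") else re.escape(part)
            for part in re.split(r"(\{[^/}]+\})", template)) + "$")
        for method, op in ops.items():
            routes.append((pattern, method.upper(), bool(op.get("deprecated"))))
    return routes

def classify(method, path, routes):
    """Return 'documented', 'deprecated', 'undocumented-method' or 'shadow'."""
    path = path.split("?", 1)[0]  # the query string is not part of the route
    path_known = False
    for pattern, m, deprecated in routes:
        if pattern.match(path):
            path_known = True
            if m == method:
                return "deprecated" if deprecated else "documented"
    return "undocumented-method" if path_known else "shadow"

def audit_log(log_text, spec_json):
    """Count requests per status; 'shadow' and 'deprecated' hits are the API9 review list."""
    routes = load_routes(spec_json)
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[classify(m["method"], m["path"], routes)] += 1
    return counts
```

Run `audit_log(SAMPLE_LOG, SPEC_JSON)` on the constructed data and the internal route and the exposed swagger.json both surface as 'shadow', while the v1 call shows up as 'deprecated' traffic that still works.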