API Reconnaissance

Passive API Reconnaissance

Google Dorking

Finds all publicly available WordPress API user directories

inurl:"/wp-json/wp/v2/users"

Finds publicly available API key files.

intitle:"index.of" intext:"api.txt"

Finds potentially interesting API directories.

inurl:"/api/v1" intext:"index of /"

Finds all sites with a XenAPI SQL injection vulnerability.

ext:php inurl:"api.php?action="

This is one of my favorite queries. It lists potentially exposed API keys.

// Some code

-------------------------------------------------------------

Shodan Dorking

Using hostname will perform a basic Shodan search for your target’s domain name. This should be combined with the following queries to get results specific to your targe

hostname:"targetname.com"

APIs should have their content-type set to JSON or XML. This query will filter results that respond with JSON.

"content-type: application/json"

This query will filter results that respond with XML.

inurl:"/api/v1" intext:"index of /"

You can add "200 OK" to your search queries to get results that have had successful requests. However, if an API does not accept the format of Shodan’s request, it will likely issue a 300 or 400 response.

"200 OK"

This will search for web applications using the WordPress API.

"wp-json"

-------------------------------------------------------------

TruffleHog

TruffleHog is a great tool for automatically discovering exposed secrets. You can simply use the following Docker run to initiate a TruffleHog scan of your target's Github.

sudo docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=target-name

-------------------------------------------------------------

Using Wayback Machine to find old Api endpoints

Seach for .json or .xml Files

https://web.archive.org/cdx/search/cdx?url=google.com/api/*&output=text&fl=original&collapse=urlkey&from=

-------------------------------------------------------------

Active API Reconnaissance

Find API-Subdomain with Amass

amass enum -active -d target-name.com |grep api

-------------------------------------------------------------

Directory Brute-force with Gobuster

gobuster dir -u target-name.com:8000 -w /home/hapihacker/api/wordlists/common_apis_160
gobuster dir -u target-name.com -w /usr/share/wordlists/api_list/common_apis_160 -x 200,202,301 -b 302

Kiterunner Discovering API endpoints and resources

kr scan HTTP://127.0.0.1 -w ~/api/wordlists/data/kiterunner/routes-large.kite
kr brute <target> -w ~/api/wordlists/data/automated/nameofwordlist.txt
PreviousApi TestingNextSetting Up Environment

Last updated