API Reconnaissance
Passive API Reconnaissance
Google Dorking
Finds all publicly available WordPress API user directories:
inurl:"/wp-json/wp/v2/users"
Finds publicly available API key files:
intitle:"index.of" intext:"api.txt"
Finds potentially interesting API directories:
inurl:"/api/v1" intext:"index of /"
Finds all sites with a XenAPI SQL injection vulnerability:
ext:php inurl:"api.php?action="
This is one of my favorite queries. It lists potentially exposed API keys.
-------------------------------------------------------------
Shodan Dorking
Using hostname will perform a basic Shodan search for your target's domain name. This should be combined with the following queries to get results specific to your target.
APIs should have their content-type set to JSON or XML. This query will filter results that respond with JSON.
This query will filter results that respond with XML.
You can add "200 OK" to your search queries to get results that have had successful requests. However, if an API does not accept the format of Shodan’s request, it will likely issue a 300 or 400 response.
This will search for web applications using the WordPress API.
-------------------------------------------------------------
TruffleHog
TruffleHog is a great tool for automatically discovering exposed secrets. You can use the following Docker run command to start a TruffleHog scan of your target's GitHub.
-------------------------------------------------------------
Using Wayback Machine to find old API endpoints
Search for .json or .xml files
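To work the archived-endpoint step offline, here is an added Python example (not part of these notes or of any tool they mention) that builds the Wayback Machine CDX query for a domain and filters CDX rows for .json/.xml resources, API-looking paths and JSON/XML content types. The CDX parameter names are the public ones of web.archive.org; the path-hint list and the sample rows are constructed assumptions.

```python
import re
from urllib.parse import urlencode, urlparse

# Fields/params of web.archive.org/cdx/search/cdx (assumption: still honoured).
CDX_FIELDS = ("timestamp", "original", "mimetype", "statuscode")
# Path fragments that commonly mark API routes (hint list is an assumption).
API_PATH_HINTS = re.compile(r"/(api|wp-json|graphql|swagger|v\d+)(/|$)", re.I)
DATA_EXTENSIONS = (".json", ".xml", ".yaml", ".yml")
DATA_MIME_SUFFIXES = ("/json", "+json", "/xml", "+xml")

def build_cdx_url(domain: str) -> str:
    """Build the CDX query that lists every archived URL under `domain`."""
    params = {"url": f"{domain}/*", "fl": ",".join(CDX_FIELDS),
              "collapse": "urlkey", "output": "txt"}  # one row per distinct URL
    return "https://web.archive.org/cdx/search/cdx?" + urlencode(params)

def is_api_candidate(url: str, mimetype: str = "") -> bool:
    """True if the path or the archived content type looks like an API resource."""
    path = urlparse(url).path.lower()
    return (path.endswith(DATA_EXTENSIONS)
            or bool(API_PATH_HINTS.search(path))
            or mimetype.lower().endswith(DATA_MIME_SUFFIXES))

def find_api_endpoints(cdx_text: str) -> list:
    """Unique API-looking URLs from CDX 'txt' output; malformed rows are skipped.
    3xx/4xx rows are kept: the archived path, not the status, is the finding."""
    seen = set()
    for line in cdx_text.splitlines():
        parts = line.split()
        if len(parts) != len(CDX_FIELDS):
            continue
        row = dict(zip(CDX_FIELDS, parts))
        if is_api_candidate(row["original"], row["mimetype"]):
            seen.add(row["original"])
    return sorted(seen)

# Constructed sample in CDX 'txt' layout (not real archive data).
SAMPLE_CDX = """\
20190412103000 https://example.com/ text/html 200
20190412103005 https://example.com/api/v1/users text/html 200
20200101000000 https://example.com/wp-json/wp/v2/users application/json 200
20200301120000 https://example.com/old/config.json application/json 404
20210505050505 https://example.com/blog/post-1 text/html 200
20210606060606 https://example.com/feed application/rss+xml 200
malformed row
"""

if __name__ == "__main__":
    print(build_cdx_url("example.com"))
    print("\n".join(find_api_endpoints(SAMPLE_CDX)))
```

Feed the real CDX response for your target into find_api_endpoints to get the same list for archived history instead of the sample.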
-------------------------------------------------------------
Active API Reconnaissance
Find API subdomains with Amass
-------------------------------------------------------------
Directory Brute-force with Gobuster
Kiterunner Discovering API endpoints and resources