Use Burp/ZAP to actively scan the target for common security misconfigurations, such as missing security headers (Figure 1). Validate each finding manually, as active scans produce many false positives.
The example below, as well as the one in the JavaScript Files section, is based on the crAPI application.
The example below is based on PortSwigger's API Testing module.
Investigate the base path of each endpoint (Figures 2 and 3).
We can use the JS Link Finder Burp extension to search the JavaScript files for patterns that suggest API endpoints (Figure 4).
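As an added example (not code from the page, crAPI or the JS Link Finder extension), the script below applies the same idea by hand: it pulls endpoint-looking quoted paths out of a JavaScript bundle, then groups them by base path so each API can be inventoried separately. The sample bundle, the `target.test` host and the `/api/` or `/vN/` marker heuristic are constructed assumptions.

```python
import re
from urllib.parse import urljoin

# Constructed sample of a front-end bundle (not taken from crAPI or the page).
SAMPLE_JS = """
const BASE="/identity/api/v2";
fetch(BASE+"/user/dashboard",{method:"GET"});
axios.post("/workshop/api/shop/orders",{id:1});
$.ajax({url:"/community/api/v2/community/posts/recent"});
var img="/static/img/logo.png";
var chunk="/api/static/bundle.js";
const other="https://api.example.test/v1/vehicles/123/location";
"""

# A quoted path whose segments include /api/ or a version marker such as /v2/.
# An optional scheme+host prefix lets absolute URLs through as well.
ENDPOINT_RE = re.compile(
    r"""["'`]((?:https?://[^"'`\s/]+)?(?:/[^"'`\s/]+)*?/(?:api|v\d+)/[^"'`\s]*)["'`]""",
    re.IGNORECASE,
)
MARKER_RE = re.compile(r"^(api|v\d+)$", re.IGNORECASE)
STATIC_EXT = (".png", ".jpg", ".css", ".js", ".svg", ".ico", ".woff")

def find_api_paths(js_source, base_url=None):
    """Return sorted, de-duplicated endpoint candidates found in js_source.
    With base_url, relative paths are resolved so they can go straight into
    a scanner's scope; static assets served under /api/ are dropped."""
    found = set()
    for match in ENDPOINT_RE.finditer(js_source):
        path = match.group(1)
        if path.lower().endswith(STATIC_EXT):
            continue
        if base_url and path.startswith("/"):
            path = urljoin(base_url, path)
        found.add(path)
    return sorted(found)

def api_base_path(path):
    """Base path of one endpoint: segments up to the last 'api' or 'vN' marker.
    Only valid for paths returned by find_api_paths (at least one marker)."""
    segments = re.sub(r"^https?://[^/]+", "", path).strip("/").split("/")
    last = max(i for i, seg in enumerate(segments) if MARKER_RE.match(seg))
    return "/" + "/".join(segments[: last + 1])

def group_by_base_path(paths):
    """Group candidates by base path so each API can be reviewed separately."""
    groups = {}
    for p in paths:
        groups.setdefault(api_base_path(p), []).append(p)
    return groups

if __name__ == "__main__":
    for base, eps in group_by_base_path(find_api_paths(SAMPLE_JS)).items():
        print(base, "->", eps)
```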