Recon

API Types

Type	Goal	Documentation
Public	Serve public data	Easy to find User-friendly
Partner	To be used exclusively by partners	Harder to find Less user-friendly
Private	To be used internally	Hardest to find Minimal documentation (if any)

API Indicators

Within the URL.

https://target-name.com/api/v1 
https://api.target-name.com/v1 
https://target-name.com/docs
https://dev.target-name.com/rest

In directory names.

/api
/api/v1
/v1
/rest
/swagger
/swagger.json
/doc
/graphql
/graphiql
/altair
/playground

Subdomains.

api.target-name.com
uat.target-name.com
dev.target-name.com
developer.target-name.com
test.target-name.com

HTTP headers.

Content-Type: application/json, application/xml

Passive Recon

Google Dorking

Most useful for Public APIs.

Query	Expected results
inurl:"/wp-json/wp/v2/users"	Finds all publicly available WordPress API user directories.
intitle:"index.of" intext:"api.txt"	Finds publicly available API key files.
inurl:"/api/v1" intext:"index of /"	Finds potentially interesting API directories.
ext:php inurl:"api.php?action="	Finds all sites with a XenAPI SQL injection vulnerability. (This query was posted in 2016; four years later, there are currently 141,000 results.)
intitle:"index of" api_key OR "api key" OR apiKey -pool	This is one of my favorite queries. It lists potentially exposed API keys.

Git Dorking

Might reveals authentication information, such as API keys, JWTs, etc. ( check for issues).

api key exposed
extension:json <org>
shodan_api_key # if we know how the key we are searching for is named
"authorization: Bearer" # one of the most common headers
filename:swagger.json

This can be automated with trufflehog.

trufflehog git https://github.com/trufflesecurity/test_keys --only-verified

Shodan

Query	Purpose
hostname:"targetname.com"	Using hostname will perform a basic Shodan search for your target’s domain name. This should be combined with the following queries to get results specific to your target.
"content-type: application/json"	APIs should have their content-type set to JSON or XML. This query will filter results that respond with JSON.
"content-type: application/xml"	This query will filter results that respond with XML.
"200 OK"	You can add "200 OK" to your search queries to get results that have had successful requests. However, if an API does not accept the format of Shodan’s request, it will likely issue a 300 or 400 response.
"wp-json"	This will search for web applications using the WordPress API.

Wayback Machine

Input an already found API and search for endpoints that used to exist.

Active Recon

Port Scan

nmap-scan.sh can be found here.

nmap-scan.sh 127.0.0.1
Creating directory...
Performing initial scan...
Extracting ports...
Performing an aggresive scan on open ports...
All done! See results: less scans/aggressive_scan.nmap

Port-scanning with nmap.

API search

Active scanning for APIs.

# Enumerating microsoft APIs
amass enum -active -d microsoft.com | grep api

Directory scanning with a "general" tool (use an API-specific wordlist).

ffuf -u http://127.0.0.1:8888/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ac -c -ic -recursion

Directory busting with ffuf.

Dev Tools

Enumerating API calls with developer tools.

The curl command can be copied and pasted directly into Postman.

Copying the curl command.

Pasting the curl command into postman.

Postman auto-formats the curl command appropriately.