Hacking APIs: Enumeration and Recon Techniques for Modern APIs
Before exploiting APIs, attackers need to understand how they work. API reconnaissance is the process of discovering endpoints, parameters, versions, and internal behaviors. This step is essential for identifying weak spots and preparing more effective attacks.
In this article, we’ll explore how attackers perform API enumeration and recon using real-world examples, open-source tools, and passive/active techniques.
Using Open Sources: Swagger, Postman & GitHub
Modern APIs often expose useful metadata. Here are common sources:
- Swagger/OpenAPI: /swagger.json, /openapi.json
- Postman collections: public links or exported files
- GitHub leaks: .env, .http, API keys in public repos
Example:
curl https://target.com/swagger.json
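A published Swagger/OpenAPI document is the same inventory for the defender as for the attacker, so it is worth parsing it and checking what it reveals. The script below is an added example, not code from the article: it parses an OpenAPI 3 document (a constructed sample stands in for a fetched /openapi.json) and lists every operation, its parameters and the security schemes in force, flagging operations that declare no authentication at all. The sample paths, scheme names and the assumption that per-operation "security" overrides the top-level default follow the OpenAPI 3 layout.

```python
"""Inventory the operations an OpenAPI/Swagger document exposes.

Added example (not from the article). Parses an OpenAPI 3 document and
reports, per operation, the method, path, parameter names and security
schemes, so a defender can see what an anonymous reader of /openapi.json
learns and which routes carry no auth requirement. Assumes OpenAPI 3.x
semantics: top-level "security" is the default, a per-operation
"security" key overrides it, and an empty list means "no auth".
"""
import json

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed sample standing in for a fetched /openapi.json.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Example Shop API", "version": "1.4.0"},
    "servers": [{"url": "https://api.example.com/v1"}],
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"summary": "Fetch a user"},
            "delete": {"summary": "Delete a user", "security": [{"adminKey": []}]},
        },
        "/internal/debug": {
            "get": {"summary": "Debug dump", "security": []},
        },
        "/health": {"get": {"summary": "Liveness", "security": []}},
    },
})


def inventory(spec_text):
    """Return one dict per operation: method, path, params, schemes, open."""
    spec = json.loads(spec_text)
    default_security = spec.get("security", [])
    rows = []
    for path, item in spec.get("paths", {}).items():
        # Parameters declared at path level apply to every method below it.
        shared_params = [p["name"] for p in item.get("parameters", [])]
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters", "summary" and other non-method keys
            params = shared_params + [p["name"] for p in op.get("parameters", [])]
            # Per-operation "security" overrides the document default;
            # an explicit empty list means the route requires no auth.
            security = op.get("security", default_security)
            schemes = sorted({name for req in security for name in req})
            rows.append({
                "method": method.upper(),
                "path": path,
                "params": params,
                "schemes": schemes,
                "open": len(schemes) == 0,
            })
    return rows


def open_endpoints(spec_text):
    """'METHOD /path' strings for operations with no security requirement."""
    return [f"{r['method']} {r['path']}" for r in inventory(spec_text) if r["open"]]


if __name__ == "__main__":
    for row in inventory(SAMPLE_SPEC):
        tag = "OPEN" if row["open"] else "auth"
        print(tag, row["method"], row["path"], row["params"], row["schemes"])
```

Run against a real document, the "open" rows are the ones to review first: a health check is expected there, a debug or internal route is not, and either way the spec tells anyone who fetches it exactly which parameters each route accepts.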
GitHub Dork:
site:github.com "Authorization: Bearer" language:http
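The leaked .env and .http files that such a search turns up are easiest to stop before they are pushed. The following is an added example, not code from the article: a small scanner suited to a pre-commit hook or CI job that flags bearer tokens and key-like assignments in .env/.http style text. The regexes, the placeholder list and the sample file content are constructed for illustration and will not cover every secret format.

```python
"""Flag credential-looking lines before they reach a public repository.

Added example (not from the article). Scans text in the style of a .env
or .http file for "Authorization: Bearer" tokens and KEY/SECRET/TOKEN/
PASSWORD assignments, skipping obvious placeholders, so the check can run
as a pre-commit hook or CI step. Patterns and sample lines are constructed
and deliberately simple; real scanners carry far larger rule sets.
"""
import re

# (rule name, compiled regex); the secret value is always the last group.
PATTERNS = [
    ("bearer-token",
     re.compile(r"Authorization:\s*Bearer\s+([A-Za-z0-9._\-]{16,})", re.I)),
    ("env-secret",
     re.compile(r"^\s*([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)"
                r"\s*=\s*['\"]?([^'\"\s]{8,})", re.I)),
]

# Values that look like secrets but are clearly templates, not live credentials.
PLACEHOLDERS = {"changeme", "your_token_here", "xxxxxxxx", "<redacted>"}

# Constructed .env / .http content standing in for a file about to be committed.
SAMPLE = """# constructed sample, not a real config
API_BASE_URL=https://api.example.com
STRIPE_SECRET_KEY=sk_test_CONSTRUCTED_example_0123456789
DB_PASSWORD=changeme
GET https://api.example.com/v1/users HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.CONSTRUCTED.payload
"""


def scan(text):
    """Return findings as dicts with line number, rule and a redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(match.lastindex)
            if value.lower() in PLACEHOLDERS:
                continue  # template value, nothing to leak
            findings.append({
                "line": lineno,
                "rule": rule,
                # Never echo the full secret into CI logs; a prefix is enough to locate it.
                "preview": value[:6] + "...",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['rule']} ({f['preview']})")
```

Wire it so a non-empty result fails the commit or pipeline; the redacted preview keeps the finding actionable without copying the credential into yet another log.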
Passive Recon with httpx, gau, and subfinder
These tools build a target list without sending probes to every host: subfinder enumerates subdomains from passive sources, httpx probes the results over HTTP, and gau pulls URLs already recorded by archives and crawlers.
subfinder -d target.com | httpx -silent -path /api/v1/status
gau target.com | grep '/api'