Back to blog
InspectionJanuary 1, 2024ยท 6 min read

API Endpoint Discovery: Find Hidden APIs and Endpoints

A practical Fusebox guide to api endpoint discovery.

API Endpoint Discovery: Find Hidden APIs and Endpoints

Published: January 2024
Reading time: 8 minutes

Every modern website uses APIs. Most are hidden from view, but they're there - handling login, loading data, processing payments. Here's how to discover them and what they reveal about architecture, functionality, and security.

Why API Discovery Matters

For Developers

  • Integration opportunities: Build on existing APIs
  • Architecture insights: Understand data flow
  • Performance analysis: Find bottlenecks
  • Learning patterns: See best practices

For Security

  • Attack surface: What's exposed
  • Authentication methods: How they secure endpoints
  • Data exposure: What information leaks
  • Rate limiting: DoS protection

For Business Intelligence

  • Feature discovery: Hidden functionality
  • Data sources: Where data comes from
  • Third-party services: What they integrate
  • Pricing models: API usage costs

How to Find API Endpoints

1. Network Tab Discovery

// Monitor all XHR/Fetch requests
const observer = new PerformanceObserver((list) => {
  for (const entry of list.getEntries()) {
    if (entry.initiatorType === 'xmlhttprequest' || 
        entry.initiatorType === 'fetch') {
      console.log('API Call:', entry.name);
    }
  }
});
observer.observe({ entryTypes: ['resource'] });

Common patterns:

/api/v1/users
/api/v2/products
/graphql
/rest/account
/.netlify/functions/
/wp-json/wp/v2/

2. JavaScript Source Analysis

// Search for API endpoints in JS files
const scripts = Array.from(document.scripts);
scripts.forEach(script => {
  if (script.src) {
    fetch(script.src)
      .then(r => r.text())
      .then(code => {
        // Find API patterns
        const apiPatterns = code.matchAll(/['"`](\/api\/[^'"`]+)['"`]/g);
        for (const match of apiPatterns) {
          console.log('Found endpoint:', match[1]);
        }
      });
  }
});

3. Common Endpoint Locations

# REST APIs
/api/
/api/v1/
/api/v2/
/v1/
/v2/
/rest/
/services/

# GraphQL
/graphql
/gql
/query

# Functions
/.netlify/functions/
/api/functions/
/_functions/

# WordPress
/wp-json/
/wp-json/wp/v2/

# Strapi
/api/
/admin/

# Firebase
/__/firebase/
/.json

4. HTML Data Attributes

<!-- Look for data attributes -->
<div data-api-endpoint="/api/products"></div>
<form data-action="/api/submit"></form>
<button data-url="/api/user/logout"></button>

Real-World API Patterns

Example 1: E-commerce Site

Discovered endpoints:

// Product APIs
GET  /api/products
GET  /api/products/{id}
GET  /api/products/search?q=shirt
GET  /api/categories

// Cart APIs  
GET  /api/cart
POST /api/cart/add
PUT  /api/cart/update/{id}
DELETE /api/cart/remove/{id}

// Checkout
POST /api/checkout/calculate
POST /api/checkout/submit
GET  /api/shipping/rates

// User APIs
POST /api/auth/login
POST /api/auth/logout
GET  /api/user/profile
PUT  /api/user/update

What this reveals:

  • Standard REST architecture
  • Session-based cart (GET /api/cart)
  • Real-time shipping calculation
  • Traditional auth flow

Example 2: SaaS Application

Discovered endpoints:

// GraphQL endpoint
POST /graphql

// Queries found:
query GetDashboard {
  user { id name subscription }
  projects { id name status }
  analytics { visits revenue }
}

// REST fallbacks
GET  /api/export/csv
POST /api/upload/file
GET  /api/webhooks

// WebSocket
wss://app.example.com/realtime

Architecture insights:

  • GraphQL for main data
  • REST for file operations
  • WebSocket for real-time
  • Hybrid approach

Example 3: News Website

Hidden APIs found:

// Content APIs
GET /api/articles?page=1&limit=10
GET /api/articles/{slug}
GET /api/trending
GET /api/related/{id}

// Personalization
POST /api/track/view
POST /api/track/engagement
GET  /api/recommendations

// Comments
GET  /api/comments/{articleId}
POST /api/comments/add
POST /api/comments/vote

// Paywall
GET  /api/subscription/status
POST /api/paywall/check

Business model revealed:

  • Pagination strategy
  • Engagement tracking
  • Recommendation engine
  • Paywall implementation

Authentication Patterns

1. Bearer Tokens (JWT)

// Request headers
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

// Decoded JWT reveals:
{
  "user_id": 12345,
  "email": "user@example.com",
  "role": "premium",
  "exp": 1704067200
}

2. API Keys

// Various patterns
X-API-Key: abc123def456
api_key: abc123def456
apikey: abc123def456
key: abc123def456

// In URL (less secure)
/api/data?api_key=abc123def456

3. Session Cookies

// Cookie-based auth
Cookie: session_id=xyz789; 

// CSRF protection
X-CSRF-Token: token123

4. OAuth Flows

// OAuth endpoints discovered
/oauth/authorize
/oauth/token
/oauth/callback

// Token refresh pattern
POST /oauth/refresh
{
  "refresh_token": "..."
}

Rate Limiting Detection

Response Headers

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1672531200

# Alternative patterns
X-Rate-Limit-Limit: 1000
X-Rate-Limit-Remaining: 999
X-Rate-Limit-Reset: 2024-01-01T00:00:00Z

# Status code
429 Too Many Requests
Retry-After: 60

Testing Rate Limits

// Careful! Don't DoS the site
async function testRateLimit(endpoint) {
  let count = 0;
  
  while (true) {
    const response = await fetch(endpoint);
    count++;
    
    if (response.status === 429) {
      console.log(`Rate limit hit after ${count} requests`);
      console.log('Retry after:', response.headers.get('Retry-After'));
      break;
    }
    
    // Be nice - add delay
    await new Promise(r => setTimeout(r, 100));
    
    if (count > 50) {
      console.log('No rate limit found in 50 requests');
      break;
    }
  }
}

API Security Issues

1. Exposed Internal APIs

// Bad: Internal API exposed
/internal/api/admin/users
/debug/api/stats
/admin/api/config

// These should be:
- Behind authentication
- On internal network only
- Not accessible from browser

2. Information Disclosure

// API returns too much data
GET /api/user/123

Response:
{
  "id": 123,
  "email": "user@example.com",
  "password_hash": "...",  // Should NEVER return
  "credit_card": "...",     // PII exposure
  "internal_notes": "...",  // Internal data
  "api_keys": [...]         // Security risk
}

3. Missing Authentication

// Endpoints that should require auth but don't
GET /api/users/all        // User list exposed
GET /api/orders/export    // Data export
POST /api/admin/action    // Admin functions

4. Predictable IDs

// Sequential IDs enable enumeration
/api/invoice/1001
/api/invoice/1002
/api/invoice/1003

// Better: UUIDs
/api/invoice/550e8400-e29b-41d4-a716-446655440000

Advanced Discovery Techniques

1. Source Map Mining

// If source maps are exposed
fetch('/app.js.map')
  .then(r => r.json())
  .then(sourceMap => {
    // Parse sources for API routes
    sourceMap.sources.forEach(source => {
      if (source.includes('api') || source.includes('service')) {
        console.log('Potential API code:', source);
      }
    });
  });

2. GraphQL Introspection

// Query GraphQL schema
const introspectionQuery = {
  query: `
    {
      __schema {
        types {
          name
          fields {
            name
            type { name }
          }
        }
      }
    }
  `
};

fetch('/graphql', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify(introspectionQuery)
}).then(r => r.json()).then(console.log);

3. Error Message Mining

// Trigger errors to reveal paths
fetch('/api/undefined')
  .then(r => r.text())
  .then(error => {
    // Error might reveal:
    // "Cannot GET /api/undefined. Valid endpoints: /api/users, /api/posts"
    console.log(error);
  });

4. Sitemap and Robots

// Check common files
const files = [
  '/sitemap.xml',
  '/robots.txt',
  '/.well-known/security.txt',
  '/api-docs',
  '/swagger.json',
  '/openapi.json'
];

files.forEach(file => {
  fetch(file).then(r => {
    if (r.ok) console.log(`Found: ${file}`);
  });
});

API Documentation Discovery

Common Documentation URLs

/docs
/api-docs
/swagger
/swagger-ui
/redoc
/graphiql
/playground
/api/docs
/developers
/api-reference

OpenAPI/Swagger

// If Swagger is exposed
fetch('/swagger.json')
  .then(r => r.json())
  .then(spec => {
    console.log('API Title:', spec.info.title);
    console.log('Version:', spec.info.version);
    console.log('Endpoints:', Object.keys(spec.paths));
  });

Quick API Discovery Script

// Paste in console for quick discovery
(function discoverAPIs() {
  const apis = new Set();
  
  // Monitor fetch/XHR
  const originalFetch = window.fetch;
  window.fetch = function(...args) {
    apis.add(args[0]);
    return originalFetch.apply(this, args);
  };
  
  const originalOpen = XMLHttpRequest.prototype.open;
  XMLHttpRequest.prototype.open = function(method, url) {
    apis.add(url);
    return originalOpen.apply(this, arguments);
  };
  
  // Check performance entries
  performance.getEntriesByType('resource').forEach(entry => {
    if (entry.name.includes('/api/') || 
        entry.name.includes('graphql') ||
        entry.initiatorType === 'fetch') {
      apis.add(entry.name);
    }
  });
  
  // Display results
  console.log('๐Ÿ” Discovered APIs:');
  Array.from(apis).sort().forEach(api => {
    if (api.includes('http')) {
      const url = new URL(api);
      console.log(`  ${url.pathname}`);
    }
  });
  
  console.log('\n๐Ÿ’ก Tip: Interact with the site to discover more endpoints!');
})();

What to Do with Discoveries

For Development

  1. Document findings for team reference
  2. Test integrations with discovered APIs
  3. Learn patterns from well-designed APIs
  4. Identify opportunities for optimization

For Security

  1. Report vulnerabilities responsibly
  2. Check your own apps for similar issues
  3. Implement protections learned from others
  4. Audit regularly for exposed endpoints

For Analysis

  1. Map functionality to understand features
  2. Trace data flow through the application
  3. Identify dependencies on third parties
  4. Estimate complexity of the system

The Bottom Line

API discovery reveals:

  • Architecture decisions
  • Security posture
  • Hidden features
  • Integration points

Every API tells a story about how the application works. Learn to read them.


Discover APIs instantly: Fusebox automatically detects and lists all API endpoints while you browse. See requests, responses, and authentication methods. $29 one-time purchase.