InspectionJanuary 1, 2024ยท 6 min read
API Endpoint Discovery: Find Hidden APIs and Endpoints
A practical Fusebox guide to api endpoint discovery.
API Endpoint Discovery: Find Hidden APIs and Endpoints
Published: January 2024
Reading time: 8 minutes
Every modern website uses APIs. Most are hidden from view, but they're there - handling login, loading data, processing payments. Here's how to discover them and what they reveal about architecture, functionality, and security.
Why API Discovery Matters
For Developers
- Integration opportunities: Build on existing APIs
- Architecture insights: Understand data flow
- Performance analysis: Find bottlenecks
- Learning patterns: See best practices
For Security
- Attack surface: What's exposed
- Authentication methods: How they secure endpoints
- Data exposure: What information leaks
- Rate limiting: DoS protection
For Business Intelligence
- Feature discovery: Hidden functionality
- Data sources: Where data comes from
- Third-party services: What they integrate
- Pricing models: API usage costs
How to Find API Endpoints
1. Network Tab Discovery
// Monitor all XHR/Fetch requests
const observer = new PerformanceObserver((list) => {
for (const entry of list.getEntries()) {
if (entry.initiatorType === 'xmlhttprequest' ||
entry.initiatorType === 'fetch') {
console.log('API Call:', entry.name);
}
}
});
observer.observe({ entryTypes: ['resource'] });
Common patterns:
/api/v1/users
/api/v2/products
/graphql
/rest/account
/.netlify/functions/
/wp-json/wp/v2/
2. JavaScript Source Analysis
// Search for API endpoints in JS files
const scripts = Array.from(document.scripts);
scripts.forEach(script => {
if (script.src) {
fetch(script.src)
.then(r => r.text())
.then(code => {
// Find API patterns
const apiPatterns = code.matchAll(/['"`](\/api\/[^'"`]+)['"`]/g);
for (const match of apiPatterns) {
console.log('Found endpoint:', match[1]);
}
});
}
});
3. Common Endpoint Locations
# REST APIs
/api/
/api/v1/
/api/v2/
/v1/
/v2/
/rest/
/services/
# GraphQL
/graphql
/gql
/query
# Functions
/.netlify/functions/
/api/functions/
/_functions/
# WordPress
/wp-json/
/wp-json/wp/v2/
# Strapi
/api/
/admin/
# Firebase
/__/firebase/
/.json
4. HTML Data Attributes
<!-- Look for data attributes -->
<div data-api-endpoint="/api/products"></div>
<form data-action="/api/submit"></form>
<button data-url="/api/user/logout"></button>
Real-World API Patterns
Example 1: E-commerce Site
Discovered endpoints:
// Product APIs
GET /api/products
GET /api/products/{id}
GET /api/products/search?q=shirt
GET /api/categories
// Cart APIs
GET /api/cart
POST /api/cart/add
PUT /api/cart/update/{id}
DELETE /api/cart/remove/{id}
// Checkout
POST /api/checkout/calculate
POST /api/checkout/submit
GET /api/shipping/rates
// User APIs
POST /api/auth/login
POST /api/auth/logout
GET /api/user/profile
PUT /api/user/update
What this reveals:
- Standard REST architecture
- Session-based cart (GET /api/cart)
- Real-time shipping calculation
- Traditional auth flow
Example 2: SaaS Application
Discovered endpoints:
// GraphQL endpoint
POST /graphql
// Queries found:
query GetDashboard {
user { id name subscription }
projects { id name status }
analytics { visits revenue }
}
// REST fallbacks
GET /api/export/csv
POST /api/upload/file
GET /api/webhooks
// WebSocket
wss://app.example.com/realtime
Architecture insights:
- GraphQL for main data
- REST for file operations
- WebSocket for real-time
- Hybrid approach
Example 3: News Website
Hidden APIs found:
// Content APIs
GET /api/articles?page=1&limit=10
GET /api/articles/{slug}
GET /api/trending
GET /api/related/{id}
// Personalization
POST /api/track/view
POST /api/track/engagement
GET /api/recommendations
// Comments
GET /api/comments/{articleId}
POST /api/comments/add
POST /api/comments/vote
// Paywall
GET /api/subscription/status
POST /api/paywall/check
Business model revealed:
- Pagination strategy
- Engagement tracking
- Recommendation engine
- Paywall implementation
Authentication Patterns
1. Bearer Tokens (JWT)
// Request headers
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
// Decoded JWT reveals:
{
"user_id": 12345,
"email": "user@example.com",
"role": "premium",
"exp": 1704067200
}
2. API Keys
// Various patterns
X-API-Key: abc123def456
api_key: abc123def456
apikey: abc123def456
key: abc123def456
// In URL (less secure)
/api/data?api_key=abc123def456
3. Session Cookies
// Cookie-based auth
Cookie: session_id=xyz789;
// CSRF protection
X-CSRF-Token: token123
4. OAuth Flows
// OAuth endpoints discovered
/oauth/authorize
/oauth/token
/oauth/callback
// Token refresh pattern
POST /oauth/refresh
{
"refresh_token": "..."
}
Rate Limiting Detection
Response Headers
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1672531200
# Alternative patterns
X-Rate-Limit-Limit: 1000
X-Rate-Limit-Remaining: 999
X-Rate-Limit-Reset: 2024-01-01T00:00:00Z
# Status code
429 Too Many Requests
Retry-After: 60
Testing Rate Limits
// Careful! Don't DoS the site
async function testRateLimit(endpoint) {
let count = 0;
while (true) {
const response = await fetch(endpoint);
count++;
if (response.status === 429) {
console.log(`Rate limit hit after ${count} requests`);
console.log('Retry after:', response.headers.get('Retry-After'));
break;
}
// Be nice - add delay
await new Promise(r => setTimeout(r, 100));
if (count > 50) {
console.log('No rate limit found in 50 requests');
break;
}
}
}
API Security Issues
1. Exposed Internal APIs
// Bad: Internal API exposed
/internal/api/admin/users
/debug/api/stats
/admin/api/config
// These should be:
- Behind authentication
- On internal network only
- Not accessible from browser
2. Information Disclosure
// API returns too much data
GET /api/user/123
Response:
{
"id": 123,
"email": "user@example.com",
"password_hash": "...", // Should NEVER return
"credit_card": "...", // PII exposure
"internal_notes": "...", // Internal data
"api_keys": [...] // Security risk
}
3. Missing Authentication
// Endpoints that should require auth but don't
GET /api/users/all // User list exposed
GET /api/orders/export // Data export
POST /api/admin/action // Admin functions
4. Predictable IDs
// Sequential IDs enable enumeration
/api/invoice/1001
/api/invoice/1002
/api/invoice/1003
// Better: UUIDs
/api/invoice/550e8400-e29b-41d4-a716-446655440000
Advanced Discovery Techniques
1. Source Map Mining
// If source maps are exposed
fetch('/app.js.map')
.then(r => r.json())
.then(sourceMap => {
// Parse sources for API routes
sourceMap.sources.forEach(source => {
if (source.includes('api') || source.includes('service')) {
console.log('Potential API code:', source);
}
});
});
2. GraphQL Introspection
// Query GraphQL schema
const introspectionQuery = {
query: `
{
__schema {
types {
name
fields {
name
type { name }
}
}
}
}
`
};
fetch('/graphql', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(introspectionQuery)
}).then(r => r.json()).then(console.log);
3. Error Message Mining
// Trigger errors to reveal paths
fetch('/api/undefined')
.then(r => r.text())
.then(error => {
// Error might reveal:
// "Cannot GET /api/undefined. Valid endpoints: /api/users, /api/posts"
console.log(error);
});
4. Sitemap and Robots
// Check common files
const files = [
'/sitemap.xml',
'/robots.txt',
'/.well-known/security.txt',
'/api-docs',
'/swagger.json',
'/openapi.json'
];
files.forEach(file => {
fetch(file).then(r => {
if (r.ok) console.log(`Found: ${file}`);
});
});
API Documentation Discovery
Common Documentation URLs
/docs
/api-docs
/swagger
/swagger-ui
/redoc
/graphiql
/playground
/api/docs
/developers
/api-reference
OpenAPI/Swagger
// If Swagger is exposed
fetch('/swagger.json')
.then(r => r.json())
.then(spec => {
console.log('API Title:', spec.info.title);
console.log('Version:', spec.info.version);
console.log('Endpoints:', Object.keys(spec.paths));
});
Quick API Discovery Script
// Paste in console for quick discovery
(function discoverAPIs() {
const apis = new Set();
// Monitor fetch/XHR
const originalFetch = window.fetch;
window.fetch = function(...args) {
apis.add(args[0]);
return originalFetch.apply(this, args);
};
const originalOpen = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function(method, url) {
apis.add(url);
return originalOpen.apply(this, arguments);
};
// Check performance entries
performance.getEntriesByType('resource').forEach(entry => {
if (entry.name.includes('/api/') ||
entry.name.includes('graphql') ||
entry.initiatorType === 'fetch') {
apis.add(entry.name);
}
});
// Display results
console.log('๐ Discovered APIs:');
Array.from(apis).sort().forEach(api => {
if (api.includes('http')) {
const url = new URL(api);
console.log(` ${url.pathname}`);
}
});
console.log('\n๐ก Tip: Interact with the site to discover more endpoints!');
})();
What to Do with Discoveries
For Development
- Document findings for team reference
- Test integrations with discovered APIs
- Learn patterns from well-designed APIs
- Identify opportunities for optimization
For Security
- Report vulnerabilities responsibly
- Check your own apps for similar issues
- Implement protections learned from others
- Audit regularly for exposed endpoints
For Analysis
- Map functionality to understand features
- Trace data flow through the application
- Identify dependencies on third parties
- Estimate complexity of the system
The Bottom Line
API discovery reveals:
- Architecture decisions
- Security posture
- Hidden features
- Integration points
Every API tells a story about how the application works. Learn to read them.
Discover APIs instantly: Fusebox automatically detects and lists all API endpoints while you browse. See requests, responses, and authentication methods. $29 one-time purchase.