🔍 Guide to Perform Passive API Recon: Identifying API Vulnerabilities Without Direct Interaction 🛡️

Listen to this Post

Passive API reconnaissance is a critical step in identifying potential vulnerabilities in APIs without directly interacting with them. This guide will walk you through the process using tools and techniques that ensure you remain undetected while gathering valuable information.

Tools and Commands

  1. Shodan: Use Shodan to search for exposed APIs.
    shodan search "API key" --fields ip_str,port,org,hostnames
    

2. Censys: Identify APIs using Censys.

censys search "services.http.response.headers.location: /api/v1" --index-type hosts
  1. GitHub Dorking: Find API keys and endpoints in public repositories.
    site:github.com "api_key"
    

  2. Wayback Machine: Use Wayback Machine to find historical API endpoints.

    curl "http://web.archive.org/cdx/search/cdx?url=example.com/api/*&output=json"
    

5. Postman: Analyze API documentation for hidden endpoints.

postman-collection-transformer convert -i collection.json -o output.json -j 1.0.0 -p 2.1.0

Practice-Verified Code Snippets