API Discovery
Automatically find and test undocumented API endpoints.
How It Works
API Discovery finds endpoints that may not be in your documentation:
- Path Inference: Predicts likely endpoints based on patterns in discovered paths
- Wordlist Enumeration: Tests common API paths and naming conventions
- JavaScript Analysis: Extracts API endpoints from client-side code
- Response Analysis: Finds linked resources and pagination patterns
Enabling API Discovery
{
  "discovery": {
    "api_discovery": true,
    "wordlist": "default",
    "path_inference": true,
    "js_analysis": true,
    "max_depth": 5
  }
}
OpenAPI/Swagger Import
Import your API specification for targeted testing:
- Go to Project Settings → API Specs
- Upload your OpenAPI/Swagger file or provide a URL
- Hacker Bot will test all documented endpoints
- Plus discover undocumented ones
{
  "api_spec": {
    "url": "https://api.example.com/openapi.json",
    "auth_header": "Authorization: Bearer ${TOKEN}"
  }
}
Discovery Results
Discovered endpoints are categorized:
- Confirmed: Endpoints that returned valid responses
- Authentication Required: Returned 401/403
- Not Found: Returned 404 (may still be interesting)
- Error: Returned 500 (potential vulnerability indicator)
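To cross-check discovery output against your own traffic, the following added example (not Hacker Bot's code) compares requests seen in an access log with the paths in an OpenAPI document and labels whatever the spec does not describe using the categories above. The spec fragment, log records, and function names are constructed for illustration; treating any 2xx as Confirmed and any 5xx as Error is an assumption.

```python
import re

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed OpenAPI fragment (only the "paths" object matters here).
SPEC = {"paths": {
    "/api/v1/users": {"get": {}, "post": {}},
    "/api/v1/users/{id}": {"get": {}, "parameters": []},
}}

# Constructed access-log records: (method, request target, status).
OBSERVED = [
    ("GET", "/api/v1/users", 200),
    ("GET", "/api/v1/users/42?verbose=1", 200),
    ("DELETE", "/api/v1/users/42", 403),
    ("GET", "/api/v1/export", 500),
    ("GET", "/api/v1/legacy", 404),
]

def template_to_regex(template):
    """Compile an OpenAPI path template; each {param} matches one path segment."""
    literals = re.split(r"\{[^/{}]+\}", template)
    return re.compile("^" + "[^/]+".join(map(re.escape, literals)) + "/?$")

def categorize(status):
    """Map a status code to the page's result categories."""
    if status in (401, 403):
        return "Authentication Required"
    if status == 404:
        return "Not Found"
    if 500 <= status <= 599:   # assumption: page lists 500, all 5xx treated alike
        return "Error"
    if 200 <= status <= 299:   # assumption: "valid response" means 2xx
        return "Confirmed"
    return "Uncategorized"     # not covered by the page's categories

def undocumented(spec, observed):
    """Return {(method, path): category} for requests the spec does not describe."""
    rules = [(template_to_regex(t), HTTP_METHODS & set(item))
             for t, item in spec["paths"].items()]
    findings = {}
    for method, target, status in observed:
        path = target.split("?", 1)[0]          # ignore the query string
        if not any(rx.match(path) and method.lower() in ms for rx, ms in rules):
            findings[(method, path)] = categorize(status)
    return findings

if __name__ == "__main__":
    for (method, path), category in undocumented(SPEC, OBSERVED).items():
        print(f"{category:24} {method} {path}")
```

A documented path called with a method the spec does not list (the `DELETE` above) is reported as well, since that combination is outside the documented surface.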
Custom Wordlists
Add industry-specific or custom paths:
{
  "discovery": {
    "api_discovery": true,
    "wordlist": "custom",
    "custom_paths": [
      "/api/v2/internal",
      "/api/admin",
      "/graphql",
      "/api/debug",
      "/actuator"
    ]
  }
}
GraphQL Discovery
Special handling for GraphQL APIs:
- Automatic introspection query analysis
- Schema extraction and documentation
- Query and mutation enumeration
- Type analysis for injection points