Skip to content

Importance of API Discovery in Attack Surface Management

Importance of API Discovery in Attack Surface Management
API discovery plays an important role while mapping the attack surface for a company during a  security assessment or any kind of engagement. The discovery allows an organization to map its all API’s and can check which person has what permissions on the API.

The Importance of API Discovery

API discovery is important because it helps developers to quickly find their APIs, especially those best suited for use in their apps or websites. It also helps them to mitigate risks by uncovering hidden vulnerabilities, like shadow APIs that are utilizing sensitive data like credit card info, social security numbers, and other personally identifiable information (PII). The importance of API discovery is rapidly increasing as more companies are using APIs to build their products and services.

Discovering API’s

Postman Public API Network

Just like github repositories postman has it own public API network, Every company who choose to make it’s API workflow public will be available to any user on postman which lead to company’s new api discovery, API keys, PII data being disclosed in post requests and the structure of the API.

Install postman from or you can simply use the browser based web version.

Reference tool for integration :

The home page of postman will look like the below screenshot.

To search for a company’s api search for the domain name for example

As a result we can see multiple numbers of results that contain workspace + Collections + Requests + APIs, Flows and Teams. 

Further if looking closely at a request, the API’s get/post requests containing the body, parameters, authorizations and more information can be seen. 

The body can contain sensitive information like API keys and PII data.

That’s how it is possible with the help of postman to discover and enumerate the API’s passively.
Usage Example
Postleaks -k $DOMAIN -o output.json

Discovering APIs With Google Dorking

Google dorking plays a big role in discovering new assets for an organization and it can be used to discover new APIs related to an organization. There are couple of API keywords that can be specified in the dorks for the discovery, Some of the top keywords are as follows

#Key wordGoogle Dork
1api*site:”*” “api*”
3v1site:”*” inurl:”/v1/API”
4apisite:”*” intitle:”api”
5apidocssite:”*” intext:”apidocs”

More permutation and combination can be done to get more keywords for dorking.

A example dorking on the domain site:* api

image1 3

Searching for the api keyword in the url site:* inurl:api, A good wordlist for the google dorks can be found out at

Multiple Dorks with multiple keywords can be used to discover new APIs and API endpoints.

There are some popular APIs that can be discovered by just their name for example we have to find out swagger API’s locations for a company the dork for that will be as follows

1site”*” intitle:swagger

Same like swagger multiple popular APIs can be found with google dorking.

API Subdomains Discovery With Alterx

After discovering subdomains from various sources, it is possible to use alterx to generate a list of permutation lists of subdomains that can be further filtered with the live and active subdomains.

Save the below list of keywords as api-keywords.txt

# S.NO.Keyword

Pass the list through the alterx to check how many permutations it makes 

cat fb-subs.txt| alterx -p “{{sub}}-{{word}}.{{suffix}}” -pp “word=api-keywords.txt” -es

Numbers are depending on numbers of subdomains and keywords
Further the alterx can be combined with dnsx to find the alive subdomains 
cat fb-subs.txt | alterx -p “{{sub}}-{{word}}.{{suffix}}” -pp “word=api-keywords.txt” -silent | dnsx -silent -o api-subdomains.txt

This will result in active API subdomains. 

API Discovery Via Directory Fuzzing 

APIs can be deployed not only on subdomains but also within directories on web servers. For instance, a company’s website, such as, which hosts its portfolio pages, can offer APIs through directories like /api and /v1/api. Detecting these directories containing the API can be achieved through a method known as “directory fuzzing.”

A fuzzing tool called FUFF can be used to perform the same scenario. The tool can be found at

 Here are top keywords that can be used to enumerate the API’s

# S.NO. Path
1 api
2 v1/api
3 v2/api
4 apidocs
5 api/graphql
6 apikey
7 api/proxy
8 apis
9 api/v1
10 nternal_api/1/accounts/
11 internal_api/
12 internal_api
13 api/v1/account/users
14 api/v1/account/users/password
15 api/v1/account/users/summaries
16 api/v1/asset/asset
17 api/v1/asset/assets
18 api/v1/common/accounts
19 api/v1/monitoring/accounts
20 api/3.0/artists/

Save the wordlist as a txt file and further pass it with ffuf on the target where you want to find out the API directories.

ffuf -u ‘’ -w wordlist.txt

As a positive result we got multiple directories containing the possible API paths which can further have API’s in any of those.

POC Code for API Subdomains Discovery With Alterx

import subprocess

import sys

def run_subdomain_search(subdomain_list_file, api_keywords_file):

    # Read the subdomain list from the file

    with open(subdomain_list_file, ‘r’) as subdomain_file:

        subdomains =

    # Build the command with double curly braces for placeholders

    command = f”cat {subdomain_list_file} | alterx -p ‘{{{{sub}}}}{{{{word}}}}.{{{{suffix}}}}’ -pp ‘word={api_keywords_file}’ -silent | dnsx -silent -o api-subdomains.txt”

    # Print the command before running it

    print(“Running the following command:”)


    # Execute the command and capture its output


        output = subprocess.check_output(command, shell=True, universal_newlines=True)

        print(“\nCommand output:”)


        print(“Subdomain search completed successfully.”)

    except subprocess.CalledProcessError as e:

        print(“\nAn error occurred while running the subdomain search command.”)


if __name__ == ‘__main__’:

    if len(sys.argv) != 3:

        print(“Usage: python <subdomain_list_file> <api_keywords_file>”)


        subdomain_list_file = sys.argv[1]

        api_keywords_file = sys.argv[2]

        run_subdomain_search(subdomain_list_file, api_keywords_file)

POC Code For Api Discovery Via Directory Fuzzing

Since the directory fuzzing playbook is already available on the portal, That can be used with the keywords provided in the section API discovery via directory fuzzing

Author: Prashant Saini
Assisted By: 
Sanket Kakde, Arnab Chattopadhayay

About FireCompass:

FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming  and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed out by conventional tools.

Important Resources:

Get a free demo to find out how FireCompass can help you to prioritize risks with real-time alerts for faster detection and remediation.