Strategies for discovering undocumented APIs
Inspired by this question: How to approach API testing.
The first point of a checklist in the above question is "API Endpoints".
But what do you do when you don't have the endpoints documented, because either the developers don't have the time to do it, or it is a legacy project with nonexistent documentation, or the like?
Do you need to guess the endpoints or examine the network traffic to discover them or is there another way?
inna
If you have no endpoint documentation then things are really bad. I would use the following approach:
- examine known clients which use the api
- extract all possible invocations which the client can do
- guess what the client is missing but might be supported by the server, like if you have order/create then there is a chance the server has
- guess what could be the meaning of data that is sent to the api
- guess data types and ranges which are implied
- prepare the tests based on this guess
Or if you have server code
- examine server code to extract api
Or if you have server binary
- decompile binary
- extract api from decompiled code