Strategies for discovering undocumented API



  • Inspired by this question: How to approach API testing.

    The first point of a checklist in the above question is "API Endpoints".

    But what do you do when you don't have the endpoints documented, because either the developers don't have the time to do it, or it is a legacy project with nonexistent documentation, or the like?

    Do you need to guess the endpoints or examine the network traffic to discover them, or is there another way?



  • If you have no endpoint documentation then things are really bad. I would use the following approach:

    • examine known clients which use the API
    • extract all possible invocations which the client can do
    • guess what the client is missing but might be supported by the server; for example, if you have order/create then there is a chance the server has order/update as well
    • guess what the meaning of the data sent to the API could be
    • guess the data types and ranges which are implied
    • prepare the tests based on these guesses

    Or if you have the server code:

    • examine the server code to extract the API

    Or if you have the server binary:

    • decompile the binary
    • extract the API from the decompiled code
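An added example (not part of the answer above) of the first two steps of this approach: turning a capture of a known client's traffic into an endpoint inventory, collapsing variable path segments into templates and recording the observed types and ranges of each parameter so the test plan can start from what the client actually does. The capture, hostname and field names are constructed for illustration.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample capture (a HAR-like subset); not real traffic.
CAPTURE = [
    {"method": "POST", "url": "https://api.example.test/order/create", "body": '{"qty": 2, "sku": "A-100"}'},
    {"method": "GET", "url": "https://api.example.test/order/1042?expand=items", "body": None},
    {"method": "GET", "url": "https://api.example.test/order/1057", "body": None},
    {"method": "POST", "url": "https://api.example.test/order/create", "body": '{"qty": 15, "sku": "B-7"}'},
    {"method": "GET", "url": "https://api.example.test/user/9f1e2d3c-0000-4000-8000-000000000001", "body": None},
]

_NUMERIC = re.compile(r"^\d+$")
_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

def template_path(path):
    """Collapse variable-looking segments so /order/1042 and /order/1057 map to one endpoint."""
    parts = []
    for seg in path.strip("/").split("/"):
        if _NUMERIC.match(seg):
            parts.append("{int}")
        elif _UUID.match(seg):
            parts.append("{uuid}")
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def _record(params, name, value):
    """Accumulate the observed type and, for numbers, the observed min/max of one parameter."""
    entry = params[name]
    entry["types"].add(type(value).__name__)
    if isinstance(value, (int, float)):
        entry["min"] = value if entry["min"] is None else min(entry["min"], value)
        entry["max"] = value if entry["max"] is None else max(entry["max"], value)

def build_inventory(capture):
    """Return {(METHOD, path_template): {param: {types, min, max}}} from captured requests."""
    inv = defaultdict(lambda: defaultdict(lambda: {"types": set(), "min": None, "max": None}))
    for req in capture:
        u = urlsplit(req["url"])
        params = inv[(req["method"].upper(), template_path(u.path))]
        for name, values in parse_qs(u.query).items():   # query-string parameters
            for v in values:
                _record(params, name, v)
        if req.get("body"):                               # JSON body fields
            for name, v in json.loads(req["body"]).items():
                _record(params, name, v)
    return {k: dict(v) for k, v in inv.items()}
```

The resulting templates (`/order/{int}`, `/user/{uuid}`) and the observed ranges (`qty` seen between 2 and 15) are the starting point for the type and boundary tests the answer suggests preparing.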

