Introduction

What?

Locate the APIs and validate whether they are operational, find credential information (keys, secrets, usernames, passwords), version information, API documentation, and information about the API’s purpose.

Why?

The more information gathered about a target, the better the odds of discovering and exploiting API-related vulnerabilities.

How?

• Collect data

• Understand application functionality

• Analyse traffic

• Document key parameters

• Check for exposed secrets