This chapter covers API endpoint enumeration, a critical skill for penetration testers when assessing web applications and microservices. On the PT0-002 exam, questions related to API testing appear in roughly 10-15% of the Reconnaissance and Enumeration domain (Objective 2.2). You will learn how to discover hidden or undocumented API endpoints, identify authentication weaknesses, and extract sensitive information from API responses. Mastery of these techniques is essential for passing the exam and performing real-world assessments.
Jump to a section
Imagine a hotel with multiple floors, each floor having different access levels. The front desk (API gateway) issues keycards (API keys) to guests. A guest wants to explore the hotel's amenities (endpoints). They start by scanning the keycard at the main entrance (base URL) and then try every door on the first floor (common endpoints like /users, /admin). Some doors open, revealing rooms (responses with data). If a door is locked, the card is rejected (401/403). The guest also checks for unsecured doors (no authentication required) and tries to use another guest's keycard (token reuse). They map out the entire floor plan by reading the directory signs (API documentation if available) and noting which doors lead to staircases (endpoints that chain to other resources). This systematic probing reveals the hotel's layout without needing a master key.
What is API Endpoint Enumeration?
API endpoint enumeration is the process of systematically discovering and cataloging the available endpoints (URLs) of an API. This includes both documented and undocumented endpoints, as well as understanding the methods (GET, POST, PUT, DELETE) and parameters each endpoint accepts. For a penetration tester, this is a foundational step to identify attack surface, misconfigurations, and vulnerabilities such as broken access control, excessive data exposure, or injection flaws.
Why API Endpoint Enumeration Exists
Modern applications rely heavily on APIs, often exposing dozens or hundreds of endpoints. Developers may leave debug endpoints, deprecated versions, or hidden administrative functions accessible. Attackers can exploit these to gain unauthorized access or leak sensitive data. Enumeration helps testers map the entire API surface, including endpoints not intended for public consumption.
How It Works Internally
The process typically involves several techniques:
Manual Exploration: Interacting with the application's frontend to observe API calls via browser developer tools (Network tab). This reveals endpoints used by the client.
Documentation Review: Checking for Swagger/OpenAPI docs at common paths like /swagger.json, /api/docs, or /v1/api-docs.
Brute-Forcing: Using wordlists of common endpoint names (e.g., /admin, /users, /config) against the base URL.
Parameter Fuzzing: Adding common parameters (e.g., ?id=1, ?page=1) to endpoints to discover hidden functionality.
HTTP Method Testing: Trying different methods on discovered endpoints to see if they allow unintended actions (e.g., DELETE on a GET-only endpoint).
Error Message Analysis: Triggering errors (e.g., invalid input, missing parameters) to leak endpoint paths or stack traces.
Key Components, Values, and Defaults
Base URL: Typically https://api.example.com/v1/ or similar.
Common Endpoint Patterns: /api/v1/users, /api/v1/admin, /api/v1/config, /api/v1/health, /api/v1/docs.
HTTP Methods: GET (read), POST (create), PUT (update), DELETE (delete), PATCH (partial update), OPTIONS (discover allowed methods).
Status Codes: 200 OK (success), 201 Created (resource created), 400 Bad Request (invalid input), 401 Unauthorized (missing/invalid auth), 403 Forbidden (authenticated but not allowed), 404 Not Found (endpoint doesn't exist), 500 Internal Server Error (server error).
Authentication: API keys (in headers, query params, or cookies), Bearer tokens (JWT), Basic Auth, OAuth2.
Rate Limiting: Many APIs limit requests per IP or per token (e.g., 100 requests per minute). Exceeding may return 429 Too Many Requests.
Common Tools: curl, Postman, Burp Suite, OWASP ZAP, custom scripts.
Configuration and Verification Commands
Using curl to enumerate endpoints:
curl -X GET https://api.example.com/v1/users -H "Authorization: Bearer token123"To test different methods:
curl -X OPTIONS https://api.example.com/v1/users -vTo brute-force endpoints with a wordlist:
for endpoint in $(cat endpoints.txt); do
code=$(curl -s -o /dev/null -w "%{http_code}" https://api.example.com/v1/$endpoint)
echo "$endpoint -> $code"
doneTo fuzz parameters:
curl -X GET "https://api.example.com/v1/users?id=1"
curl -X GET "https://api.example.com/v1/users?page=1&limit=10"Interaction with Related Technologies
API endpoint enumeration often overlaps with:
Web Application Scanning: Tools like Burp Spider can crawl web apps and discover API endpoints.
Directory Enumeration: Similar to finding hidden web directories, but focused on API paths.
Token Analysis: JWT tokens may reveal endpoint paths in their payload (e.g., "/admin" claim).
GraphQL Introspection: GraphQL APIs expose a schema that can be queried for all types and fields, effectively listing all possible queries and mutations.
Deep Dive into Techniques
1. Documentation Discovery
Many APIs provide OpenAPI/Swagger documentation. Common paths include: - /swagger.json - /swagger/v1/swagger.json - /api/docs - /v1/api-docs - /openapi.json
If found, the documentation lists all endpoints, parameters, and authentication requirements. This is the most efficient enumeration method.
2. Web Crawling and Spidering
Use tools like Burp Suite's Spider or ZAP's AJAX Spider to crawl the application. JavaScript files often contain API endpoint URLs. For example, in a React app, API calls may be in minified JS files. Look for strings like "api/", "/v1/", or "endpoint".
3. Brute-Forcing with Wordlists
Use wordlists tailored for APIs, such as SecLists's /Discovery/Web-Content/api-endpoints.txt. Example command:
ffuf -u https://api.example.com/v1/FUZZ -w api-endpoints.txt -mc 200,201,403Filter for status codes that indicate existence (200, 201, 403) versus non-existence (404).
4. HTTP Method Testing
For each discovered endpoint, test all methods:
curl -X GET https://api.example.com/v1/users
curl -X POST https://api.example.com/v1/users
curl -X PUT https://api.example.com/v1/users/1
curl -X DELETE https://api.example.com/v1/users/1
curl -X PATCH https://api.example.com/v1/users/1Observe responses: A 405 Method Not Allowed indicates the method is recognized but not allowed; a 200 or 201 indicates it's functional.
5. Parameter Fuzzing
Add common parameters to endpoints to discover hidden functionality. For example:
curl -X GET "https://api.example.com/v1/users?admin=true"
curl -X GET "https://api.example.com/v1/users?debug=1"
curl -X GET "https://api.example.com/v1/users?format=json"6. Error-Based Enumeration
Send requests with invalid input to trigger error messages that reveal endpoint paths. For example:
curl -X POST https://api.example.com/v1/users -d "invalid"If the server returns a stack trace, it may show internal paths like "/var/www/api/v1/controllers/userController.php".
7. GraphQL Introspection
If the API uses GraphQL, query the introspection system:
query {
__schema {
types {
name
fields {
name
type {
name
}
}
}
}
}This returns all types and fields, effectively listing all possible queries and mutations.
Common Pitfalls and Exam Traps
Assuming all endpoints are documented: Often, undocumented endpoints exist (e.g., /debug, /test).
Ignoring HTTP methods: An endpoint may respond to GET with 200 but also allow PUT with privilege escalation.
Overlooking rate limiting: Too many requests may get you blocked; use delays or rotate IPs.
Misinterpreting status codes: A 403 Forbidden means the endpoint exists but access is denied; a 404 means it doesn't exist. However, some APIs return 404 for everything to hide existence.
Summary
API endpoint enumeration is a systematic process combining documentation review, crawling, brute-forcing, and parameter fuzzing. It reveals the full attack surface of an API, enabling testers to find vulnerabilities like broken access control, information disclosure, and injection flaws. On the PT0-002 exam, expect scenario-based questions where you must choose the correct enumeration technique or interpret API responses.
Identify Base URL and Authentication
Begin by determining the API's base URL, typically found in the application's source code, network traffic, or documentation. Common patterns include https://api.example.com/v1 or https://example.com/api. Also note the authentication mechanism: API key in header, Bearer token, or no auth. This step is crucial because subsequent enumeration requests must include valid authentication to avoid being blocked or receiving misleading responses. Use browser developer tools to capture API calls made by the frontend. For example, logging into a web app might reveal a POST to /api/login. Record the base URL and auth header format.
Check for API Documentation
Attempt to retrieve the API documentation from standard paths: /swagger.json, /api/docs, /v1/api-docs, /openapi.json. If successful, the documentation will list all endpoints, methods, parameters, and authentication requirements. This is the most efficient way to map the API. Use curl or a browser to request these paths. For example: curl https://api.example.com/swagger.json. If the response contains JSON with paths and definitions, you have the full API map. If not, move to the next step.
Crawl the Web Application
Use a web crawler (e.g., Burp Suite Spider, OWASP ZAP) to automatically discover links and forms in the web application. The crawler will follow all links and may find API endpoints embedded in JavaScript files, HTML comments, or AJAX calls. Pay special attention to JavaScript files: they often contain hardcoded API URLs. For example, a React app's bundle.js might have strings like /api/v1/users. Use the 'Search' function in Burp to search for 'api', '/v1', or 'endpoint'. This step reveals endpoints that are not directly linked but are used by the client-side code.
Brute-Force Common Endpoints
Use a wordlist of common API endpoint names (e.g., admin, users, config, health, debug, test) and brute-force them against the base URL. Tools like ffuf, dirb, or gobuster can be used. Filter results by HTTP status codes: 200, 201, 403 indicate existence; 404 indicates non-existence. For example: ffuf -u https://api.example.com/v1/FUZZ -w /usr/share/wordlists/api-endpoints.txt -mc 200,201,403. Be mindful of rate limiting; add delays or use random user agents. This step uncovers hidden endpoints that are not referenced in the frontend.
Test HTTP Methods on Discovered Endpoints
For each discovered endpoint, test all HTTP methods (GET, POST, PUT, DELETE, PATCH, OPTIONS) to see which are allowed. Use curl with the -X option. For example: curl -X OPTIONS https://api.example.com/v1/users -v. The OPTIONS response may include an Allow header listing permitted methods. Alternatively, send a DELETE request and observe if it returns 405 (method not allowed) or 200 (deleted). This step identifies endpoints that may allow unintended actions, such as deleting resources via DELETE when only GET was expected.
Fuzz Parameters and Analyze Errors
Add common parameters to endpoints to discover hidden functionality or trigger errors that leak information. For example, add ?admin=true, ?debug=1, ?format=json, or ?id=1. Also send invalid data (e.g., non-numeric ID, missing required fields) to generate error messages. Error messages may reveal internal paths, database queries, or stack traces. For example: curl -X POST https://api.example.com/v1/users -d '{"name":""}'. If the response includes 'SQL error' or '/var/www/...', you've gained valuable information. This step often uncovers injection points or debug endpoints.
Enterprise Scenario 1: E-Commerce Platform
A large e-commerce company uses a RESTful API for its mobile app and web store. The API has endpoints for products, users, orders, and payments. During a penetration test, the tester discovers that the API documentation is exposed at /swagger.json without authentication. This reveals endpoints like /api/v1/admin/users and /api/v1/admin/orders. By brute-forcing, the tester finds that /api/v1/admin/users returns a list of all users (including PII) when accessed with a regular user token, indicating a broken access control vulnerability. The misconfiguration allowed any authenticated user to access admin endpoints. The fix required implementing role-based access control (RBAC) on the server side.
Enterprise Scenario 2: Financial Services API
A bank provides an API for third-party developers to integrate payment services. The API uses OAuth2 with scopes. The tester enumerates endpoints by reviewing the developer portal's JavaScript and discovers a hidden endpoint /api/v1/internal/transactions that is not documented. This endpoint returns transaction data without requiring the proper scope. The bank had intended this endpoint for internal use only but forgot to restrict access. The vulnerability could have allowed attackers to view other customers' transactions. The remediation involved removing the endpoint or adding proper scope validation.
Enterprise Scenario 3: Cloud-Based SaaS Application
A SaaS company offers a GraphQL API. The tester uses introspection to query the schema and discovers a mutation called 'deleteUser' that is not exposed in the frontend. By sending a mutation with a user ID, the tester can delete any user account. The introspection endpoint was not disabled in production. The company disabled introspection in production and implemented query depth limiting. This scenario highlights the importance of disabling introspection in production environments and using allowlists for mutations.
PT0-002 Exam Focus on API Endpoint Enumeration
The PT0-002 exam tests API endpoint enumeration under Objective 2.2: "Given a scenario, analyze the output from a reconnaissance tool." Expect questions that present a scenario (e.g., a web application with an API) and ask you to identify the next step or interpret tool output. Key areas include:
- Objective 2.2: Understand how to discover hidden endpoints, interpret status codes, and use tools like curl, Burp Suite, and ffuf. - Common Wrong Answers: 1. "Run a vulnerability scanner immediately": Candidates often choose this, but enumeration comes first to understand the attack surface. 2. "Check for SQL injection": While important, enumeration of endpoints should precede exploitation. 3. "Use a directory brute-forcer with a generic wordlist": This is correct but incomplete; the exam wants specific API-focused wordlists and techniques. 4. "Ignore 403 responses": Candidates may think 403 means endpoint doesn't exist, but it actually indicates existence with denied access.
Specific Numbers and Values:
Common API documentation paths: /swagger.json, /api/docs, /v1/api-docs.
Status codes: 200 (exists), 403 (exists but forbidden), 404 (doesn't exist), 405 (method not allowed).
Tools: ffuf, Burp Suite, curl.
Wordlists: SecLists API endpoints, common parameters (id, page, limit, admin, debug).
Edge Cases:
APIs that return 404 for all endpoints to hide existence (use timing analysis or error messages).
GraphQL introspection must be explicitly disabled; if not, it reveals the entire schema.
Some APIs use non-standard status codes (e.g., 422 for validation errors) that can leak information.
Eliminating Wrong Answers:
If a question asks for the first step in assessing an API, the answer should involve discovery (documentation, crawling, or brute-forcing), not exploitation.
If a tool output shows many 403 responses, the correct interpretation is that those endpoints exist but require higher privileges.
If a response contains a stack trace, the correct action is to analyze it for internal paths, not to ignore it.
By focusing on these exam-specific aspects, you can confidently answer questions about API endpoint enumeration.
API endpoint enumeration is the process of discovering all available endpoints, methods, and parameters of an API.
Start by checking for API documentation at common paths like /swagger.json or /api/docs.
Use web crawling to find API endpoints embedded in JavaScript files and AJAX calls.
Brute-force endpoints using wordlists tailored for APIs (e.g., SecLists api-endpoints.txt).
Test all HTTP methods on discovered endpoints to find unintended functionality (e.g., DELETE on a read-only endpoint).
Fuzz parameters and send invalid input to trigger error messages that may leak internal paths or debug information.
For GraphQL APIs, query the introspection system to get the full schema if not disabled.
A 403 Forbidden response indicates the endpoint exists but access is denied; a 404 means it doesn't exist.
Rate limiting can be bypassed with IP rotation and delays.
Always analyze error messages and stack traces for sensitive information disclosure.
These come up on the exam all the time. Here's how to tell them apart.
REST API Enumeration
Endpoints are fixed URLs (e.g., /users, /users/1)
Discovery relies on brute-forcing paths and reading documentation
Each endpoint returns a fixed structure (e.g., JSON with specific fields)
Over-fetching or under-fetching data is common (fixed responses)
Common tools: curl, ffuf, Burp Suite
GraphQL API Enumeration
Single endpoint (e.g., /graphql) with flexible queries
Discovery relies on introspection queries to get the schema
Responses are tailored to the query; you can request exactly the fields you want
Introspection reveals all types, fields, and mutations
Common tools: GraphQL Playground, InQL, custom scripts
Mistake
All API endpoints are documented and accessible via the frontend.
Correct
Many APIs have undocumented endpoints for debugging, testing, or internal use. Developers often forget to remove or secure these endpoints, making them valuable targets. Enumeration techniques like brute-forcing and crawling are necessary to find them.
Mistake
A 403 Forbidden response means the endpoint does not exist.
Correct
A 403 Forbidden indicates the endpoint exists but the request lacks proper authorization. This is different from 404 Not Found, which means the endpoint does not exist. Attackers should note 403 responses as potential targets for privilege escalation.
Mistake
GraphQL APIs are secure by default because they require queries.
Correct
GraphQL introspection is often enabled by default, allowing anyone to query the schema and discover all types, fields, and mutations. This is a major information disclosure risk. The exam expects you to know that introspection should be disabled in production.
Mistake
API keys alone provide sufficient security for endpoints.
Correct
API keys are often static and can be leaked in client-side code, logs, or network traffic. They do not provide fine-grained access control. Combined with endpoint enumeration, an attacker can use a leaked key to access all endpoints the key permits, potentially including admin functions.
Mistake
Rate limiting prevents enumeration attacks.
Correct
Rate limiting can slow down enumeration but does not prevent it. Attackers can rotate IP addresses, use distributed wordlists, or add delays to avoid triggering limits. Moreover, many APIs do not implement rate limiting on all endpoints.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The first step is to identify the base URL and authentication mechanism. This is typically done by intercepting traffic from the web application (using browser dev tools or a proxy like Burp Suite). Then, check for API documentation at common paths (e.g., /swagger.json) because if documentation exists, it provides a complete map of endpoints. On the exam, this is often the correct answer when asked about initial reconnaissance.
Undocumented endpoints can be discovered through brute-forcing with wordlists of common endpoint names (e.g., admin, debug, test, config). Tools like ffuf or gobuster are effective. Also, crawl the web application and inspect JavaScript files for hardcoded API URLs. Additionally, analyze error messages by sending invalid requests; errors may reveal hidden paths. On the exam, expect questions that ask which technique to use for finding hidden endpoints.
A 403 Forbidden status code indicates that the endpoint exists but the request does not have sufficient permissions to access it. This is different from 404 (Not Found), which means the endpoint does not exist. Attackers should note 403 responses as they represent potential targets for privilege escalation or access control bypass. On the exam, a common trick is to present a 403 response and ask if the endpoint exists; the correct answer is yes.
GraphQL APIs typically have a single endpoint (e.g., /graphql). The primary enumeration technique is to send an introspection query to retrieve the schema, which lists all types, fields, queries, and mutations. Example query: query { __schema { types { name fields { name } } } }. If introspection is disabled, you can use field suggestion (by typing partial field names) or brute-force common queries. On the exam, remember that introspection is often enabled by default and should be disabled in production.
Common tools include curl (for manual requests), Burp Suite (for intercepting and crawling), OWASP ZAP (for automated scanning), ffuf (for brute-forcing), gobuster, and Postman (for manual testing). For GraphQL, tools like GraphQL Playground, InQL (Burp extension), and custom Python scripts are used. On the PT0-002 exam, you may be asked to interpret output from these tools, so familiarize yourself with their typical output formats.
Rate limiting can be bypassed by rotating IP addresses (using proxies or VPNs), adding delays between requests (e.g., sleep 1 second), using distributed wordlists, or making requests from multiple sessions. Some APIs limit by API key, so using multiple keys can help. On the exam, if a scenario mentions rate limiting, the correct answer often involves using delays or rotating IPs.
REST APIs have multiple fixed endpoints (e.g., /users, /users/1), each returning a predefined structure. Enumeration involves discovering these endpoints via brute-forcing or crawling. GraphQL APIs have a single endpoint, and enumeration focuses on retrieving the schema via introspection, which reveals all possible queries and mutations. GraphQL also allows requesting only needed fields (no over-fetching). On the exam, you may need to choose the appropriate technique based on the API type.
You've just covered API Endpoint Enumeration — now see how well it sticks with free PT0-002 practice questions. Full explanations included, no account needed.
Done with this chapter?