Discovering APIs (Deep-Dive Notes)

📌 Overview

Discovering APIs is the real start of API hacking. Before testing auth, logic, or injections, you need to uncover:

• Hidden endpoints
• Undocumented routes
• Developer-only features
• Secret subdomains
• Third-party integrations
• Deprecated versions (v1, v2, internal APIs)

This chapter builds your attack surface map, acting as the foundation for all future testing.

These notes cover:

• The “Attacking APIs” intro (book p.147–149)
• Full “Discovering APIs” chapter (book p.149–180)
• Modern community workflows (2024–2025)
• Real-world tools, commands, and labs
• Resource images you can embed in Notion

🏛️ 1. Why API Discovery Matters

APIs are where the modern internet really lives.

Most companies shift logic to backend APIs while giving the frontend minimal roles.