API Endpoint Enumeration

Manual Crawling

• Use browser developer tools (F12) to inspect network traffic while interacting with the web app.

• Look for XHR requests in the "Network" tab to identify API calls.

Extract endpoints from JavaScript files:

curl https://target.com/script.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*"

Use tools like LinkFinder to find hidden endpoints

python3 linkfinder.py -i https://target.com/script.js -o cli

Searches recursively through downloaded JavaScript files

grep -rE "api/v[0-9]|endpoint|fetch(" /path/to/js/files

Check JavaScript Chunks

• Client-side only You'll only see endpoints the frontend knows about

• Not comprehensive Server-only routes won't appear

• Dynamic imports: Some endpoints loaded conditionally

• Minified code Often obfuscated, but patterns still visible

You can typically found then on the Sources tab from WebDev Browser

Next.js

_next/static/chunks/

React

static/js/

Vue.js

js/chunk-vendors

Angular

main.js, polyfills.js

Search for this terms

Domain names - External APIs, microservices, staging environments, CDN endpoints

Direct API endpoint paths, REST routes, internal APIs

api

Configuration objects, endpoint mappings, API documentation strings

endpoint

GraphQL endpoints, query definitions, schema references

graphql

Native browser API calls, modern async requests

fetch(

Popular HTTP client library, often reveals base URLs and interceptors

axios

API keys, JWT tokens, authentication headers

tokens

Authorization headers, OAuth implementations

Bearer

Callback URLs, third-party integrations

webhook

WebSocket connections, real-time APIs

socket

Cross-origin settings, allowed domains

cors

Proxy configurations, internal routing

proxy