API Endpoint Enumeration

Manual Crawling

  • Use browser developer tools (F12) to inspect network traffic while interacting with the web app.

  • Look for XHR requests in the "Network" tab to identify API calls.

Extract endpoints from JavaScript files:
curl https://target.com/script.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*"
Use tools like LinkFinder to find hidden endpoints
python3 linkfinder.py -i https://target.com/script.js -o cli
Searches recursively through downloaded JavaScript files
grep -rE "api/v[0-9]|endpoint|fetch(" /path/to/js/files
Check JavaScript Chunks
  • Client-side only You'll only see endpoints the frontend knows about

  • Not comprehensive Server-only routes won't appear

  • Dynamic imports: Some endpoints loaded conditionally

  • Minified code Often obfuscated, but patterns still visible

You can typically found then on the Sources tab from WebDev Browser

Next.js
_next/static/chunks/
React
static/js/
Vue.js
js/chunk-vendors
Angular
main.js, polyfills.js

Search for this terms

Domain names - External APIs, microservices, staging environments, CDN endpoints

Direct API endpoint paths, REST routes, internal APIs
api
Configuration objects, endpoint mappings, API documentation strings
endpoint
GraphQL endpoints, query definitions, schema references
graphql
Native browser API calls, modern async requests
fetch(
Popular HTTP client library, often reveals base URLs and interceptors
axios
API keys, JWT tokens, authentication headers
tokens
Authorization headers, OAuth implementations
Bearer
Callback URLs, third-party integrations
webhook
WebSocket connections, real-time APIs
socket
Cross-origin settings, allowed domains
cors
Proxy configurations, internal routing
proxy

Last updated