Passive Reconnaissance Techniques - API Pentesting


2 min read

I've been studying API penetration testing at APISec University, as I mentioned in the previous post.

I would be summarizing the information I've learned in the course and some of my general research on this topic.

Passive reconnaissance

  1. Google Dorking: Use google's advanced search filters and operators to identify APIs

    Some useful commands:

    inurl: Discover websites with a specific word in the URL.

    intitle: Search for pages with a particular term in the title.

    intext: Look for pages with a specific term (or words) present somewhere in the text.

    filetype: finds a certain filetype that is mentioned in the search.

    Example of a google dork to find potential API keys

    The comprehensive list of Google Dork commands is found here:

  2. GitHub Dorking

    GitHub can be a useful source for learning about the target API's features, documentation, and hidden information, including API keys, passwords, and tokens.

    Sample search includes:


    extension: .json

    "Exposed API keys" in Issues

  3. Shodan

    Shodan can be used to identify external-facing APIs and obtain information about your target's open ports if you only have an IP address or the name of the organization to work with. However, the free version is limited to a few search pages.

    Shodan's search query examples:

  4. TruffleHog

    As per, This (TruffleHog) package contains a utility to search through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.

    GitHub source:

    #sudo docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org="target name"

    or install and run it locally

    #trufflehog $git_url

    Other tools worth exploring:

    As of October 2022, this website has been retired, but it may still include data from older APIs.

    The Wayback Machine

    The Internet Archive, a nonprofit organization based in San Francisco, California, established The Wayback Machine as a digital archive of the World Wide Web.

    It can be used to look for archived data of the target API for possible information disclosure.