We have to method to discover API :

• Active Recon
• Passive Recon

1-Passive Recon

Process to collect data without direct interact with device’s target

Why need to it :

• discover API Endpoints : as that will become target to attack
• version Information : to know past vulnerablitites
• credential information : to test authentacation bypass
• API’s business purpose : to understand business logic
• API documentation : to know how use API

Process to do Passive Recon :

• use cast a wide net ( Search engine )
  • google dorking , shodan
• search in github for sentitive data such as ( API keys , credentials )

2-Active Recon :

Active recon involves direct interaction with the target enviroment to gather information

include :

• Port scanning
• sneding http requets
• analysis api response

Steps:

• Opportunistic exploitation
• Detection scanning ( nmap , burpsuite)
• Hands-on Analysis (understand how target work and roles)
• Targeted Scanning (find hidden files and directories by use Gobuster)