Hidden APIs - How Websites Accidentally Give You Everything ๐ŸŽ

:globe_with_meridians: Finding Hidden APIs Step by Step for Beginners :ladder:

(AKA: How to Find Hidden APIs and Unlock Whatโ€™s Not on the Menu :pizza:)

:world_map: One-Line Flow: Press F12 โ†’ Watch websites talk to their kitchen โ†’ Find the secret menu items โ†’ Go deeper with forgotten files, time travel tricks, and phone app snooping.


What Even Is an API?

Think of it like this:
When you use Instagram, you see pretty pictures and buttons. But behind that, Instagram is just sending data back and forth โ€” like a waiter taking orders to the kitchen.

The API is the waiter.

And sometimesโ€ฆ the waiter will give you stuff thatโ€™s not on the menu. :smirking_face:

๐Ÿ• Wait, Explain It Like I'm 5 (The Pizza Shop Thing)

Imagine a pizza shop:

  • The menu = what they WANT you to see
  • The kitchen = where the real stuff happens
  • The API = the back door where employees go in and out

Most people order from the menu. But if you know about the back door, you can sometimesโ€ฆ see what else is cooking.

Thatโ€™s what โ€œfinding hidden APIsโ€ means. Youโ€™re not breaking in. Youโ€™re just using the employee entrance.


๐Ÿ”ฐ Level 1: The 'I Have Zero Skills But I Want In' Starter Method โ€” Literally Just Press F12

Step 1: Open any website
Step 2: Right-click โ†’ โ€œInspectโ€ (or press F12)
Step 3: Click the โ€œNetworkโ€ tab at the top
Step 4: Click around the website
Step 5: Watch the magic :sparkles:

Youโ€™ll see a bunch of stuff appearing. Look for things that say โ€œXHRโ€ or โ€œFetchโ€ โ€” those are the website talking to its kitchen.

๐ŸŽฌ Okay But What Am I Actually Looking At? (Don't Panic, It's Easy)

When you filter by XHR/Fetch, youโ€™ll see requests like:

api/users/profile
api/posts/feed
graphql

Click on any of these. Look at the โ€œResponseโ€ tab.

Thatโ€™s the raw data. No pretty interface. Justโ€ฆ everything.

Sometimes youโ€™ll find data they didnโ€™t mean to show you. Old features. Hidden info. The good stuff.

This GitHub repo is literally a free course on finding hidden APIs. Not tools. Not a list. An actual methodology for discovering what websites are hiding.


๐Ÿ”ฎ Level 2: GraphQL โ€” That Weird Thing That Gives You EVERYTHING If You Ask Nicely

Your Network tab shows XHR/Fetch. But in 2025, the real treasure is GraphQL.

Look for requests going to /graphql endpoints. If you find one, try this in your browser console or Postman:

{__schema{queryType{fields{name}}}}

If it works? You just downloaded the entire API blueprint โ€” every query, every mutation, every field. Itโ€™s like the restaurant handing you the recipe book.

๐Ÿ•ต๏ธ They Blocked It? Lol No They Didn't โ€” Here's How They Messed Up

Companies think theyโ€™re smart by blocking introspection. But they mess it up constantly.

Try these bypasses:

  • Add a newline: {__schema\n{queryType{name}}}
  • Use GET instead of POST
  • URL-encode the query
  • Add spaces: { __schema { queryType { name } } }

When itโ€™s actually locked down:
Use Clairvoyance โ€” it rebuilds schemas by exploiting error messages. When you type a wrong field, Apollo says stuff like Did you mean 'userPassword'?

Yeah. It literally tells you what fields exist. Thanks, Apollo.


๐Ÿ—บ๏ธ Level 3: Source Maps โ€” Devs Accidentally Left The Answer Key In The Exam Room

This is criminally underrated.

When devs build websites, they compress JavaScript into unreadable garbage. But sometimes they leave behind .map files โ€” which reverse the compression.

Check if they exist:

main.js โ†’ main.js.map
bundle.js โ†’ bundle.js.map

Just add .map to any JS file URL and see what happens.

๐Ÿ’€ Holy Crap What Can I Actually Find In These Things?

If exposed, you get:

  • Original, un-minified source code โ€” readable variable names, comments, everything
  • Hardcoded API keys and tokens (yes, including Stripe secrets)
  • Hidden admin endpoints the UI doesnโ€™t show
  • Internal routes devs thought were private

Google dork to find exposed maps:

ext:map intext:webpack intext:react -site:github.com

Tools:

  • sourcemapper โ€” extracts full source trees
  • source-map-explorer (npm) โ€” visualizes whatโ€™s inside

Real case: Security researchers found hardcoded Stripe API secret keys through source maps. Enabled unauthorized payments. Oops.


โฐ Level 4: Time Travel Recon โ€” Old APIs Never Really Die, They Just Hide

APIs that existed years ago might still work. Companies update their docs but forget to actually kill the old endpoints.

The Wayback Machine remembers everything.

๐Ÿ› ๏ธ Tools That Do The Time Traveling For You (Just Copy-Paste)

gau โ€” pulls URLs from Wayback Machine, Common Crawl, AlienVault

echo "target.com" | gau | grep -E "api|v1|v2|graphql" | sort -u

waybackurls โ€” raw Wayback scraping

echo "target.com" | waybackurls

waymore โ€” Wayback + CommonCrawl + URLScan + VirusTotal combined

What youโ€™re looking for:
Found /api/v1/admin/debug that was removed from docs in 2021 but still responds with 200 in 2025? Thatโ€™s your entry point.


๐Ÿ“„ Level 5: Swagger Files โ€” When Companies Upload Their Own Cheat Codes By Accident

Companies accidentally ship their full API documentation publicly. Itโ€™s literally a map of every endpoint.

Common locations to check:

/swagger.json
/openapi.json
/swagger/v1/swagger.json
/api-docs
/api/v1/docs
/swagger-ui.html
/.well-known/openapi.json

Justโ€ฆ try them. Youโ€™d be surprised.

๐Ÿ”จ Tools That Hunt Swagger Files While You Grab Coffee

Autoswagger โ€” auto-discovers and tests OpenAPI endpoints

APIFuzzer โ€” once you have the spec, fuzz every endpoint

Kiterunner โ€” bruteforces API routes using smart wordlists

kr scan https://target.com/api -w routes-large.kite

๐Ÿ“œ Level 6: JavaScript Mining โ€” The Code Already Contains Every Secret, You Just Gotta Ctrl+F

The Network tab shows active calls. But the JavaScript files contain all possible endpoints โ€” including ones the UI never uses.

๐Ÿ” What To Search For + Tools That Do It Automatically

What to search for in JS files:

/api/
/v1/
/internal/
/admin/
/debug/
"Authorization"
"Bearer"
"apiKey"

Tools that do this automatically:

  • LinkFinder โ€” extracts endpoints from JS
  • JSFScan โ€” full JS recon suite
  • Katana with -jc flag (JavaScript crawl)
katana -u "https://target.com" -jc -o js_endpoints.txt

๐Ÿ“ฑ Level 7: Mobile Apps โ€” Web Got Smarter, But Phone Apps Are Still Snitching Hard

Web apps have gotten better at hiding stuff. Mobile apps? Still a disaster.

๐Ÿ“ฒ The Step-By-Step 'Intercept Everything Your Phone Says' Method

The basic flow:

  1. Get the APK (Android) or IPA (iOS)
  2. Set up mitmproxy to intercept traffic
  3. Use Frida to bypass certificate pinning
  4. Watch every API call the app makes

Certificate pinning bypass scripts:
httptoolkit/frida-interception-and-unpinning

Static analysis (no interception needed):
Decompile the APK with jadx or apktool, then grep:

grep -ri "api" ./
grep -ri "endpoint" ./
grep -ri "secret" ./

Flutter apps are especially leaky โ€” most devs forget to disable debug mode.


๐Ÿ”Œ Level 8: WebSockets โ€” Everyone Forgets These Exist And That's Why They're Gold

Everyone filters by XHR/Fetch. Real-time apps use WebSockets (ws:// or wss://).

In DevTools โ†’ Network โ†’ Filter by โ€œWSโ€

WebSocket APIs often:

  • Skip authentication entirely
  • Use sequential/guessable IDs
  • Leak real-time data (chat messages, trades, internal comms)

โš ๏ธ Why Every Tutorial From 2023 Is Now Wrong โ€” What Changed
What Changed What It Means For You
GraphQL introspection now disabled by default Use Clairvoyance + field suggestions instead
Bot protection (Cloudflare, Akamai) fingerprints API clients Simple curl gets blocked โ€” need proper headers
~33% of APIs are โ€œshadow APIsโ€ Best targets โ€” they exist but arenโ€™t monitored
Certificate pinning is standard on mobile Need Frida/Objection to bypass
AI bot detection is everywhere Behavioral patterns matter, not just headers

๐Ÿงช The Full Workflow โ€” Just Copy This Entire Thing And Run It
# 1. Passive URL discovery
echo "target.com" | gau | tee urls.txt
echo "target.com" | waybackurls >> urls.txt
cat urls.txt | grep -E "api|v1|v2|graphql|swagger" | sort -u > api_endpoints.txt

# 2. Find JS files
katana -u "https://target.com" -jc -o katana_out.txt
cat katana_out.txt | grep "\.js$" | sort -u > js_files.txt

# 3. Check for source maps
cat js_files.txt | while read url; do curl -s "$url.map" | head -c 100; done

# 4. Test GraphQL introspection
curl -X POST "https://target.com/graphql" \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{queryType{fields{name}}}}"}'

# 5. Hunt for Swagger files
ffuf -w /path/to/swagger-wordlist.txt -u "https://target.com/FUZZ" -mc 200

๐Ÿ“š The Only Resources You Actually Need (Bookmark These)

Normal people see the website.

1Hackers see everything the website is hiding. :magnifying_glass_tilted_left:

18 Likes