
Subdomain and API discovery

Overview

This workflow automates API endpoint discovery across an organization's external attack surface by chaining passive subdomain enumeration with active web crawling and directory fuzzing. For every endpoint it records the HTTP response code, content type and body size, and renders the consolidated result as a report that can drive an API security assessment. The crawling and fuzzing stages are active and generate a large volume of requests, so the input scope must be limited to assets the operator is authorized to test.

How It Works

  1. Domain Input Processing: Receives the target domain and URL lists that define the scope of the discovery run.
  2. Passive Subdomain Enumeration: Executes subfinder to gather subdomains from passive sources such as certificate transparency logs and DNS datasets, without sending traffic to the target.
  3. DNS Intelligence Gathering: Queries dnsdumpster to collect additional subdomains and DNS records from public DNS data.
  4. HTTP Service Probing: Runs httpx against all discovered subdomains to identify live web services, detect HTTP and HTTPS endpoints, and record initial service characteristics (status code, content type, content length).
  5. API Endpoint Crawling: Deploys ZAP's spider against the live web services to discover API endpoints by following links and requests through the application.
  6. Directory and Endpoint Fuzzing: Executes feroxbuster with API-focused wordlists to brute-force hidden endpoints, undocumented APIs and directory structures that crawling did not reach. This is the noisiest stage: expect rate limiting and WAF blocking, and tune the request rate for the target.
  7. Endpoint Metadata Collection: Processes all discovered endpoints through a scripting agent to extract metadata including HTTP response codes, content-type headers, response body sizes, authentication requirements (401/403 responses) and rate-limiting behavior (429 responses).
  8. Data Normalization: Consolidates endpoint data from the discovery sources, removes duplicates (the same endpoint reported by several tools under slightly different URLs) and structures the findings into a unified dataset.
  9. Comprehensive Report Generation: Produces a report listing all discovered API endpoints organized by subdomain, HTTP method, response characteristics and potential security concerns, for use in targeted security assessments.
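The following is an added example of steps 7 to 9 and is not code from the workflow page or from the httpx or feroxbuster projects. It consumes JSON-lines output from `httpx -json` and `feroxbuster --json`, merges the two sources into one deduplicated dataset and groups the result by subdomain. The field names are my reading of those two output formats and are assumptions, and the sample records are constructed rather than captured from a target. The concern flags are simple heuristics and assume the probes ran without credentials.

```python
"""Normalize endpoint discovery output into one dataset and a per-subdomain report.

Added example, not code from the workflow page or from httpx/feroxbuster.
Assumed: `httpx -json` and `feroxbuster --json` JSON-lines field names as
used below; sample records are constructed, not captured from any target.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed httpx records (assumed field names). The second line is the
# same endpoint as the first with an upper-case host, an explicit default
# port and a trailing slash; the last line is an unreachable host.
HTTPX_JSONL = """\
{"url":"https://api.example.com/v1/users","host":"api.example.com","method":"GET","status_code":200,"content_type":"application/json","content_length":512}
{"url":"https://API.example.com:443/v1/users/","host":"API.example.com","method":"GET","status_code":200,"content_type":"application/json","content_length":512}
{"url":"https://dev.example.com","host":"dev.example.com","method":"GET","status_code":302,"content_type":"text/html","content_length":0}
{"url":"https://down.example.com","host":"down.example.com","failed":true}
"""

# Constructed feroxbuster records (assumed field names). feroxbuster writes
# statistics and error objects into the same stream as responses.
FEROX_JSONL = """\
{"type":"response","url":"https://api.example.com/v1/admin","path":"/v1/admin","method":"GET","status":401,"content_length":37,"headers":{"content-type":"application/json","www-authenticate":"Bearer"}}
{"type":"response","url":"https://api.example.com/v1/users","path":"/v1/users","method":"GET","status":200,"content_length":512,"headers":{"content-type":"application/json"}}
{"type":"response","url":"https://api.example.com/v1/export","path":"/v1/export","method":"GET","status":429,"content_length":0,"headers":{"retry-after":"60"}}
{"type":"statistics","requests":1234}
"""


def canonical_key(url: str, method: str) -> tuple[str, str, str, str]:
    """Reduce a URL to (METHOD, scheme, host[:port], path) so the same endpoint
    seen by different tools (host case, default port, trailing slash) merges.
    Path case is preserved because paths are case-sensitive on most servers."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if parts.port and parts.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    if len(path) > 1:
        path = path.rstrip("/")
    return method.upper(), scheme, host, path


def parse_httpx(jsonl: str):
    for line in filter(str.strip, jsonl.splitlines()):
        rec = json.loads(line)
        if rec.get("failed"):
            continue  # unreachable host, not an endpoint
        yield {"url": rec["url"], "method": rec.get("method", "GET"),
               "status": rec["status_code"],
               "content_type": rec.get("content_type", ""),
               "size": rec.get("content_length", 0), "source": "httpx"}


def parse_feroxbuster(jsonl: str):
    for line in filter(str.strip, jsonl.splitlines()):
        rec = json.loads(line)
        if rec.get("type") != "response":
            continue  # statistics / error objects share the stream
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        yield {"url": rec["url"], "method": rec.get("method", "GET"),
               "status": rec["status"],
               "content_type": headers.get("content-type", ""),
               "size": rec.get("content_length", 0), "source": "feroxbuster"}


def merge(records) -> dict:
    """One entry per canonical endpoint; all observed statuses and sources kept."""
    endpoints = {}
    for r in records:
        method, scheme, host, path = key = canonical_key(r["url"], r["method"])
        ep = endpoints.setdefault(key, {
            "method": method, "host": host, "path": path,
            "url": f"{scheme}://{host}{path}", "statuses": set(),
            "content_type": r["content_type"], "size": r["size"], "sources": set()})
        ep["statuses"].add(r["status"])
        ep["sources"].add(r["source"])
    return endpoints


def concerns(ep: dict) -> list[str]:
    """Heuristic flags for the report (probes are assumed to be unauthenticated)."""
    flags = []
    if ep["statuses"] & {401, 407}:
        flags.append("auth-required")
    if 403 in ep["statuses"]:
        flags.append("forbidden")
    if 429 in ep["statuses"]:
        flags.append("rate-limited")
    if 200 in ep["statuses"] and "json" in ep["content_type"]:
        flags.append("json-without-auth")
    if len(ep["statuses"]) > 1:
        flags.append("status-varies-by-source")
    return flags


def build_report(httpx_jsonl: str = HTTPX_JSONL,
                 ferox_jsonl: str = FEROX_JSONL) -> dict[str, list[dict]]:
    """Endpoints grouped by subdomain, each list sorted by path then method."""
    records = list(parse_httpx(httpx_jsonl)) + list(parse_feroxbuster(ferox_jsonl))
    report = defaultdict(list)
    for ep in merge(records).values():
        report[ep["host"]].append({
            "method": ep["method"], "path": ep["path"], "url": ep["url"],
            "status": sorted(ep["statuses"]), "content_type": ep["content_type"],
            "size": ep["size"], "sources": sorted(ep["sources"]),
            "concerns": concerns(ep)})
    for rows in report.values():
        rows.sort(key=lambda r: (r["path"], r["method"]))
    return dict(report)


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

With the constructed input, `/v1/users` collapses to a single row attributed to both tools, the unreachable host drops out, and the 401 and 429 responses surface as `auth-required` and `rate-limited`. Run it against real output by passing the contents of the two tools' JSON-lines files to `build_report`.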

Who is this for?

  • API security specialists conducting comprehensive endpoint security assessments
  • Penetration testers identifying API attack surfaces and undocumented endpoints during security engagements
  • Security consultants performing API inventory and exposure analysis for clients
  • DevSecOps teams mapping organizational API landscapes and identifying shadow APIs
  • Bug bounty hunters discovering hidden API endpoints within authorized scope boundaries

What problem does this workflow solve?

  • Replaces manual API endpoint discovery by chaining subdomain enumeration, crawling and fuzzing into a single workflow
  • Broadens attack surface visibility by combining passive reconnaissance, active crawling and directory fuzzing, each of which finds endpoints the others miss
  • Speeds up API security assessment by collecting response metadata automatically, reducing the manual work of characterizing each endpoint
  • Surfaces shadow APIs and undocumented endpoints that may sit outside existing security controls or contain vulnerabilities
  • Delivers structured endpoint data with response characteristics that let penetration testers and vulnerability researchers prioritize targets