Bash › API Recon Workflows
API recon from the command line
APIs are where modern attack surface lives, and you can map them from the shell. This lesson covers discovering endpoints, probing parameters, and finding the documentation APIs often expose by accident — using curl, jq, and the pipeline skills you’ve built.
You'll learn to
- Probe for common API endpoints and docs
- Parse JSON responses with jq
- Recognise GraphQL and its introspection
Finding the documentation APIs leak
# Common API doc and schema locations — probe them:
for path in /swagger.json /openapi.json /api-docs /graphql \
/api/swagger.json /v1/swagger.json /.well-known/openapi; do
code=$(curl -s -o /dev/null -w "%{http_code}" "https://target.com$path")
echo "$code $path"
done
APIs frequently expose their own documentation — Swagger/OpenAPI specs that list every endpoint, parameter, and type. Probing a handful of common paths and watching the status codes finds them. A 200 on /swagger.json hands you the entire API surface.
Parsing JSON with jq
# jq is grep/sed/awk for JSON:
curl -s https://api.target.com/users | jq '.' # pretty-print
curl -s https://api.target.com/users | jq '.[].email' # one field, all items
curl -s https://api.target.com/users | jq 'keys' # what fields exist?
# Extract all endpoints from a swagger file:
curl -s https://target.com/swagger.json | jq -r '.paths | keys[]'
jq is the JSON equivalent of awk — it navigates and extracts from JSON cleanly. That last command pulls every path out of a Swagger file: an instant, complete endpoint list. jq 'keys' on a response shows you fields the UI might never display.
GraphQL and introspection
# A GraphQL endpoint often allows introspection — it describes its own schema:
curl -s -X POST https://target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{__schema{types{name}}}"}' | jq '.'
Checkpoint
Why is finding an exposed Swagger/OpenAPI file or working GraphQL introspection so valuable during API recon?
Because it hands you the API's complete self-description: every endpoint or operation, every parameter, and every type — including admin and internal operations the visible UI never exercises. That turns a black-box test into something close to white-box, letting you go straight to testing the full set of operations instead of guessing at endpoints. The undocumented-from-the-UI operations it reveals are often where the real findings are.
Try it yourself
Against an authorised API target, probe a handful of common documentation paths (swagger.json, openapi.json, graphql) and record the status codes. If you find a JSON spec, pipe it through jq to extract the list of endpoints. Then pretty-print one API response with jq and use jq ‘keys’ to see its fields.
Key takeaways
- Probe common paths (swagger.json, openapi.json, graphql) for leaked docs.
- jq is awk for JSON — navigate, extract, and list keys with it.
- jq ‘.paths | keys[]’ on a Swagger file gives the full endpoint list.
- GraphQL introspection describes the whole schema if it’s enabled.
Quick quiz
Next, log analysis — turning server logs into evidence of attacks with the text-processing tools you know.