Regex › API Recon and Endpoint Discovery
Extracting API endpoints and parameters
APIs reveal themselves in text — in bundle code, in logs, in traffic dumps. Regex is how you extract every endpoint, parameter, and route at scale. This lesson covers the patterns that turn raw text into an API map.
You'll learn to
- Extract quoted API paths from code
- Pull parameter names from URLs
- Recognise route-definition patterns
Endpoints in quoted strings
Match quoted API-looking paths in JS:
["'`](/(?:api|v[0-9]+|graphql|rest)/[A-Za-z0-9_./-]+)["'`]
This finds "/api/users", "/v1/orders/123", "/graphql" inside bundle code.
API calls in code are quoted path strings starting with a recognisable prefix (/api/, /v1/, /graphql). Anchoring on those prefixes plus the surrounding quotes extracts them cleanly while ignoring unrelated strings.
Parameters from URLs
Extract parameter NAMES from a pile of URLs:
[?&]([a-zA-Z0-9_]+)=
Applied across thousands of historical URLs, this yields the real
parameter wordlist the application uses.
A parameter appears after ? or & and before =. Capturing that name across many URLs builds a target-specific parameter list — far better for fuzzing than a generic wordlist, because it’s what the app actually uses.
Route definitions
Frameworks declare routes in recognisable shapes:
app.get("/path") router.post('/path') @app.route("/path")
Pattern: (?:get|post|put|delete|route)\s*\(\s*["'`]([^"'`]+)["'`]
Checkpoint
Why is a parameter wordlist extracted from a target's own URLs more useful for fuzzing than a generic one?
Because it contains the exact parameter names the target application actually uses, captured from its real URLs, rather than generic guesses. Fuzzing with real, observed parameters tests the application's genuine surface and is far more likely to reach live functionality and hidden parameters than a one-size-fits-all list. It's intelligence the application itself produced, so it reflects how this specific app is built.
Try it yourself
Write a pattern that captures a parameter name appearing after a question-mark or ampersand and before an equals sign. Apply it mentally to a few sample URLs with query strings and list the parameter names it would extract. Then describe how you’d dedupe those into a wordlist.
Key takeaways
- Quoted paths with /api or /v1 prefixes extract endpoints from code.
- A parameter sits after ? or & and before = — capture the name across URLs.
- Route-definition patterns find framework-declared paths.
- Code-only endpoints not used by the UI are the high-value finds.
Quick quiz
Next, Burp Suite regex workflows — match-and-replace, scope, and response filtering.