# APIHunter: Comprehensive API Discovery & Security Testing

Find hidden APIs, fingerprint authentication models, and surface IDOR, mass assignment, GraphQL, CORS, and HTTP smuggling vulnerabilities. Built for bug bounty hunters, red teamers, and security researchers.

## About

APIHunter is a comprehensive API discovery and security testing tool written in Go. It extracts endpoints from JavaScript bundles, OpenAPI/Swagger specs, Android APKs, HAR captures, and live crawling, then runs targeted security checks (IDOR, auth bypass, mass assignment, rate limiting, GraphQL introspection, CORS misconfiguration, HTTP smuggling, OpenAPI mismatch) against everything it finds.
## Table of Contents

- [About](#about)
- [Features](#features)
- [Installation](#installation)
- [Quick Start](#quick-start)
- [Usage Examples](#usage-examples)
- [Command Reference](#command-reference)
- [Advanced Usage](#advanced-usage)
- [Contributing](#contributing)
- [License](#license)
- [Support](#support)
## Features

- Multi-Source API Discovery: JavaScript (AST + regex), OpenAPI v2/v3, Android APK, HAR traffic, live crawling
- Authentication Fingerprinting: Bearer tokens, API keys, session cookies, plus role separation (admin/user/public)
- Eight Security Check Classes: IDOR, auth bypass, mass assignment, rate limiting, GraphQL, CORS, HTTP smuggling, OpenAPI mismatch
- High-Performance Scanning: Concurrent worker pools with configurable rate limiting and timeouts
- Stealth Operations: Proxy support, custom workers, deliberate request pacing for sensitive engagements
### Multi-Source Discovery

Pull APIs from where they actually live: JS bundles, mobile apps, traffic captures, and docs.

- AST-Based JavaScript Parsing: Catches `fetch()`, `axios`, `XMLHttpRequest`, and GraphQL queries that regex misses
- Mobile App Extraction: Pull endpoints directly from Android APK files
- Versioning Detection: Identifies API versions in paths, headers, or query parameters
- Environment Leak Detection: Surfaces dev, staging, and production environments in discovered endpoints
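As an added illustration of the regex side of JavaScript extraction (example code written for this page, not APIHunter's own source), the Go program below pulls quoted URL and path literals out of a constructed bundle fragment, tags each with the version segment it carries and the environment its host name leaks, and deduplicates the result. The `Endpoint` type, the three regexes and `SampleBundle` are all assumptions of this example.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// Endpoint is one discovered path or URL with the metadata the extractor reports.
type Endpoint struct {
	URL     string
	Version string // "v1", "v2", ... or "" when the path has no version segment
	Env     string // "dev", "staging" or "prod" when the host name gives it away
}

// Quoted literals that look like a URL or absolute path, e.g. fetch("/api/v1/users") or
// axios.post('/api/v2/orders'); concatenated or templated URLs need the AST pass instead.
var (
	literalRe = regexp.MustCompile(`["'](https?://[^"'\s]+|/[A-Za-z0-9_./-]+)["']`)
	versionRe = regexp.MustCompile(`/(v\d+)(?:/|$)`)
	envRe     = regexp.MustCompile(`(?i)^https?://[^/]*\b(dev|staging|prod)`) // host part only
)

// ExtractEndpoints returns the unique endpoints found in a JavaScript bundle, sorted by URL.
func ExtractEndpoints(js string) []Endpoint {
	seen := map[string]bool{}
	var out []Endpoint
	for _, m := range literalRe.FindAllStringSubmatch(js, -1) {
		u := m[1]
		if seen[u] {
			continue
		}
		seen[u] = true
		ep := Endpoint{URL: u}
		if v := versionRe.FindStringSubmatch(u); v != nil {
			ep.Version = v[1]
		}
		if e := envRe.FindStringSubmatch(u); e != nil {
			ep.Env = strings.ToLower(e[1])
		}
		out = append(out, ep)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].URL < out[j].URL })
	return out
}

// SampleBundle is a constructed fragment standing in for a real application bundle.
const SampleBundle = `fetch("/api/v1/users/" + id, {method: "GET"});
axios.post('/api/v2/orders', payload);
axios.get("https://api.staging.example.com/internal/admin/users");
fetch("/graphql", {method: "POST", body: JSON.stringify({query})});
fetch("/api/v1/users/" + id);`
```

The concatenated `"/api/v1/users/" + id` call is only recovered up to the literal prefix, which is exactly the case where the AST parser earns its keep.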
### Security Checks

Eight check classes that map to real bug bounty payouts.

Authorization & Access:

- IDOR Detection (`--idor`): Insecure direct object reference checks across discovered endpoints
- Auth Bypass (`--auth`): Missing or optional authentication on protected routes
- Mass Assignment (`--mass`): Extra JSON field acceptance for privilege escalation

Rate & Volume:

- Rate Limiting (`--rate`): Burst and token-based rate limit tests
- GraphQL (`--graphql`): Introspection enabled, missing depth limits, batched query abuse
- CORS (`--cors`): Wildcard origins, credentialed wildcard misconfigurations

Protocol-Level:

- HTTP Smuggling (`--smuggle`): Header confusion vulnerability checks
- OpenAPI Mismatch (`--openapi-mismatch`): Documentation vs. reality comparison for shadow endpoints

Pro tip: Combine multiple checks for maximum coverage:

```bash
apihunter scan -u target --js --idor --auth --rate --graphql --cors
```
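To make the `--cors` check concrete, here is an added Go example (written for this page, not APIHunter's code) that sends one request carrying an Origin the target should not trust and classifies the `Access-Control-Allow-Origin` / `Access-Control-Allow-Credentials` pair into the cases the list above names: wildcard, credentialed wildcard, reflected origin, and reflected origin with credentials. `ClassifyCORS`, `ProbeCORS` and the finding names are assumptions of this example.

```go
package main

import (
	"net/http"
	"strings"
)

// Findings a --cors style check reports; "ok" means no CORS headers or a fixed allow-list value.
const (
	CORSOK                 = "ok"
	CORSWildcard           = "wildcard"                   // ACAO: *; fine for public data only
	CORSWildcardWithCreds  = "wildcard-with-credentials"  // browsers refuse it, but it signals intent
	CORSReflected          = "reflected-origin"           // probe origin echoed back
	CORSReflectedWithCreds = "reflected-with-credentials" // any site can read authenticated responses
)

// ClassifyCORS maps the two response headers to a finding for the Origin that was sent.
// An empty probe origin never counts as reflected, so a missing ACAO header stays "ok".
func ClassifyCORS(probeOrigin, acao, acac string) string {
	creds := strings.EqualFold(acac, "true")
	switch {
	case acao != "" && acao == probeOrigin && creds:
		return CORSReflectedWithCreds
	case acao != "" && acao == probeOrigin:
		return CORSReflected
	case acao == "*" && creds:
		return CORSWildcardWithCreds
	case acao == "*":
		return CORSWildcard
	}
	return CORSOK
}

// ProbeCORS sends one GET carrying an Origin the target should not trust and classifies the reply.
func ProbeCORS(client *http.Client, target, probeOrigin string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Origin", probeOrigin)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close() // only the headers matter for this check
	return ClassifyCORS(probeOrigin, resp.Header.Get("Access-Control-Allow-Origin"),
		resp.Header.Get("Access-Control-Allow-Credentials")), nil
}
```

Point `ProbeCORS` at an in-scope endpoint with a probe origin you control; `reflected-with-credentials` is the result to triage first, and a fixed allow-list value that is not the probe origin classifies as `ok`.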
### HTTP Layer

Production-grade HTTP layer.

- Proxy Support (`--proxy`): Burp Suite and other intercepting proxies
- Concurrent Workers (`--workers`): Tunable worker pool, default 50
- Rate Limiting (`--rate-limit`): Requests per second cap
- Custom Timeouts (`--timeout`): Per-request timeout tuning
- Stealth Mode (`--stealth`): Slower, randomized pacing
- Auth Tokens (`--auth-token`): Bearer / API key headers for authenticated scans
### Output Formats

Three formats for three audiences.

- Table (default): Color-coded console output
- JSON (`--format json`): Machine-readable for automation pipelines
- Burp Suite Export (`--format burp`): Direct import for manual follow-up testing
## Installation

Install with `go install`:

```bash
go install -v github.com/cc1a2b/APIHunter/cmd/apihunter@latest
apihunter --help
```

Or build from source:

```bash
git clone https://github.com/cc1a2b/APIHunter.git
cd APIHunter
go build -o apihunter ./cmd/apihunter
```

Alternatively, download pre-built binaries from the Releases page.

Requirements:

- Go 1.21+ (for building from source)
- Linux, macOS, or Windows (64-bit)
- Network access to the target
## Quick Start

Extract endpoints from a single source:

```bash
apihunter extract --js https://target.com/app.js -o endpoints.json
apihunter extract --openapi swagger.json -o endpoints.json
apihunter extract --har traffic.har -o endpoints.json
```

Discover and scan in one run:

```bash
apihunter scan \
  -u https://api.target.com \
  --js \
  --idor --auth --rate \
  -o report.json
```

## Usage Examples

```bash
# Basic discovery and scan
apihunter scan -u https://api.target.com --js --idor --auth --rate -o report.json

# Authenticated scan
apihunter scan \
  -u https://api.target.com \
  --auth-token "Bearer eyJ..." \
  --idor --mass \
  -o report.json

# Multi-target sweep
apihunter scan \
  -l targets.txt \
  --graphql --cors \
  -o report.json

# Stealth scan through Burp
apihunter scan \
  -u https://api.target.com \
  --js --idor --auth --rate --graphql --cors \
  --stealth \
  --proxy http://127.0.0.1:8080 \
  --workers 50 \
  --rate-limit 10 \
  --timeout 8s \
  --format json \
  -o report.json

# Mobile app endpoint extraction
apihunter extract --apk app.apk -o mobile-endpoints.json
```

## Command Reference

```text
Usage:
  apihunter <command> [flags]

Commands:
  extract                  Pull endpoints from a source without scanning
  scan                     Discover + scan target(s)
  version                  Show version

Input Sources:
  -u, --url URL            Target URL
  -l, --targets-file FILE  File of target URLs
  --js                     Extract from JavaScript bundles
  --openapi FILE           Parse OpenAPI v2/v3 spec
  --har FILE               Parse HAR traffic capture
  --apk FILE               Extract from Android APK

Security Checks:
  --idor                   IDOR detection
  --auth                   Auth bypass detection
  --mass                   Mass assignment detection
  --rate                   Rate limiting tests
  --graphql                GraphQL introspection + depth tests
  --cors                   CORS misconfiguration checks
  --smuggle                HTTP smuggling header confusion
  --openapi-mismatch       Compare OpenAPI vs live behaviour

HTTP & Performance:
  --auth-token TOKEN       Authorization header value
  --workers INT            Concurrent worker pool (default: 50)
  --rate-limit INT         Max requests per second
  --timeout DUR            Per-request timeout (e.g. 8s)
  --proxy URL              HTTP/HTTPS/SOCKS proxy
  --stealth                Slower, evasive scanning

Output:
  --format FMT             table | json | burp
  -o, --output FILE        Output path
  -v, --verbose            Detailed output
  -h, --help               Show help
```
## Advanced Usage

Full workflow, from discovery to targeted re-testing:

```bash
# 1. Discover everything
apihunter extract --js https://target.com/app.js -o js-apis.json
apihunter extract --har capture.har -o har-apis.json

# 2. Scan the merged set with full check suite
apihunter scan -l discovered.txt \
  --idor --auth --mass --rate --graphql --cors --smuggle --openapi-mismatch \
  --proxy http://127.0.0.1:8080 \
  --workers 30 --rate-limit 5 \
  -o full-report.json

# 3. Re-run only IDOR with elevated auth tokens
apihunter scan -l discovered.txt \
  --idor --auth-token "Bearer $LOW_PRIV_TOKEN" \
  -o idor-report.json
```

CI integration:

```bash
# Nightly scan on merge to main
apihunter scan -u https://api.staging.example.com \
  --js --openapi-mismatch --cors --rate \
  --format json -o "scan-$(date +%F).json"
```

## Contributing

Contributions welcome.
- Report bugs via GitHub Issues
- Suggest features or new check classes
- Improve documentation
- Submit pull requests with new extractors or detectors
Development setup:

```bash
git clone https://github.com/cc1a2b/APIHunter.git
cd APIHunter
go mod tidy
go build -o apihunter ./cmd/apihunter
```

## License

APIHunter is released under the MIT License. See LICENSE for details.

Copyright (c) 2025-2026 Hussain Alsharman

Licensed under the MIT License; free for commercial and personal use.

## Support

If APIHunter helps with your security research:

Star this repo • Follow @cc1a2b • Share with the security community

APIHunter: Comprehensive API Discovery & Security Testing. Built with ❤️ by cc1a2b for the security community.
