API Security · beginner · ~9 min
Use OpenAPI/Swagger and Postman to map an API and find hidden endpoints.
Discovery maps the API: OpenAPI/Swagger, Postman collections, and GraphQL introspection describe endpoints/params/schemas (often exposed); client JS, fuzzing, old versions, and undocumented methods reveal the rest. The map drives the BOLA/BFLA/mass-assignment/rate-limit tests.
Complete endpoint discovery is the prerequisite for testing authorization on every object and function; missed endpoints are untested attack surface. Exposed docs/introspection are also findings in their own right.
Doc sources: Swagger/OpenAPI, Postman, GraphQL introspection.
Beyond docs: client JS/traffic, fuzzing, version sprawl, undocumented methods.
Map → tests: params/objects/roles feed BOLA/BFLA/mass-assignment.
Finding: exposed prod docs/introspection.
You can't test what you can't see. Discovery turns an opaque API into a complete, testable map.
OpenAPI/Swagger documents (/swagger.json, /openapi.json, /swagger-ui) describe every endpoint, parameter, and schema: gold for testing, and often left publicly exposed. Docs rarely list everything. Also:
- Read the client JS and captured traffic for endpoints the docs omit, and check known paths for undocumented methods.
- Fuzz for endpoints (e.g. with ffuf) and parameters; try other versions (/v1→/v2, deprecated /v0), which may have weaker checks.
For every discovered endpoint, note its parameters, the objects it touches, and the role it expects; then run the authorization tests (BOLA/BFLA), mass-assignment checks, and rate-limit checks from this track. The schema also reveals field names to try in mass-assignment.
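As an added example (not the track's own tooling), the script below turns a fetched OpenAPI 3 document into that map and flags the findings this track names: routes with no security requirement, deprecated versions still served, and request bodies that accept schema fields marked readOnly. The spec, its two user routes and the User schema are constructed for the example.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}
SAMPLE_SPEC = {  # constructed stand-in for a fetched /openapi.json; routes and schema are made up
    "openapi": "3.0.0", "security": [{"bearerAuth": []}],
    "paths": {
        "/v2/users/{id}": {"parameters": [{"name": "id", "in": "path"}], "get": {},
                           "put": {"requestBody": {"content": {"application/json": {
                               "schema": {"$ref": "#/components/schemas/User"}}}}}},
        "/v1/users/{id}": {"get": {"deprecated": True, "security": [],
                                   "parameters": [{"name": "id", "in": "path"}]}}},
    "components": {"schemas": {"User": {"properties": {
        "email": {"type": "string"}, "role": {"type": "string", "readOnly": True}}}}}}

def resolve(spec, schema):
    """Follow a local $ref (#/components/schemas/Name) to its definition."""
    while "$ref" in schema:
        schema = spec["components"]["schemas"][schema["$ref"].rsplit("/", 1)[1]]
    return schema

def endpoint_map(spec):
    """One entry per method+path: params, body fields, security, deprecation."""
    entries = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level params apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = [p["name"] for p in shared + op.get("parameters", [])]
            # Operation-level security overrides the document default; [] means none.
            security = op.get("security", spec.get("security", []))
            fields = {}
            for media in op.get("requestBody", {}).get("content", {}).values():
                fields.update(resolve(spec, media.get("schema", {})).get("properties", {}))
            entries.append({"method": method.upper(), "path": path, "params": params,
                            "fields": fields, "unauthenticated": not security,
                            "deprecated": op.get("deprecated", False)})
    return entries

def findings(entries):
    """Flag open routes, live deprecated versions and writable readOnly fields."""
    out = []
    for e in entries:
        tag = f"{e['method']} {e['path']}"
        if e["unauthenticated"]:
            out.append(f"{tag}: no security requirement")
        if e["deprecated"]:
            out.append(f"{tag}: deprecated but still served")
        out += [f"{tag}: readOnly field '{n}' accepted in body"
                for n, p in e["fields"].items() if p.get("readOnly")]
    return out
```

Each entry's params, fields and expected authentication are the inputs the BOLA/BFLA, mass-assignment and rate-limit tests need; the findings list is what goes straight into the report.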
Exposed production Swagger, enabled GraphQL introspection, and live deprecated versions are themselves findings — they hand attackers the map.
API testing starts with discovery — Swagger/OpenAPI, Postman, introspection, plus client traffic and fuzzing — to build a complete endpoint map that the authorization, mass-assignment, and rate-limit tests then exercise.