# API

APIs enable software systems and applications to communicate and share data.

**Types**:

* RESTful
* JSON

## API Documentation

Common paths where API documentation is exposed:

* `/api`
* `/swagger/index.html`
* `/openapi.json`

You can use Burp Scanner to crawl and audit OpenAPI documentation, or any other documentation in JSON or YAML format. You can also parse OpenAPI documentation using the [OpenAPI Parser](https://portswigger.net/bappstore/6bf7574b632847faaaa4eb5e42f1757c) BApp.\
You may also be able to use a specialized tool to test the documented endpoints, such as [Postman](https://www.postman.com/) or [SoapUI](https://www.soapui.org/).
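As an added example (not part of the original notes or of any of the tools above), this Python script parses an OpenAPI 3 document such as one retrieved from `/openapi.json` and lists each documented operation, its parameters and whether any security requirement applies to it, so that operations that opt out of authentication or that take URL-like parameters can be reviewed first. The document is a constructed sample; the `security` handling follows OpenAPI 3 semantics, where an operation-level `security: []` overrides the document-level default.

```python
import json

# Constructed sample OpenAPI 3 document standing in for a fetched /openapi.json
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "security": [{"bearerAuth": []}],  # document-level default: auth required
    "paths": {
        "/v1/users": {
            "get": {"summary": "List users"},
            "post": {"summary": "Create user"},
        },
        "/v1/users/{id}": {
            "get": {"summary": "Get user",
                    "parameters": [{"name": "id", "in": "path"}]},
            "delete": {"summary": "Delete user", "security": []},  # opts out of auth
        },
        "/v1/fetch": {
            "get": {"summary": "Fetch a remote resource",
                    "parameters": [{"name": "url", "in": "query"}]},
        },
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def enumerate_endpoints(spec_json: str):
    """Return (METHOD, path, authenticated, parameter_names) per documented operation."""
    spec = json.loads(spec_json)
    global_security = spec.get("security", [])
    results = []
    for path, item in sorted(spec.get("paths", {}).items()):
        # Parameters declared at path level apply to every operation under it
        path_params = [p["name"] for p in item.get("parameters", [])]
        for method, op in item.items():
            if method not in HTTP_METHODS:  # skip "parameters", "summary", etc.
                continue
            # An explicit empty list on the operation removes the global requirement
            security = op.get("security", global_security)
            params = path_params + [p["name"] for p in op.get("parameters", [])]
            results.append((method.upper(), path, bool(security), params))
    return results


def unauthenticated_endpoints(spec_json: str):
    """Operations reachable without any documented security scheme."""
    return [(m, p) for m, p, authed, _ in enumerate_endpoints(spec_json) if not authed]
```

Running `unauthenticated_endpoints(SAMPLE_OPENAPI)` on the sample returns only `DELETE /v1/users/{id}`, the one operation that overrides the document-level requirement.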

## API Brute Force

Fuzz the `<TO_FIND>` segment to discover the API base path, and check each version prefix that is exposed:

```
http://DOMAIN.COM/<TO_FIND>/v1
http://DOMAIN.COM/<TO_FIND>/v2
```

## Attacks

* Potentially all web attacks
* Try parameter pollution (`#`, `&`, and `=`)
* Some parameters are used by the API server to fetch a URL on the caller's behalf (a server-side request); try [Path Traversal](https://ivalexev.gitbook.io/rednote/pentesting-process/web-attacks/file-inclusion-path-traversal) against them.
