Anthropic-Cybersecurity-Skills/skills/performing-api-inventory-and-discovery/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

# API Inventory and Discovery — API Reference

## Libraries

| Library | Install | Purpose |
|---------|---------|---------|
| requests | `pip install requests` | HTTP probing and spec fetching |

## Common API Discovery Paths

| Path | Description |
|------|-------------|
| `/api/v1`, `/api/v2` | Versioned REST API roots |
| `/swagger.json` | Swagger 2.0 specification |
| `/openapi.json` | OpenAPI 3.x specification |
| `/graphql` | GraphQL endpoint (a 400 or 405 on GET still confirms it exists; queries go over POST) |
| `/graphiql`, `/playground` | GraphQL IDE; usually means introspection is enabled, confirm with an introspection query |
| `/api-docs`, `/docs` | API documentation page |
| `/.well-known/openid-configuration` | OIDC discovery document |
| `/health`, `/metrics` | Health/monitoring endpoints, frequently unauthenticated |
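A probe that walks the table above and records what each path returns, as an added example that is not part of this reference or the skill's `scripts/agent.py`. It uses the standard library (`urllib`) rather than `requests` so it runs without dependencies, treats 401/405 responses as proof that a route exists, takes a soft-404 baseline from a random path so that hosts answering 200 to everything do not produce one false finding per wordlist entry, and follows up `/graphql` with a POST introspection query. The host name `target.example` and the `FAKE_ROUTES` table are constructed so the script can be exercised offline; pass `fetch=http_fetch` (the default) against a real target.

```python
import json
import secrets
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Candidate paths from the discovery table above.
DISCOVERY_PATHS = [
    "/api/v1", "/api/v2", "/swagger.json", "/openapi.json", "/graphql",
    "/graphiql", "/playground", "/api-docs", "/docs",
    "/.well-known/openid-configuration", "/health", "/metrics",
]


def http_fetch(url, method="GET", body=None, timeout=5):
    """Live transport: returns (status, body_bytes), or None if the host is unreachable."""
    headers = {"User-Agent": "api-inventory-probe", "Accept": "application/json, */*"}
    if body is not None:
        headers["Content-Type"] = "application/json"
    try:
        with urlopen(Request(url, data=body, headers=headers, method=method), timeout=timeout) as r:
            return r.status, r.read(65536)
    except HTTPError as e:  # 401/403/405 still prove the route exists, so keep them
        return e.code, e.read(65536)
    except URLError:
        return None


def describe(path, status, body):
    """Turn one response into an inventory note."""
    if status == 405 or (path == "/graphql" and status == 400):
        return "exists but rejects GET (POST-only endpoint, e.g. GraphQL)"
    if status in (401, 403):
        return "exists, authentication required"
    try:
        doc = json.loads(body)
    except ValueError:
        return "responds (non-JSON body)"
    if isinstance(doc, dict):
        if "openapi" in doc:
            return f"OpenAPI {doc['openapi']} specification"
        if "swagger" in doc:
            return f"Swagger {doc['swagger']} specification"
        if "issuer" in doc and "authorization_endpoint" in doc:
            return "OIDC discovery document"
    return "responds (JSON)"


def probe(base_url, paths=DISCOVERY_PATHS, fetch=http_fetch):
    """Probe every candidate path; returns {path: {"status": int, "hint": str}}.

    A random path is requested first as a soft-404 baseline, so a host that
    answers 200 to anything does not yield one finding per wordlist entry.
    """
    base_url = base_url.rstrip("/")
    baseline = fetch(f"{base_url}/{secrets.token_hex(8)}")
    soft_404 = (baseline[0], len(baseline[1])) if baseline and baseline[0] != 404 else None
    findings = {}
    for path in paths:
        res = fetch(base_url + path)
        if res is None or res[0] == 404 or (soft_404 and (res[0], len(res[1])) == soft_404):
            continue
        findings[path] = {"status": res[0], "hint": describe(path, res[0], res[1])}
    return findings


def graphql_introspection_enabled(base_url, fetch=http_fetch):
    """POST a minimal introspection query; True when __schema comes back (a HIGH-risk finding)."""
    query = json.dumps({"query": "{ __schema { queryType { name } } }"}).encode()
    res = fetch(base_url.rstrip("/") + "/graphql", method="POST", body=query)
    try:
        return res is not None and "__schema" in json.loads(res[1]).get("data", {})
    except (ValueError, AttributeError):
        return False


# Constructed stand-in target so the probe can be exercised offline; not a real service.
FAKE_ROUTES = {
    ("GET", "/openapi.json"): (200, b'{"openapi":"3.0.3","paths":{"/users":{}}}'),
    ("GET", "/health"): (200, b'{"status":"ok"}'),
    ("GET", "/metrics"): (401, b'{"error":"unauthorized"}'),
    ("GET", "/graphql"): (405, b"GET not allowed"),
    ("POST", "/graphql"): (200, b'{"data":{"__schema":{"queryType":{"name":"Query"}}}}'),
}


def fake_fetch(url, method="GET", body=None, timeout=5):
    return FAKE_ROUTES.get((method, urlsplit(url).path), (404, b'{"error":"not found"}'))


if __name__ == "__main__":
    target = "https://target.example"  # assumed host; use fetch=http_fetch against a real one
    for path, info in probe(target, fetch=fake_fetch).items():
        print(f"{info['status']} {path:35} {info['hint']}")
    print("GraphQL introspection enabled:", graphql_introspection_enabled(target, fetch=fake_fetch))
```

Against the constructed target this lists `/openapi.json`, `/graphql`, `/health` and `/metrics` and reports introspection as enabled; `/swagger.json` and the rest are dropped as 404s. Keep the soft-404 check: single-page applications commonly serve their index for every unknown path, and without the baseline every entry in the table would be reported as present.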

## OpenAPI Spec Parsing

```python
import requests

# Keys of a path item that are HTTP operations; the others (parameters, summary, servers) are not
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

spec = requests.get("https://target.com/openapi.json", timeout=10).json()
for path, item in spec["paths"].items():
    for method, op in item.items():
        if method in HTTP_METHODS:
            print(f"{method.upper()} {path} deprecated={op.get('deprecated', False)}")
```

## JavaScript API Extraction Patterns

| Pattern | Matches |
|---------|---------|
| `fetch("/<path>")` | Fetch API calls |
| `axios.get("/<path>")` | Axios HTTP calls |
| `"/api/v1/<resource>"` | String literal API paths |
| `"/v2/<resource>"` | Versioned API references |
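The pattern table turned into a working extractor, as an added example that is not part of this reference. It handles all three quote styles including template literals (a `${id}` hole is collapsed to `{param}` so one route is not counted once per variable name), strips query strings, discards static assets that happen to live under a versioned prefix, and additionally picks up the well-known discovery paths from the table above when they appear as plain strings in configuration objects. `SAMPLE_JS` is a constructed bundle fragment, not code from any real site.

```python
import re

# Constructed fragment of a front-end bundle, not taken from any real site.
SAMPLE_JS = r"""
const API="/api/v1";
fetch("/api/v1/users").then(r=>r.json());
fetch(`/api/v1/users/${id}/orders`,{method:"POST",body:JSON.stringify(o)});
fetch("/v2/assets/theme.css");
axios.get("/api/v2/reports?limit=50");
axios.post('/internal/admin/export', payload);
const legacy="/v1/legacy/export";
window.__cfg={graphql:"/graphql",docs:"/api-docs"};
"""

# One regex per row of the pattern table; each captures the path as group "path".
PATTERNS = {
    "fetch": re.compile(r"""fetch\(\s*(?P<q>["'`])(?P<path>/[^"'`]*)(?P=q)"""),
    "axios": re.compile(r"""axios\.(?:get|post|put|patch|delete|head|options)\(\s*(?P<q>["'`])(?P<path>/[^"'`]*)(?P=q)"""),
    # "/api/v1/<resource>" and "/v2/<resource>" string literals anywhere in the bundle
    "literal": re.compile(r"""(?P<q>["'`])(?P<path>/(?:api/)?v\d+/[^"'`\s]*)(?P=q)"""),
    # well-known discovery paths that appear as plain strings (config objects, link targets)
    "known": re.compile(r"""(?P<q>["'`])(?P<path>/(?:graphql|graphiql|playground|api-docs|swagger\.json|openapi\.json))(?P=q)"""),
}
STATIC_ASSET = re.compile(r"\.(?:png|jpe?g|gif|svg|css|js|map|woff2?|ico)$", re.I)


def normalise(path):
    """Drop query strings and replace template-literal holes so variants collapse to one route."""
    path = path.split("?", 1)[0]
    return re.sub(r"\$\{[^}]*\}", "{param}", path)


def extract_api_paths(js):
    """Return {path: [pattern names]} for every API-looking path found in a JS bundle."""
    found = {}
    for name, rx in PATTERNS.items():
        for m in rx.finditer(js):
            path = normalise(m.group("path"))
            if STATIC_ASSET.search(path):  # images, stylesheets and scripts are not API routes
                continue
            found.setdefault(path, set()).add(name)
    return {p: sorted(names) for p, names in sorted(found.items())}


if __name__ == "__main__":
    for path, sources in extract_api_paths(SAMPLE_JS).items():
        print(f"{path:40} {', '.join(sources)}")
```

On the sample this yields seven routes; note that `/internal/admin/export` is only visible through the `axios.post` call because it carries no version prefix, which is why the call-site patterns matter and a literal-only scan of a bundle is not enough.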

## API Risk Classification

| Category | Risk | Examples |
|----------|------|----------|
| Admin/Internal | HIGH | `/admin/api`, `/internal/` |
| GraphQL exposed | HIGH | `/graphql` with introspection enabled |
| Documentation public | MEDIUM | `/swagger.json`, `/api-docs` |
| Deprecated/zombie | HIGH | Marked deprecated in the spec, or an older version path, but still responding |
| Standard versioned | LOW | `/api/v2/users` |

## OWASP API9:2023 — Improper Inventory Management

| Issue | Description |
|-------|-------------|
| Shadow APIs | Undocumented endpoints deployed without review |
| Zombie APIs | Deprecated versions still accessible |
| Missing authentication | Endpoints registered outside the authentication middleware, a frequent trait of shadow and zombie APIs |
| Version sprawl | Multiple API versions maintained simultaneously |
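The spec parsing, the risk table and the API9 issues combined into one inventory pass, as an added example that is not part of this reference. It enumerates operations correctly (a path item also carries `parameters`, `summary` and `servers` keys that are not HTTP methods), resolves the effective `security` requirement (an operation-level `security: []` opts out of the document default, and `[{}]` makes authentication optional), flags admin/internal surfaces, and turns "deprecated" into "zombie" when an optional liveness callback confirms the route still answers. `SPEC`, the route names and `fake_is_live` are constructed for the example; on a real target replace `SPEC` with the fetched document and `is_live` with a HEAD/GET probe.

```python
import re

# Constructed OpenAPI 3.x document standing in for a fetched /openapi.json; not a real API.
SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],  # document-wide default: every operation needs a token
    "paths": {
        "/api/v2/users": {
            "parameters": [{"name": "X-Tenant", "in": "header"}],  # path-level key, not an operation
            "get": {"summary": "List users"},
            "post": {"summary": "Create user"},
        },
        "/api/v1/users": {"get": {"summary": "List users (legacy)", "deprecated": True}},
        "/admin/api/export": {"post": {"summary": "Export all tenants"}},
        "/internal/flush-cache": {"post": {"summary": "Ops hook", "security": []}},  # opts out of auth
        "/health": {"get": {"summary": "Liveness", "security": []}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
ADMIN_INTERNAL = re.compile(r"^/(admin|internal)(/|$)|/admin/", re.I)
MONITORING = re.compile(r"^/(health|healthz|metrics|status)$")


def iter_operations(spec):
    """Yield (METHOD, path, operation), skipping path-item keys that are not operations."""
    for path, item in spec.get("paths", {}).items():
        for key, op in item.items():
            if key.lower() in HTTP_METHODS:
                yield key.upper(), path, op


def requires_auth(spec, op):
    """Operation-level `security` overrides the document default; [] or [{}] disables it."""
    requirements = op.get("security", spec.get("security", []))
    return bool(requirements) and all(req for req in requirements)


def classify(spec, method, path, op, is_live=None):
    """Apply the risk table: returns (risk, reasons) for one operation.

    `is_live(method, path)` is an optional probe callback; a deprecated operation
    that still answers is a zombie API and stays HIGH.
    """
    reasons = []
    if op.get("deprecated"):
        live = is_live(method, path) if is_live else None
        reasons.append("deprecated and still responding (zombie API)" if live else "deprecated in spec")
    if ADMIN_INTERNAL.search(path):
        reasons.append("admin/internal surface")
    if not requires_auth(spec, op):
        reasons.append("no security requirement")
    if not reasons:
        return "LOW", reasons
    if reasons == ["no security requirement"] and MONITORING.match(path):
        return "MEDIUM", reasons  # unauthenticated health/metrics is common but still worth listing
    return "HIGH", reasons


def inventory(spec, is_live=None):
    """Full inventory sorted HIGH first, then by path and method."""
    rows = []
    for method, path, op in iter_operations(spec):
        risk, reasons = classify(spec, method, path, op, is_live)
        rows.append({"method": method, "path": path, "risk": risk, "reasons": reasons})
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(rows, key=lambda r: (order[r["risk"]], r["path"], r["method"]))


def fake_is_live(method, path):
    """Constructed probe result: the legacy v1 route was never switched off."""
    return path.startswith("/api/v1/")


if __name__ == "__main__":
    for row in inventory(SPEC, is_live=fake_is_live):
        print(f"{row['risk']:6} {row['method']:5} {row['path']:25} {'; '.join(row['reasons'])}")
```

The constructed spec produces six operations (the `parameters` entry is correctly ignored): three HIGH (`/admin/api/export`, the zombie `/api/v1/users`, and `/internal/flush-cache` which is both internal and unauthenticated), one MEDIUM (`/health`) and two LOW. The same `requires_auth` logic is what distinguishes a deliberate opt-out in the spec from an endpoint that silently skips the auth middleware: the former shows up here, the latter only when the live probe answers 200 where the spec says a token is required.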

## External References