In API security testing, the first rule is simple: know your target before you touch it. Passive reconnaissance lets you map an API’s attack surface without sending a single probe. By harvesting open-source intelligence (OSINT), you can uncover endpoints, documentation, credentials, and even instant wins like leaked API keys, all from public sources. This approach shines in banking audits, where RBI/NPCI compliance demands thorough recon before active scans.
Think of it as scouting a fortress from afar: spot weak walls (exposed endpoints), forgotten gates (zombie APIs), and lost keys (secrets) without alerting the guards.
Mastering Passive API Reconnaissance – Breakthrough
Your goal? Document the API’s business purpose, versions, endpoints, and docs. In FinTech, this reveals logic flaws in payment gateways or KYC flows. High-value finds include:
- Exposed secrets (API keys, JWTs) for instant admin access.
- Leaked PII (Aadhaar, PAN, emails) demanding immediate reporting.
- Version info that flags known CVEs, like an outdated OAuth library in UPI apps.
Report critical exposures right away; they are often OWASP API Top 10 violations such as Broken Authentication.
Technique 1: Google Dorking for Quick Wins
Start with plain searches like “Reddit API docs,” then refine with dorks for precision.
| Google Dork | Purpose | Example Results |
|---|---|---|
| `inurl:"/wp-json/wp/v2/users"` | WordPress user APIs | Public user directories |
| `intitle:"index.of" intext:"api.txt"` | Exposed API files | Leaked key lists |
| `inurl:"/api/v1" intext:"index of /"` | API directories | Open folders with endpoints |
| `ext:php inurl:"api.php?action="` | XenAPI SQLi vulns | 141K+ hits (even in 2026) |
| `intitle:"index of" api_key OR "api key" OR apiKey -pool` | Leaked keys | Instant secrets |

Pro tip for India: the dork `inurl:"/upi/api" site:*.in` surfaces NPCI-exposed UPI endpoints.
Technique 2: GitDorking on GitHub
Developers leak gold on GitHub. Search `[target] "api key" OR token OR "authorization: Bearer"`, then dive into the tabs.
- Code Tab: Ctrl+F for “secret”; check History for removed keys (use Split view for diffs). Example: Spot a hardcoded Razorpay API key in a commit.
- Issues Tab: Open issues often flag live bugs, like “API key exposed in frontend.”
- Pull Requests: Unmerged changes reveal ongoing fixes; test before they merge.
Profile the target: Note languages (Node.js?), endpoints (/v1/payments), and docs.
Automate with TruffleHog:

```shell
sudo docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=paytm
```

This scans for secrets across an organisation's repos; extend it to GitLab or S3 for full coverage. (Docs: TruffleHog GitHub)
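A defender-side counterpart to the TruffleHog step above: a small secret scanner you can run over a config file or diff before it is pushed, so the keys this section hunts for never reach a public commit. This is an added example, not the post's or TruffleHog's code; the rule set, placeholder list and entropy cut-off are assumptions to tune per code base, and the sample config is constructed.

```python
import math
import re
from dataclasses import dataclass

# Assumed rule set: (name, regex with the candidate secret in group 1,
# whether an entropy check is needed to tell real values from readable names).
RULES = [
    ("keyword_assigned_value",
     re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"), True),
    ("bearer_token",
     re.compile(r"(?i)authorization['\"]?\s*:\s*['\"]?bearer\s+([A-Za-z0-9\-._~+/]+=*)"), False),
    ("jwt",
     re.compile(r"\b(eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,})\b"), False),
]
PLACEHOLDER = re.compile(r"(?i)your|example|changeme|placeholder|dummy|xxxx")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune per code base


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    masked: str  # never log the full secret; first four characters only


def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score high, readable names score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per (line, value) that looks like a live credential."""
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, needs_entropy in RULES:
            for match in pattern.finditer(line):
                value = match.group(1)
                if PLACEHOLDER.search(value) or (line_no, value) in seen:
                    continue  # skip template values and duplicate hits on one line
                if needs_entropy and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # keyword matched, but the value reads like a name
                seen.add((line_no, value))
                findings.append(Finding(name, line_no, value[:4] + "..."))
    return findings


# Constructed sample: the kind of config file that ends up in a public commit.
SAMPLE_COMMIT = """\
API_KEY = "YOUR_API_KEY_HERE"
RAZORPAY_SECRET = "k8Qz2pL9vX4mN7bT1wR3yH6j"
headers = {"Authorization": "Bearer 7f3c9a1d2e5b4c6a8f0e1d2c3b4a5f6e"}
SESSION_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJlX3BsYWNlaG9sZGVy"
LOG_LEVEL = "debug"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_COMMIT):
        print(f"line {f.line_no}: {f.rule} ({f.masked})")
```

Wired into a pre-commit hook, a non-empty result blocks the commit; the placeholder on line 1 is ignored while the three real-looking values are reported.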
Technique 3: Shodan for Exposed Services
Shodan indexes internet-facing devices. Search by domain/IP for APIs.
| Shodan Query | Purpose |
|---|---|
| `hostname:"paytm.com"` | Target-specific basics |
| `"content-type: application/json"` | JSON APIs |
| `"content-type: application/xml" + 200 OK` | Successful XML endpoints |
| `"wp-json"` | WordPress APIs |

Combine for gold: `hostname:"phonepe.com" "content-type: application/json" "200 OK"`. Ideal for auditing exposed RBI-mandated APIs.
Technique 4: Wayback Machine for Zombie APIs
Archive.org snapshots reveal history. Check old landing pages for hidden partner APIs or changes to the docs. Hunt zombie endpoints (Improper Assets Management in the OWASP API Top 10): retired but still-live paths like /api/v1/old-kyc.
Example Workflow:
- Enter target URL.
- Compare snapshots (e.g., 2023 vs. 2026).
- Test old endpoints actively later.
Key Takeaways and Next Steps
Passive recon builds your API blueprint ethically and efficiently. Tools like these have exposed secrets in major FinTech leaks; use them for RBI audits or pentests.
Next up: Active recon to probe those endpoints. Always document for compliance reports.
What API target or regulation (e.g., NPCI UPI) should I cover in the active recon post?
