OSINT X API Hacking: The Unlikely Duo You Never Knew You Needed

This post covers the highlights of the talk given by Ben “nahamsec” Sadeghipour at APISEC | CON Testing 2024. For the full experience, be sure to watch the talk for yourself!

API security is often viewed through the lens of traditional vulnerability testing—identifying issues like authentication flaws, IDORs, or mass assignment vulnerabilities. But what if you could take your API hacking skills to the next level by leveraging Open-Source Intelligence (OSINT)? In a recent webinar hosted at APISEC | CON Testing 2024, Ben “Nahamsec” Sadeghipour explored how OSINT can serve as a powerful tool for API hacking, uncovering hidden endpoints, sensitive data leaks, and attack surface expansion strategies.

The Typical API Hacking Approach

Most security professionals start API testing with the conventional methods: probing for vulnerabilities using known API documentation, traffic analysis, and brute-forcing requests. However, these approaches require access to an application’s frontend or API specification—what happens when that information isn’t available?

That’s where OSINT techniques come in. By gathering publicly accessible data from sources like Google, GitHub, and Postman, security researchers can identify APIs that organizations may not even realize are exposed.

Leveraging Google and GitHub for OSINT

One of the simplest yet most effective OSINT techniques is Google Dorking. By crafting specific search queries, attackers can find publicly indexed API endpoints, credentials, and even production configurations. Ben demonstrated how a query like:

site:example.com inurl:api "production"

can reveal valuable API data that shouldn’t be public.

Beyond Google, GitHub is a goldmine of leaked secrets and API paths. Many developers unknowingly expose sensitive information in public repositories, offering attackers an opportunity to identify subdomains, API routes, and even authentication credentials.

Case Study: Uncovering Hidden API Endpoints

In one of Ben’s bug bounty engagements, he discovered a fintech company with a vast digital footprint across multiple countries. While initial reconnaissance turned up little information, a deeper dive into GitHub revealed various subdomains and API routes that weren’t linked anywhere else online.

By searching for:

org:company-name filename:config.json

Ben identified API endpoints hidden from traditional reconnaissance methods. Further GitHub searches led to leaked environment files containing credentials, allowing unauthorized access to sensitive systems.
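The GitHub findings above (config.json files and environment files leaking credentials) have a direct defender-side counterpart: catching such values before they are committed. The scanner below is an added example, not code from the talk or from this post; it flags credential-looking values in config.json and .env content, skipping placeholders and env-var references. The key-name and placeholder patterns are my own heuristic assumptions, and the sample inputs are constructed.

```python
import json
import re
# Heuristics (my assumption, not from the talk): key names that usually carry credentials,
# and values that are placeholders or env-var references rather than live secrets.
SENSITIVE_KEY = re.compile(r"(?i)secret|token|passw(or)?d|api[_-]?key|private[_-]?key")
PLACEHOLDER = re.compile(r"(?i)\$\{.*\}|<.*>|changeme|x{3,}|your[_-].*")

def is_live_secret(key, value):
    value = value.strip()
    return bool(SENSITIVE_KEY.search(key)) and bool(value) and PLACEHOLDER.fullmatch(value) is None

def flag_config_json(text):
    """Return dotted paths of string values in a JSON document that look like live secrets."""
    findings = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                child = f"{path}.{key}" if path else key
                if isinstance(val, str) and is_live_secret(key, val):
                    findings.append(child)
                else:
                    walk(val, child)
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]")
    walk(json.loads(text), "")
    return findings

def flag_dotenv(text):
    findings = []  # variable names in .env-style text whose values look like live secrets
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if is_live_secret(key.strip(), val.strip().strip("'\"")):
            findings.append(key.strip())
    return findings

# Constructed sample inputs (not taken from the talk or any real repository).
SAMPLE_CONFIG_JSON = json.dumps({
    "api": {"baseUrl": "https://api.example.com/v2", "apiKey": "constructed-live-key-1234"},
    "db": {"password": "${DB_PASSWORD}"},
    "payments": {"secret_key": "constructed-secret-5678"},
})
SAMPLE_DOTENV = """# constructed .env sample
DB_PASSWORD="constructed-db-pass"
AWS_SECRET_ACCESS_KEY=<fill in before deploy>
JWT_SECRET='constructed-jwt-secret'
"""
```

Run as a pre-commit hook over staged config.json and .env files, a non-empty result blocks the commit; the placeholder list is deliberately narrow, so tune it to your own conventions.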

The Role of Postman in API Hacking

Another underutilized OSINT resource is Postman. Many organizations upload API collections to postman.com, sometimes without realizing that they are publicly accessible. By searching Postman’s API repository, Ben found internal API specifications, authentication tokens, and request headers that could be exploited in attacks.

In one case, a security team had locked down their main API portal behind an SSO login, preventing unauthorized users from accessing it. However, an exposed Postman collection contained API requests that bypassed the SSO check, allowing full access to internal tools.

Extending the Attack Surface with OSINT

One of the key takeaways from Ben’s talk was the importance of continuously asking, “What else can I do?”

For instance, after finding an exposed API, instead of stopping at leaked credentials, he looked deeper into GitHub repositories to find forgotten test accounts. When a login page required a username, instead of brute-forcing it, he used AI tools to generate likely usernames based on local naming conventions.

By combining OSINT with traditional API hacking, he was able to:

  • Identify and exploit vulnerable endpoints hidden from automated scanners.
  • Find sensitive credentials stored in public repositories.
  • Use Postman collections to bypass authentication restrictions.
  • Expose internal APIs by analyzing naming patterns and company infrastructure.

Conclusion

The combination of OSINT and API hacking is a game-changer for security professionals. By looking beyond standard security assessments and embracing public intelligence sources, researchers can uncover hidden vulnerabilities and significantly expand the attack surface they are able to assess.

If you’re interested in pushing the boundaries of API security, integrating OSINT techniques into your methodology is a must. As Ben demonstrated, sometimes the most valuable information isn’t hidden deep within an application—it’s publicly available, waiting to be found.

For more insights go watch Ben’s talk: https://youtu.be/7OmMTFRRzXs

Follow Ben on Nahamsec.com and stay tuned for more upcoming API security webinars from APIsec University.
