GitHub: HamzaKhan-Cyber/API-Discovery
A multi-stage Python security scanning tool focused on finding hidden API endpoints, leaked credentials and misconfigurations in web applications.
# 🔍 API Discovery

```
Hidden API Endpoint Finder v2.0
For Authorized Testing Only
```
## ⚠️ Disclaimer
## ✨ Features
### 🔎 9-phase scanning engine
| Phase | Description |
|-------|-------------|
| **Phase 1** | `robots.txt` and `sitemap.xml` parsing, with nested sitemap support |
| **Phase 2** | JavaScript file scanning: extracts API paths plus 25+ secret types |
| **Phase 3** | WAF detection (Cloudflare, AWS, Akamai, Sucuri, F5, ModSecurity) |
| **Phase 4** | Multi-threaded wordlist brute-force with 700+ built-in API paths |
| **Phase 5** | Path validation and soft-404 filtering |
| **Phase 6** | CORS misconfiguration detection (CRITICAL / HIGH / MEDIUM) |
| **Phase 7** | Severity scoring: CRITICAL / HIGH / MEDIUM / LOW / INFO |
| **Phase 8** | HTTP method testing (GET, POST, PUT, DELETE, PATCH, OPTIONS) |
| **Phase 9** | JWT vulnerability testing: `alg:none` bypass and weak-secret cracking |
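Phase 9 tests for the two classic JWT weaknesses: servers that honour `alg:none` and servers that sign with a guessable HMAC secret. The following is an added example (not code from the API-Discovery project) of the verifier-side check a defender puts in place against both: the accepted algorithm comes from a server-side allowlist rather than from the token header, and HS256 keys shorter than the 32 bytes RFC 7518 requires are refused. The allowlist, the key-length floor and the sample token are this example's own assumptions; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json

# Assumed policy for this example: accept HS256 only. RFC 7518 section 3.2
# requires an HMAC key at least as long as the hash output (32 bytes for HS256).
ALLOWED_ALGS = {"HS256"}
MIN_HS256_KEY_BYTES = 32


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that the JWT compact form strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_is_acceptable(key: bytes) -> bool:
    """Short secrets are what the weak-key phase cracks; refuse them outright."""
    return len(key) >= MIN_HS256_KEY_BYTES


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256 (used here to build test input)."""
    if not key_is_acceptable(key):
        raise ValueError("HS256 key must be at least %d bytes" % MIN_HS256_KEY_BYTES)
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, ("%s.%s" % (header, body)).encode("ascii"), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, body, b64url_encode(sig))


def verify_jwt(token: str, key: bytes):
    """Return (True, payload) for a valid token, otherwise (False, reason).

    The algorithm is never taken from the token: a header of {"alg":"none"}
    (or any other value outside ALLOWED_ALGS) is rejected before the
    signature is even decoded, so an unsigned token cannot pass.
    """
    if not key_is_acceptable(key):
        return False, "server key too short for HS256"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected three segments"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "malformed: header is not valid JSON"
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return False, "alg not allowed: %r" % (header.get("alg") if isinstance(header, dict) else header,)
    expected = hmac.new(key, ("%s.%s" % (header_b64, payload_b64)).encode("ascii"), hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed: signature is not base64url"
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return False, "signature mismatch"
    try:
        return True, json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed: payload is not valid JSON"


if __name__ == "__main__":
    demo_key = b"k" * 32  # constructed key for the demo; use a random 32+ byte secret in practice
    token = sign_hs256({"sub": "alice", "role": "user"}, demo_key)
    print(verify_jwt(token, demo_key))
```

The order of checks matters: the allowlist test runs before any signature work, so the `alg:none` case fails on policy rather than on a comparison against an empty signature, and `hmac.compare_digest` keeps the signature check constant-time.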
### 🛡️ Smart detection
- **Soft-404 detection** via `difflib.SequenceMatcher`, eliminating false positives
- **Sliding-window rate-limit detector**: pauses automatically on 429 and backs off automatically when a 403 pattern is detected
- **Jitter delay**: randomised timing (±50%) to evade WAFs
- **Authenticated scanning**: Bearer token, Basic auth, cookie, custom headers
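Soft-404 pages are the main source of false positives in path discovery: the server answers 200 for everything and the scanner reports hundreds of "endpoints" that are all the same "not found" template. The block below is an added example, not the project's own `difflib.SequenceMatcher` code, of how that filtering works: fetch a random path that cannot exist, keep its body as the baseline, and drop any 200 response whose body (with the echoed request path removed) is near-identical to it. The 0.90 threshold, the normalisation step and the sample bodies are this example's own assumptions.

```python
import difflib
import re
import secrets

# Assumed threshold: a body at least this similar to the known-missing baseline is
# treated as the same "not found" template. Tune it per target.
SOFT404_THRESHOLD = 0.90


def random_probe_path() -> str:
    """A path that should not exist; its response becomes the soft-404 baseline."""
    return "/" + secrets.token_hex(8)


def normalize(body: str, path: str) -> str:
    # Drop the echoed request path and collapse whitespace so that only the page
    # template is compared, not the part that changes with every request.
    body = body.replace(path, "")
    body = re.sub(r"\s+", " ", body)
    return body.strip().lower()


def similarity(body_a: str, path_a: str, body_b: str, path_b: str) -> float:
    matcher = difflib.SequenceMatcher(None, normalize(body_a, path_a), normalize(body_b, path_b))
    return matcher.ratio()


def is_soft_404(body, path, baseline_body, baseline_path, threshold=SOFT404_THRESHOLD) -> bool:
    return similarity(body, path, baseline_body, baseline_path) >= threshold


def filter_soft_404s(responses, baseline_body, baseline_path):
    """responses: iterable of (path, status, body). Returns (path, status) pairs worth reporting."""
    kept = []
    for path, status, body in responses:
        if status == 200 and is_soft_404(body, path, baseline_body, baseline_path):
            continue  # a 200 that is really the "not found" page
        kept.append((path, status))
    return kept


# Constructed sample bodies (not captured from any real site).
_TEMPLATE = ("<html><head><title>Oops</title></head><body><h1>Page not found</h1>"
             "<p>Sorry, {path} does not exist.</p><footer>Example Corp</footer></body></html>")
BASELINE_PATH = "/zz9x8y7w6v5u4t3s"
BASELINE_BODY = _TEMPLATE.format(path=BASELINE_PATH)
SAMPLE_RESPONSES = [
    ("/api/admin", 200, _TEMPLATE.format(path="/api/admin")),                 # soft 404: same template
    ("/api/users", 200, '{"users":[{"id":1,"name":"alice"}],"total":1}'),      # real endpoint
    ("/api/internal", 403, "<html><body><h1>Forbidden</h1></body></html>"),   # kept: status is not 200
]

if __name__ == "__main__":
    for path, status in filter_soft_404s(SAMPLE_RESPONSES, BASELINE_BODY, BASELINE_PATH):
        print(status, path)
```

Removing the echoed path before comparing is what makes the ratio reach 1.0 for a true template match; without it, a long path can drag two identical templates below the threshold and the false positive slips through.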
### 🔐 Secret detection (25+ types)
- AWS access keys, GitHub tokens, Google OAuth, Stripe keys
- JWT tokens, Slack webhooks, SendGrid, Mailgun, Twilio
- Database connection strings, hard-coded passwords, internal IPs
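The same signatures that find secrets in a deployed bundle are what a team should run over its own JavaScript before it ships. The block below is an added example, not the project's `js_scanner.py`, of a line-oriented regex scanner covering a subset of the types listed above, with values masked so the report itself does not become a second leak. The vendor key formats (AWS `AKIA`/`ASIA`, GitHub `gh?_`, Stripe `sk_live_`, Google client IDs, Slack webhook URLs) are the publicly documented ones; the generic password and internal-IP rules are heuristics of this example, and the sample file is constructed.

```python
import re

# Vendor formats are the public ones; the last two rules are heuristics that
# will need tuning for a real code base (assumed for this example).
SECRET_PATTERNS = {
    "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitHub Token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "Stripe Live Key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "Google OAuth Client ID": re.compile(r"\b[0-9]+-[a-z0-9]{32}\.apps\.googleusercontent\.com\b"),
    "Slack Webhook": re.compile(r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
    "JWT Token": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*"),
    "Generic Secret / Password": re.compile(r"(?i)(?:password|passwd|pwd|secret)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
    "Internal IP": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
}


def mask(value: str) -> str:
    """Keep enough of the value to recognise the finding without repeating the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_js(source: str, filename: str = "<inline>"):
    """Return one finding per pattern hit: file, 1-based line, type and masked value."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                # Patterns with a capture group report only the secret, not the key name.
                value = match.group(1) if match.groups() else match.group(0)
                findings.append({"file": filename, "line": lineno, "type": kind, "value": mask(value)})
    return findings


# Constructed sample bundle; the AWS value is Amazon's documentation example key.
SAMPLE_JS = """\
const config = {
  region: "us-east-1",
  awsAccessKeyId: "AKIAIOSFODNN7EXAMPLE",
  slackHook: "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
  dbPassword: "Sup3rS3cretPass!",
  metricsHost: "http://10.0.0.5:9090/metrics",
  publicCdn: "https://cdn.example.com/assets",
};
"""

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS, "main.js"):
        print("[!] SECRET FOUND in %s:%d  %s  %s" % (f["file"], f["line"], f["type"], f["value"]))
```

Run this as a pre-commit or CI step over the built bundle rather than only over source files: minifiers and bundlers inline environment variables, so a key that never appears in the repository can still land in `main.js`.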
### 📊 Output formats
- `report.txt`: human-readable terminal report
- `report.json`: machine-readable structured data
- `report.md`: Markdown report with severity tables
## 📦 Installation
```
# Clone the repository
git clone https://github.com/HamzaKhan-Cyber/API-Discovery.git
cd API-Discovery
# Install dependencies
pip install -r requirements.txt
```
### Requirements
```
requests
beautifulsoup4
colorama
urllib3
PyJWT (optional — for JWT testing)
```
## 🚀 Usage
### Basic scan
```
python api_discovery.py -u https://target.com
```
### Full scan with all options
```
python api_discovery.py -u https://target.com \
  -t 20 \
  --delay 1 \
  --show-all \
  --min-severity INFO \
  --version-fuzz
```
### Authenticated scan
```
# Bearer token
python api_discovery.py -u https://target.com \
  --auth-type bearer --auth-token YOUR_TOKEN
# Cookie-based
python api_discovery.py -u https://target.com \
  --cookie "session=abc123; csrf=xyz"
# Custom header
python api_discovery.py -u https://target.com \
  --header "X-API-Key: your-key-here"
```
### Resume an interrupted scan
```
python api_discovery.py -u https://target.com --resume
```
### Custom wordlist
```
python api_discovery.py -u https://target.com \
  -w /path/to/wordlist.txt
```
## ⚙️ All options
```
-u, --url          Target base URL (e.g. https://example.com)
-t, --threads      Concurrent threads (default: 10)
-w, --wordlist     Custom wordlist path
--timeout          Request timeout in seconds (default: 5)
--delay            Delay between requests (default: 0)
--show-all         Show all severity levels in detail
--min-severity     Minimum severity to display (CRITICAL/HIGH/MEDIUM/LOW/INFO)
--no-js            Skip JavaScript scanning
--no-robots        Skip robots.txt / sitemap.xml
--no-brute         Skip wordlist bruteforce
--version-fuzz     Fuzz discovered paths with API version variants (v1-v5, beta, latest)
--resume           Resume interrupted scan
--auth-type        Auth type: bearer / basic / cookie / custom
--auth-token       Auth credentials
--cookie           Cookie header value
--header           Custom header (repeatable)
--waf-aggressive   Aggressive WAF detection with payloads
-o, --output       Output filename without extension (default: api_discovery_report)
```
## 📸 Sample output
### Scan configuration
```
╔════════════════════════════════════════════════════════╗
║ SCAN CONFIGURATION ║
╚════════════════════════════════════════════════════════╝
[*] Target URL : https://juice-shop.herokuapp.com
[*] Threads : 10
[*] Timeout : 5s
[*] Status Codes : 200,201,301,302,403,405,500
```
### Discovered secrets
```
[!] SECRET FOUND in main.js
Type : Google OAuth
Value : 1005568560502-6hm16lef8oh46hr2d98vf2ohlnj4nfhq...
[!] SECRET FOUND in main.js
Type : Generic Secret / Password
Value : IamUsedForTesting
```
### Severity summary (OWASP Juice Shop)
```
╔══════════════════════════════════════════╗
║ SEVERITY SUMMARY ║
╠══════════════════════════════════════════╣
║ [CRITICAL] 61 ║
║ [HIGH] 58 ║
║ [MEDIUM] 18 ║
║ [LOW] 274 ║
║ [INFO] 23 ║
╠══════════════════════════════════════════╣
║ Total 434 ║
╚══════════════════════════════════════════╝
```
### CORS findings
```
[CORS-HIGH] rest/admin/application-configuration
Wildcard (*) Access-Control-Allow-Origin — any site can read responses
[CORS-HIGH] support/logs
Wildcard (*) Access-Control-Allow-Origin — any site can read responses
```
### Critical endpoints found
```
[CRITICAL] [200] /rest/admin/application-version
Source: bruteforce
Reason: Contains keyword: admin | Status 200: publicly accessible
[CRITICAL] [200] /rest/admin/application-configuration
Source: bruteforce
Reason: Contains keyword: admin | Status 200: publicly accessible
```
## 🗂️ Project structure
```
API-Discovery/
├── api_discovery.py        # Main entry point
├── requirements.txt        # Dependencies
├── wordlists/
│   └── api_paths.txt       # Built-in wordlist (700+ paths)
└── core/
    ├── bruteforcer.py      # Multi-threaded brute-force + WAF detection
    ├── cors_scanner.py     # CORS misconfiguration detection
    ├── crawler.py          # robots.txt, sitemap, JS discovery
    ├── display.py          # Colored terminal output
    ├── js_scanner.py       # JavaScript secret + path extraction
    ├── jwt_tester.py       # JWT vulnerability testing
    └── severity.py         # Endpoint severity scoring engine
```
## 🧪 Tested against
| Target | Findings |
|--------|----------|
| OWASP Juice Shop | 434 endpoints: 61 CRITICAL, 2 secrets, 31 CORS misconfigurations |
| DVWA | ✅ Tested |
| HackTheBox Labs | ✅ Tested |
## 👤 Author
**Hamza Khan**
- GitHub: [@HamzaKhan-Cyber](https://github.com/HamzaKhan-Cyber)
- LinkedIn: [hamza-khan-908590287](https://linkedin.com/in/hamza-khan-908590287)
- Medium: [@Senapi_9](https://medium.com/@Senapi_9)
## 📄 License
MIT License, see [LICENSE](LICENSE) for details.
*Built for authorized security testing and educational use only.*