Description
While exploring the modules, I noticed that Swagger/OpenAPI is currently only detected through passive technology fingerprinting in web_technologies.yaml (for example detecting swagger-ui-bundle.js).
However, many applications expose Swagger/OpenAPI documentation through predictable endpoints that are commonly used during reconnaissance, such as:
- /swagger-ui.html
- /swagger
- /swagger-ui/
- /api-docs
- /v3/api-docs
- /swagger.json
- /openapi.json
These endpoints can sometimes expose full API schemas and unauthenticated routes.
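To illustrate what a document served from one of these paths can reveal, here is an added example (not code from this issue or the project) that checks whether a fetched body is an OpenAPI 3 / Swagger 2 JSON document and lists the operations whose effective security requirement is empty; the path list and the sample spec are constructed for the demonstration.

```python
"""Check a fetched body for an OpenAPI/Swagger document and list unauthenticated operations."""
import json

# Candidate documentation paths from the proposal above (constructed list for this example).
SWAGGER_PATHS = ["/swagger-ui.html", "/swagger", "/swagger-ui/", "/api-docs",
                 "/v3/api-docs", "/swagger.json", "/openapi.json"]

# Keys of a path item that denote operations; other keys (summary, parameters) are skipped.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def is_openapi_document(body):
    """Return the parsed spec if body is a JSON OpenAPI 3 or Swagger 2 document, else None."""
    try:
        spec = json.loads(body)
    except (ValueError, TypeError):
        return None
    if isinstance(spec, dict) and ("openapi" in spec or "swagger" in spec):
        return spec
    return None


def unauthenticated_operations(spec):
    """List 'METHOD /path' operations with no effective security requirement.

    A per-operation 'security' list overrides the top-level one, and an explicit
    empty list disables authentication for that operation.
    """
    global_security = spec.get("security", [])
    found = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(operation, dict):
                continue
            if not operation.get("security", global_security):
                found.append(f"{method.upper()} {path}")
    return found


# Constructed sample standing in for the body returned by one of SWAGGER_PATHS.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users": {"get": {"summary": "list users"}},
        "/health": {"get": {"security": []}},
        "/admin/export": {"parameters": [], "post": {"security": []}},
    },
})

if __name__ == "__main__":
    for operation in unauthenticated_operations(is_openapi_document(SAMPLE_SPEC)):
        print("no auth requirement:", operation)
```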
Proposal
Add these common Swagger/OpenAPI paths to the payload wordlists used by modules such as:
- dir_scan
- config_scan
This would allow the scanner to actively probe for exposed API documentation endpoints instead of relying only on passive fingerprinting.
Benefits
- Expands API reconnaissance coverage
- Helps identify exposed API documentation
- May reveal unauthenticated API endpoints during recon
Implementation
This should be a relatively small change: extend the relevant wordlists with the endpoints listed above.
If this approach looks good, I’d be happy to work on implementing it.