Endpoint Discovery

Mapping MED v1.0.0 updated 2026-04-04

Uncover hidden routes, API endpoints, and web resources by combining passive URL harvesting with active directory brute-forcing and JavaScript analysis.

Tools

gau, waybackurls, katana, feroxbuster, ffuf, gospider, linkfinder

Tags

mapping, web, api, directory-brute-force, js-analysis, historical-urls

// checklist steps

endpt-01

Historical URL harvesting

Pull URLs from the Wayback Machine, Common Crawl, and other passive sources.

gau --threads 5 target.com | tee gau-urls.txt
waybackurls target.com >> gau-urls.txt
sort -u gau-urls.txt -o historical-urls.txt

Historical URLs often reveal deprecated API versions, internal paths, and files that were never meant to be public.

endpt-02

Active crawling

Spider live pages to discover endpoints that passive sources miss.

katana -u https://target.com -depth 3 -js-crawl -o katana-urls.txt
gospider -s https://target.com -d 3 -o gospider-out/

endpt-03

Directory and path brute-force

Brute-force common paths and directories using curated wordlists.

feroxbuster -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,js,json,xml -o ferox-out.txt
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,301,302,403 -o ffuf-out.json

Filter by response size and content type to cut down false positives; use ffuf's -fc to exclude known-noise status codes.

endpt-04

JavaScript endpoint extraction

Parse JavaScript files to extract hardcoded API routes, secrets, and internal endpoints.

cat historical-urls.txt katana-urls.txt | grep '\.js$' | sort -u > js-files.txt
while read -r url; do python3 linkfinder.py -i "$url" -o cli; done < js-files.txt
nuclei -l js-files.txt -t exposures/tokens/ -o js-secrets.txt

endpt-05

Parameter discovery

Fuzz discovered endpoints for hidden query parameters.

cat historical-urls.txt | unfurl keys | sort -u > known-params.txt
ffuf -u 'https://target.com/api/users?FUZZ=test' -w known-params.txt -mc 200 -o param-fuzz.json
arjun -u https://target.com/api/users -oJ arjun-params.json

Overview

Endpoint discovery builds a comprehensive map of the application’s web surface. Attackers who invest time in thorough mapping consistently find more high-severity vulnerabilities than those who jump straight to testing.

Combining sources

No single source gives a complete picture. Combine:

  1. Passive sources (Wayback, gau) — historical depth, no noise
  2. Active crawling (katana) — current application state
  3. Brute-force (feroxbuster, ffuf) — paths not linked anywhere
  4. JavaScript analysis (linkfinder) — internal routes, API keys

What to watch for

  • Versioned API paths (/v1/, /v2/, /api/internal/)
  • Admin and management interfaces
  • File extensions that shouldn’t be public (.env, .bak, .git/config)
  • GraphQL introspection endpoints (/graphql, /api/graphql)
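Added example (not part of the original checklist): a small Python triage script that merges the URL lists produced by the steps above, deduplicates them to unique endpoints, collects query parameter names (the same idea as the unfurl keys step), and buckets endpoints by the patterns this list names, so an application owner reviewing their own exposed surface can see at a glance what was found. The category regexes and the sample URLs are constructed assumptions.

```python
"""Consolidate harvested URL lists and bucket unique endpoints by the
patterns the checklist flags. Added example; sample data is constructed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed regexes mirroring the "What to watch for" list.
CATEGORIES = {
    "versioned_api": re.compile(r"/(v\d+|api/internal)(/|$)"),
    "admin": re.compile(r"/(admin|manage(ment)?|console)(/|$)", re.I),
    "sensitive_file": re.compile(r"(\.env|\.bak|\.git/config)$"),
    "graphql": re.compile(r"/(api/)?graphql$"),
}

def normalize(url: str) -> str:
    """scheme://host/path with query and fragment dropped, host lowercased,
    so one endpoint seen with different parameters counts once."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"

def triage(lines):
    """Deduplicate URLs, gather parameter names, bucket endpoints by category."""
    endpoints, params = set(), set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        endpoints.add(normalize(line))
        query = urlsplit(line).query
        params.update(k for k, _ in parse_qsl(query, keep_blank_values=True))
    buckets = {name: [] for name in CATEGORIES}
    for ep in sorted(endpoints):
        path = urlsplit(ep).path
        for name, pattern in CATEGORIES.items():
            if pattern.search(path):
                buckets[name].append(ep)
    return {"unique": len(endpoints), "params": sorted(params), "buckets": buckets}

# Constructed sample resembling merged gau/katana output.
SAMPLE = """https://target.com/api/v1/users?id=1
https://target.com/api/v1/users?id=2&sort=name
https://TARGET.com/api/v1/users
https://target.com/api/internal/health
https://target.com/admin/
https://target.com/backup/site.bak
https://target.com/.git/config
https://target.com/api/graphql
https://target.com/static/app.js""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["unique"], "unique endpoints; params:", result["params"])
    for name, urls in result["buckets"].items():
        print(f"{name}: {urls}")
```

To run it on real output, replace SAMPLE with the lines of historical-urls.txt and katana-urls.txt.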

// references

  1. https://github.com/lc/gau
  2. https://github.com/projectdiscovery/katana
  3. https://github.com/epi052/feroxbuster
  4. https://github.com/ffuf/ffuf
  5. https://github.com/GerbenJavado/LinkFinder