Intro

There are many useful tools in the dev tool section of any modern browser.

I am currently using Chrome so that is what this post will be about.

What

Dynamic content

Most websites these days use JavaScript. 

When you are looking for URLs or endpoints during the recon stage of an application, it can be difficult to find paths that are built at runtime.

If you use a regex to search a JavaScript file for URLs, you may not find many useful results, because the routes are created dynamically or populated from a config.

How

Memory tab

We will use the Twitter API as an example.

  1. Authenticate to your Twitter account
  2. Browse to Home
  3. Press Command+Option+C (Mac) or Control+Shift+C (Windows, Linux, ChromeOS).
  4. Go to the Memory tab.
  5. Click “Take Snapshot” at the bottom of the page.

Let’s look at the Twitter API endpoints. You will notice that there are several versions of the Twitter API, such as v1.1 and v2. If we can find the base path for each of these APIs, we can use it as a search string in our heap snapshot.

Clicking on one of the API spec examples gives us what we are looking for.

GET /2/tweets/:id

Go back to the Memory tab in Chrome dev tools and press Ctrl-f to search the memory snapshot for “/2/”.

This should reveal readable strings, some of which will be random or unrelated to what we searched for.

You can keep hitting Enter to cycle through the results, which should show you a bunch of API endpoints.

For example, here are some I found:

/2/guide/insert_feedback/trend_not_interested_in_this_feedback_key.json
/2/notifications/feedback.json?main_feedback_type=SeeLessOften
/2/timeline/social_proof.json
/1.1/account/not_my_account/get_masked_data.json
/1.1/videos/

The memory snapshot contains the dynamic content because it is captured after the JavaScript has already executed and built those strings.

You can search for whatever you like. For example, to discover other API hosts you could search for “api.twitter”.

Here are some I found.

https://ads-api.twitter.com
cdn.api.twitter.com
https://api.twitter.com

Use your imagination. 

For example, we know the Twitter API uses the syntax “:some_identifier” to denote an argument to a REST endpoint, e.g. /2/tweets/:id.

These are the results of searching for “:” in the heap snapshot.

/i/reports/:reportId([0-9]+)
/i/birdwatch/u/:alias
/messages/:conversationId([0-9-]+)/group-info
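The same Ctrl-F searches can be run offline against a snapshot saved from the Memory tab, which is handy for a developer checking which endpoint strings and route templates their own app leaves in client memory. This is an added example, not code from the post or from the GitHub project mentioned below; it assumes the saved .heapsnapshot file is JSON whose top-level "strings" array holds every string value in the heap, and the sample snapshot embedded here is constructed from the paths shown above.

```python
import json
import re

# Constructed sample in the shape of a saved Chrome .heapsnapshot file.
# Only the "strings" table matters for this search; the other keys are stubs.
SAMPLE_SNAPSHOT = json.dumps({
    "snapshot": {"meta": {}},
    "nodes": [],
    "edges": [],
    "strings": [
        "(GC roots)",
        "/2/timeline/social_proof.json",
        "/1.1/account/not_my_account/get_masked_data.json",
        "https://api.twitter.com",
        "/i/reports/:reportId([0-9]+)",
        "some unrelated text",
        "/2/timeline/social_proof.json",  # duplicates are common in a real heap
    ],
})

# Patterns equivalent to the manual searches in the post.
VERSIONED_PATH = re.compile(r"^/\d+(?:\.\d+)?/[\w./?=&-]+$")   # "/2/", "/1.1/"
ROUTE_PARAM = re.compile(r"/:[A-Za-z_]\w*")                    # "/:id" style args
HOSTNAME = re.compile(r"(?:https?://)?[\w.-]*api\.twitter\.com")  # "api.twitter"


def load_strings(snapshot_text):
    """Return the 'strings' table from heap snapshot JSON text."""
    return json.loads(snapshot_text)["strings"]


def find_matches(strings, pattern):
    """Unique strings matching pattern, in first-seen order."""
    found = []
    for s in strings:
        if pattern.search(s) and s not in found:
            found.append(s)
    return found


def report(snapshot_text):
    """Group the interesting heap strings by the kind of search that finds them."""
    strings = load_strings(snapshot_text)
    return {
        "versioned_paths": find_matches(strings, VERSIONED_PATH),
        "param_routes": find_matches(strings, ROUTE_PARAM),
        "api_hosts": find_matches(strings, HOSTNAME),
    }


if __name__ == "__main__":
    # For a real file: report(open("Heap-snapshot.heapsnapshot").read())
    for kind, values in report(SAMPLE_SNAPSHOT).items():
        print(kind, *values, sep="\n  ")
```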

Outro

There is a Burp Suite BApp that will do a regex-based search; you can install it if you have Burp Suite Professional.

The BApp is based on this GitHub project, which you can run outside of Burp Suite.

I used Twitter as an example; they have a well-documented API.

This technique isn’t limited to searching for API paths.

You can discover all sorts of dynamically created content in the heap snapshot.

Happy hunting.
