SKILL: API Recon and Docs — Endpoints, Schemas, and Version Surface
AI LOAD INSTRUCTION
Use this skill first when the target is a REST, mobile, or GraphQL API and you need to enumerate endpoints, documentation, versions, and hidden surface area before exploitation.
1. PRIMARY GOALS
Discover all reachable API entrypoints.
Extract schemas, optional fields, and role differences.
Identify old versions, mobile paths, GraphQL endpoints, and undocumented parameters.
2. RECON CHECKLIST
JavaScript and client mining
curl https://target/app.js | grep -oE '(/api|/rest|/graphql)[^"'\'' ]+' | sort -u
Common documentation and schema paths
/swagger.json
/openapi.json
/api-docs
/docs
/.well-known/
/graphql
/gql
Version and product drift
/api/v1/
/api/v2/
/api/mobile/v1/
/legacy/
3. WHAT TO EXTRACT FROM DOCS
optional and undocumented fields
admin-only request examples
deprecated endpoints that may still be active
schema hints like additionalProperties: true
parameter names tied to filtering, sorting, IDs, roles, or tenancy
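An added example, not part of the original skill: a Python audit that an API owner can run over their own OpenAPI 3 document to list the items above before the spec is published (deprecated operations, schemas that set additionalProperties: true, and parameters whose names suggest IDs, roles, tenancy, filtering or sorting). The sample spec, its paths and the keyword list are constructed assumptions.

```python
import json
import re

# Assumed keyword list for names tied to IDs, roles, tenancy, filtering, sorting.
KEYWORDS = {"id", "ids", "role", "roles", "tenant", "org", "filter", "sort", "order"}
METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed sample OpenAPI 3 document; paths and schemas are illustrative only.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.3", "paths": {
    "/api/v1/orders/{orderId}": {
      "parameters": [{"name": "orderId", "in": "path"}],
      "get": {"deprecated": true, "parameters": [{"name": "expand", "in": "query"}]}},
    "/api/v2/orders": {
      "get": {"parameters": [{"name": "tenant_id", "in": "query"}, {"name": "sortBy", "in": "query"}]}}},
  "components": {"schemas": {
    "Order": {"type": "object", "additionalProperties": true},
    "Item": {"type": "object", "additionalProperties": false}}}
}""")

def name_tokens(name):
    """Split camelCase, snake_case and kebab-case names into lowercase words."""
    return {t.lower() for t in re.findall(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+", name)}

def open_schemas(node, path="#"):
    """Yield pointers to schemas that explicitly set additionalProperties: true."""
    if isinstance(node, dict):
        if node.get("additionalProperties") is True:
            yield path
        for key, child in node.items():
            yield from open_schemas(child, f"{path}/{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from open_schemas(child, f"{path}/{i}")

def audit(spec):
    """Return deprecated operations, open schemas and sensitive parameter names."""
    report = {"deprecated": [], "open_schemas": sorted(open_schemas(spec)), "params": []}
    for route, item in sorted(spec.get("paths", {}).items()):
        for method in sorted(METHODS.intersection(item)):
            op, label = item[method], f"{method.upper()} {route}"
            if op.get("deprecated"):
                report["deprecated"].append(label)
            for p in item.get("parameters", []) + op.get("parameters", []):
                if name_tokens(p.get("name", "")) & KEYWORDS:
                    report["params"].append((label, p["name"]))
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SPEC), indent=2))
```

Only an explicit true is flagged; in OpenAPI 3.0 a schema that omits additionalProperties is equally permissive, so an empty open_schemas list still calls for a check that the keyword is set to false where extra fields must be rejected.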
4. NEXT ROUTING
Finding | Next Skill
object IDs everywhere | api authorization and bola
JWT, OAuth, role claims | api auth and jwt abuse
GraphQL or hidden fields | graphql and hidden parameters
strong auth boundary but suspicious business flow | business logic vulnerabilities