apihunter 0.1.2

Async API security scanner with passive and active checks for CORS, CSP, GraphQL, JWT, OpenAPI, and API posture.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

use std::collections::HashSet;

use tracing::debug;

use crate::{error::CapturedError, http_client::HttpClient};

use super::normalize_path;

/// Interesting response headers that may reveal internal API paths / links
const LINK_HEADERS: &[&str] = &["link", "location", "x-redirect-to", "content-location"];

pub struct HeaderDiscovery<'a> {
    client: &'a HttpClient,
    base_url: &'a str,
    host: &'a str,
}

impl<'a> HeaderDiscovery<'a> {
    pub fn new(client: &'a HttpClient, base_url: &'a str, host: &'a str) -> Self {
        Self {
            client,
            base_url,
            host,
        }
    }

    /// Probe the root URL (GET + HEAD) and extract navigational paths from headers.
    pub async fn run(&self) -> (HashSet<String>, Vec<CapturedError>) {
        let mut paths = HashSet::new();
        let mut errors = Vec::new();

        for probe in &[
            self.client.get(self.base_url).await,
            self.client.head(self.base_url).await,
        ] {
            match probe {
                Ok(resp) => {
                    for key in LINK_HEADERS {
                        if let Some(val) = resp.header(key) {
                            for raw in self.extract_link_targets(val) {
                                if let Some(p) = normalize_path(&raw, self.host) {
                                    paths.insert(p);
                                }
                            }
                        }
                    }
                }
                Err(e) => errors.push(e.clone()),
            }
        }

        debug!("[headers] found {} paths", paths.len());
        (paths, errors)
    }

    /// Parse RFC 5988 Link header values like:
    /// `</api/v2>; rel="next", </docs>; rel="help"`
    fn extract_link_targets(&self, header_val: &str) -> Vec<String> {
        header_val
            .split(',')
            .filter_map(|part| {
                // Extract the <...> URI reference from each link item
                let start = part.find('<')?;
                let end = part.find('>')?;
                if end > start {
                    Some(part[start + 1..end].trim().to_string())
                } else {
                    None
                }
            })
            .collect()
    }
}