April 2, 2025
Zero to Pro The Ultimate Guide to CDX API for Your Bug Bounty Recon Journey: Let’s talk about the…
Photo by Giulia May on Unsplash

By Akash Ghosh
4 min read
🔎 Why CDX API is a Game-Changer for You
Bug bounty hunters thrive on reconnaissance, and the Wayback Machine's CDX API is one of the most powerful tools for historical data gathering. It allows researchers to retrieve archived URLs, old JavaScript files, forgotten API endpoints, and even subdomains — all without touching the target server. This makes it an invaluable resource for finding exposed credentials, outdated endpoints, and vulnerable functionalities that companies may have forgotten.
In this guide, we'll cover advanced CDX API usage, automation tools, filtering techniques, and real-world applications to supercharge your bug bounty recon. 🚀
📌 You need to know that 'What is the CDX API…..Right?'
The Capture Index (CDX) API is a feature of the Wayback Machine that provides structured access to archived records of websites. It helps bug bounty hunters retrieve past snapshots of web pages, which can reveal:
- Old API endpoints that may still be active
- JavaScript files containing exposed secrets
- Deprecated admin panels & authentication mechanisms
- Subdomains that no longer exist in DNS but are still functional
- Input fields vulnerable to XSS, SQLi, or SSRF attacks
🔗 CDX API Base URL:
https://web.archive.org/cdx/search/cdxhttps://web.archive.org/cdx/search/cdx🔥 Now Let's start with Some Advanced CDX API Commands for Recon
1️⃣ Retrieve All Archived URLs for a Target
curl "https://web.archive.org/cdx/search/cdx?url=*.example.com/*&output=text&fl=original&collapse=urlkey"curl "https://web.archive.org/cdx/search/cdx?url=*.example.com/*&output=text&fl=original&collapse=urlkey"📌 What it does: Fetches all unique URLs that have ever been archived for example.com.
2️⃣ Extract JavaScript Files for API Keys & Tokens
curl "https://web.archive.org/cdx/search/cdx?url=example.com/*.js&output=text&fl=original"curl "https://web.archive.org/cdx/search/cdx?url=example.com/*.js&output=text&fl=original"📌 What it does: Finds archived JavaScript files that may contain hardcoded API keys, secrets, or internal endpoints.
3️⃣ Find Input Parameters for Injection Testing
echo "example.com" | waybackurls | grep '?'echo "example.com" | waybackurls | grep '?'📌 What it does: Extracts URLs with query parameters, useful for SQL Injection, XSS, and SSRF testing.
4️⃣ Find Old Web Pages & Hidden Endpoints by Year
curl "https://web.archive.org/cdx/search/cdx?url=example.com/*&from=20150101&to=20250318&output=text&fl=original"curl "https://web.archive.org/cdx/search/cdx?url=example.com/*&from=20150101&to=20250318&output=text&fl=original"📌 What it does: Retrieves URLs archived between 2015 and 2025, which may reveal old unpatched vulnerabilities
5️⃣ Extract Subdomains Using the Wayback Machine
https://web.archive.org/cdx/search/cdx?url=*.example.com&fl=original&collapse=urlkey&output=texthttps://web.archive.org/cdx/search/cdx?url=*.example.com&fl=original&collapse=urlkey&output=text📌 What it does: Enumerates subdomains from archived records, helping identify forgotten assets and internal systems.
6️⃣ Fetch Specific File Types (JSON, XML, PHP, etc.)
https://web.archive.org/cdx/search/cdx?url=example.com/*.json&output=text&fl=originalhttps://web.archive.org/cdx/search/cdx?url=example.com/*.json&output=text&fl=original📌 What it does: Fetches archived JSON files, which may contain API responses, authentication tokens, and sensitive configurations.
⚡ Automating Recon with CDX API Tools
🔹 waybackurls — Quick Archive Extraction
go install github.com/tomnomnom/waybackurls@latest
echo "example.com" | waybackurls
echo "example.com" | waybackurls > output.txt ## for save as outputgo install github.com/tomnomnom/waybackurls@latest
echo "example.com" | waybackurls
echo "example.com" | waybackurls > output.txt ## for save as output📌 Why use it? Extracts Wayback Machine URLs efficiently and eliminates duplicates.
🔹 waymore — Advanced Wayback Machine Recon
git clone https://github.com/xnl-h4ck3r/waymore.git
cd waymore
pip install -r requirements.txt
python waymore.py -i exampythple.comgit clone https://github.com/xnl-h4ck3r/waymore.git
cd waymore
pip install -r requirements.txt
python waymore.py -i exampythple.com📌 Why use it? Provides better filtering, bulk scanning, and automation for Wayback recon.
🔹 gau — Collect URLs from Multiple Sources
go install github.com/lc/gau/v2/cmd/gau@latest
echo "example.com" | gaugo install github.com/lc/gau/v2/cmd/gau@latest
echo "example.com" | gau📌 Why use it? Finds URLs, endpoints, and subdomains from Wayback, Common Crawl, and other sources.
🛠️ Real-World Bug Bounty Use Cases
✅ Discovering Forgotten Admin Panels — Historical archives may expose /admin, /dashboard, or internal portals that were later removed but still accessible.
✅ Finding Deprecated APIs — Many APIs are abandoned but still operational. CDX API helps locate API endpoints used in older versions of a website.
✅ Uncovering Hardcoded Secrets — JavaScript files stored in the archive may still contain API keys, credentials, or authentication tokens.
✅ Enumerating Old Subdomains — Subdomains that were once public but removed from DNS records might still be active internally.
✅ Identifying XSS & Injection Points — Historical archives may contain old, insecure forms or query parameters vulnerable to Cross-Site Scripting (XSS) and SQL Injection.
🏆 Pro Tips for Bug Bounty Hunters Using CDX API
🔹 Use Regular Expressions to Filter Results — Extract only the relevant paths, file types, or parameters from the results.
curl "https://web.archive.org/cdx/search/cdx?url=example.com/*&output=text" | grep -E 'login|admin|config'curl "https://web.archive.org/cdx/search/cdx?url=example.com/*&output=text" | grep -E 'login|admin|config'🔹 Combine CDX API with Other Recon Tools — Use it alongside Subfinder, Amass, and Assetfinder for maximum coverage.
subfinder -d example.com | xargs -I {} curl "https://web.archive.org/cdx/search/cdx?url=*.{}/*&output=text"subfinder -d example.com | xargs -I {} curl "https://web.archive.org/cdx/search/cdx?url=*.{}/*&output=text"🔹 Look for Old Login Pages for Credential Reuse Attacks — If an old login.php file is archived, users may still have accounts on it!
curl "https://web.archive.org/cdx/search/cdx?url=example.com/login.php&output=text"curl "https://web.archive.org/cdx/search/cdx?url=example.com/login.php&output=text"🚀 Why Every Bug Hunter Should Use CDX API
CDX API is an underrated goldmine for recon. It allows you to dig into historical web data, find hidden attack surfaces, and discover vulnerabilities that modern scanners miss. By leveraging archived information, you can locate forgotten assets, unpatched endpoints, and misconfigured APIs — all while staying passive and stealthy. 🔥
Let's Connect and Hack the planet Together 🌍
I love sharing my bug bounty journey, recon tips, and security insights in my Twitter please follow me for more you need to know. If you found this helpful, let's stay connected:
🐦 Twitter/X: https://twitter.com/myselfakash20 💼 LinkedIn: https://linkedin.com/in/myselfakash20 💻 GitHub: https://github.com/myselfakash20
If you find anything wrong in this article please let me know in the comment section
- Thank You