July 14, 2026
API Hacking Basics Every Bug Bounty Hunter Should Know
The website is the front. The API is where the bugs live.
By Masood Nfc
1 min read
Modern apps are two layers. The pretty website you see, and the API behind it that does the real work. The website has buttons that stop you doing the wrong thing. The API often does not. That gap is where bug hunters live.
The website lies to you, the API does not
A button might be greyed out so you cannot click delete. But the delete still exists as an API call. The website hid the button. It did not remove the power. Send the API request directly and the server may happily do it. Always test the API, not just the buttons.
Find the API first
Open Burp or your browser dev tools and watch the network traffic while you use the app. Every action fires API calls. You will see paths like slash api slash v1 slash users. That is your map. The endpoints the app calls are your target list.
Look for the version number
See v1 in the path? Try v2. Try v0. Try internal. Older API versions often still work and often have weaker security because everyone forgot about them. Version swapping is a cheap trick that finds real bugs.
Test the methods
Each endpoint can accept different actions. GET to read. POST to create. PUT and PATCH to change. DELETE to remove. The app might only use GET, but the server might still accept DELETE. Try the other methods and see what the server allows.
Hunt for missing authorization
This is the big one. Take an API call that returns your data. Change the id to someone else id. If you get their data, the API forgot to check ownership. APIs are where these bugs are most common because developers assume only the app will ever call them.
Check what the API returns
APIs often return more than the website shows. The website displays your name. The API response behind it might include your full record, internal flags, other user ids, even password hashes if someone was careless. Read the raw response, not the rendered page.
Look for the documentation
Many APIs publish their own docs, sometimes at paths like slash swagger or slash api docs. If you find these, you get a complete map of every endpoint and parameter, handed to you for free.
The mindset shift
Stop thinking about the app as pages. Start thinking about it as a set of API calls, each one a question you send the server. Your job is to ask questions the developer did not expect. Find the API. Map the endpoints. Change the ids. Try the methods. That is where a huge share of modern bounties are paid.