loading
loading
Recon
Find endpoints belonging to a domain across public GitHub code.
overview
github-endpoints searches public GitHub for URLs and endpoints that reference a target domain. Developers commit config files, client code, and docs that name internal and external paths, and those references leak a picture of an application's surface no live crawler can reach. Point the tool at a domain and it harvests every endpoint it can find in indexed code.
Searches run through the GitHub code-search API, so you supply one or more API tokens. The tool rotates tokens to stretch the rate limit, quick mode skips the extra language and noise searches for a faster pass, and extended mode also looks for dummy variants of the domain to widen the net.
On Trickest, github-endpoints is a Recon node that takes a domain and tokens and writes a file and a folder of endpoints. Run it next to subdomain and link discovery to seed content-discovery and probing stages with paths pulled straight from source code rather than guessed from a wordlist.
use cases
Search public GitHub for a domain to pull API routes and paths out of config files and client code that a live crawl would never reach.
Feed the harvested endpoints into a fuzzer or prober so the next stage tests paths that exist instead of generic wordlist guesses.
Supply a comma-separated token list or a token file so the tool spreads requests across keys and keeps searching past a single token's rate limit.
Schedule the node against your domains and diff the results to catch new paths as developers push code that references them.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | -d | Domain you are looking for (required). |
| tokens | STRING | -t | List of GitHub API tokens separated by commas. |
| tokens-file | FILE | -t | A file containing one GitHub API token per line. |
| quick | BOOLEAN | -q | Quick mode; skip the extra language searches and added noise. |
| extended-mode | BOOLEAN | -e | Extended mode; also look for dummy-prefixed variants of the domain. |
| relative | BOOLEAN | -r | Display relative URLs instead of absolute (default false). |
| all | BOOLEAN | -all | Display URLs of all other domains found, not only the target. |
| raw | BOOLEAN | -raw | Emit raw output with no formatting. |
Showing key inputs. github-endpoints exposes 9 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| all | BOOLEAN | -all | Display URLs of all other domains found, not only the target. |
| raw | BOOLEAN | -raw | Emit raw output with no formatting. |
| quick | BOOLEAN | -q | Quick mode; skip the extra language searches and added noise. |
| domain | STRING | -d | Domain you are looking for (required). |
| tokens | STRING | -t | List of GitHub API tokens separated by commas. |
| relative | BOOLEAN | -r | Display relative URLs instead of absolute (default false). |
| tokens-file | FILE | -t | A file containing one GitHub API token per line. |
| extended-mode | BOOLEAN | -e | Extended mode; also look for dummy-prefixed variants of the domain. |
| exit-when-tokens-get-limited | BOOLEAN | -k | Exit the program once every token has been rate-limited. |
example
# harvest endpoints for a domain, rotating a token file, quick passgithub-endpoints -d example.com -t tokens.txt -qhttps://api.example.com/v1/usershttps://api.example.com/v2/auth/loginhttps://app.example.com/internal/healthhttps://staging.example.com/api/ordershttps://example.com/.well-known/security.txthttps://cdn.example.com/assets/config.jsonhttps://dev.example.com/graphqlhttps://example.com/admin/settingsguidance
Use github-endpoints when you want endpoints that live in source code, not on the running site. It needs GitHub API tokens to search. Pair it with github-subdomains for the same passive source and with a link finder like golinkfinder for the live-page side.
Same author and token model, but harvests subdomains instead of endpoints from public GitHub.
Extracts endpoints from live HTML and JavaScript rather than from committed source code.
Pulls historical URLs from web archives; a different passive source for the same goal.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domain feeds github-endpoints, which mines public GitHub for paths and hands them to httpx so only endpoints that respond land as output.
Facts on this page come from the live Trickest tool library.