loading
loading
Discovery
A tool for auditing endpoints defined in exposed Swagger and OpenAPI definition files.
overview
Swagger Jacker takes an exposed API definition, a Swagger or OpenAPI file you found at a URL or pulled to disk, and turns it into an audit of the API it describes. A leaked spec lists every documented route, method, and parameter, a map an attacker would otherwise have to guess at. Swagger Jacker reads that map and exercises it instead of leaving it as a static document.
It runs in modes chosen by a command argument: list the endpoints declared in the spec, automate requests against each one, brute force a host to locate the definition file, convert the spec into a plain list of URLs, or prepare per-endpoint curl commands for manual testing. Rate limiting, custom headers, proxy support, and a configurable user agent let you drive the requests responsibly and route them through tooling like Burp. A safe-word option keeps flagged, potentially destructive operations from firing by accident.
On Trickest, Swagger Jacker is a Discovery-category node that takes a definition URL or local file and writes a file and a folder of results. Place it after you locate an exposed spec: discovery finds the definition file, Swagger Jacker enumerates and tests the routes it declares, and the findings land as a queryable output.
source github.com/BishopFox/sj
use cases
Run the endpoints command against a discovered Swagger or OpenAPI file to extract every documented path and method as structured data the workflow can act on.
Use automate mode to send a request to each endpoint the definition declares, with --rate limiting and a --proxy so the traffic stays controlled and observable.
Point brute mode at a host to probe common paths where a Swagger or OpenAPI file tends to live, then audit the spec once it turns up.
Set --target to a host that differs from where the documentation lives, useful when a spec is served from a CDN but the API runs elsewhere.
Use convert mode to write the spec out as a plain list of URLs, or prepare mode to emit curl commands, so a fuzzer or scanner downstream can consume the endpoints cleanly.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | Load the documentation file from a URL. |
| local-file | FILE | --local-file | Load the documentation from a local file. |
| command | STRING | · | Mode to run: automate, brute, convert, endpoints, or prepare. |
| target | STRING | --target | Set a request target if it differs from where the docs reside. |
| format | STRING | --format | Format of the definition file (json, yaml, yml, js). |
| rate | STRING | --rate | Limit the number of requests per second (default 15). |
| headers | STRING | --headers | Add custom headers in Name: Value form, repeatable. |
| proxy | STRING | --proxy | Proxy host and port, for example http://127.0.0.1:8080. |
Showing key inputs. swagger-jacker exposes 15 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | Load the documentation file from a URL. |
| local-file | FILE | --local-file | Load the documentation from a local file. |
| command | STRING | · | Mode to run: automate, brute, convert, endpoints, or prepare. |
| target | STRING | --target | Set a request target if it differs from the host the documentation resides on. |
| format | STRING | --format | Format of the definition file: json, yaml, yml, or js (default json). |
| base-path | STRING | --base-path | Set the API base path if the definition omits it, for example /V2/. |
| rate | STRING | --rate | Limit the number of requests per second (default 15). |
| timeout | STRING | --timeout | Request timeout period in seconds (default 30). |
| headers | STRING | --headers | Add a custom header in Name: Value form; repeatable. |
| agent | STRING | --agent | Set the User-Agent string sent with each request. |
| randomize-user-agent | BOOLEAN | --randomize-user-agent | Randomize the User-Agent string (default false). |
| proxy | STRING | --proxy | Proxy host and port, for example http://127.0.0.1:8080. |
| insecure | BOOLEAN | --insecure | Ignore server certificate validation. |
| safe-word | STRING | --safe-word | Exempt the given word from the dangerous-word check; repeatable. |
| quiet | BOOLEAN | --quiet | Do not prompt for input; use default values for all requests. |
example
# list every route the exposed spec declaressj endpoints --url https://example.com/v2/swagger.json # replay each documented request through Burp, rate-limitedsj automate --url https://example.com/v2/swagger.json --proxy http://127.0.0.1:8080 --rate 10GET https://example.com/api/v2/usersPOST https://example.com/api/v2/usersGET https://example.com/api/v2/users/{id}PUT https://example.com/api/v2/users/{id}DELETE https://example.com/api/v2/users/{id}GET https://example.com/api/v2/ordersPOST https://example.com/api/v2/orders/{id}/refundGET https://example.com/api/v2/admin/configguidance
Reach for Swagger Jacker when you have found an exposed Swagger or OpenAPI definition and want to audit the API it describes. It is spec-driven, so it needs a definition file as input. For discovering the spec or testing routes you do not have documentation for, pair it with a crawler and a fuzzer.
Crawls an app to find the spec and other endpoints. Run it to locate the definition Swagger Jacker then audits.
Brute forces routes without a spec. Use it when there is no definition file to read.
Tests known issues with templates. Complements Swagger Jacker once the routes are enumerated.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
An exposed spec URL feeds Swagger Jacker, which enumerates and tests the documented routes and writes the audited endpoints as an output.
Facts on this page come from the live Trickest tool library.