KiteRunner – Hacker Tools: Next-level API hacking 👩‍💻

When facing API endpoints, older directory-busting tools tend to be very ineffective. The days when a webserver was just a directory tree are behind us. Modern ‘routes’ have taken over, and wildly bruteforcing filenames isn’t effective anymore. We need to be smarter and scan based on popular API layouts. Let’s look at how KiteRunner can help with that!

🙋‍♂️ What is KiteRunner?

As KiteRunner’s GitHub readme.md page explains, content discovery tools have traditionally focused on finding files and folders. For modern web applications and frameworks, and APIs in particular, this approach isn’t effective anymore.

The creators felt like there was a need for a tool that can effectively brute force endpoints and routes in modern applications and that’s how KiteRunner was born.

Many modern frameworks (Flask, Rails, Express, Django and more) follow the paradigm of defining routes that expect certain headers, methods and so on. With this specific knowledge, and through internet-wide searches for route names, methods, parameters and headers, KiteRunner can bruteforce API endpoints smarter and faster.
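To make the difference concrete, here is an added example (not KiteRunner's code and not from its readme) that models a route-based API in memory and compares filename-style guesses with route-aware requests. The route table, the paths and the status-code behaviour are constructed assumptions that mirror how such frameworks commonly respond.

```python
# Constructed route table for a hypothetical API: (method, pattern, required Content-Type).
ROUTES = [
    ("GET", "/api/v1/users/{id}", None),
    ("POST", "/api/v1/users", "application/json"),
    ("DELETE", "/api/v1/sessions/{id}", None),
]


def match(pattern, path):
    """True when every path segment equals the pattern segment or fills a {placeholder}."""
    p, q = pattern.strip("/").split("/"), path.strip("/").split("/")
    return len(p) == len(q) and all(
        a == b or (a.startswith("{") and a.endswith("}")) for a, b in zip(p, q)
    )


def respond(method, path, content_type=None):
    """Status code the modelled router returns for one request."""
    hits = [r for r in ROUTES if match(r[1], path)]
    if not hits:
        return 404  # no route: intermediate paths such as /api are not "directories"
    for route_method, _, required_type in hits:
        if route_method == method:
            if required_type and content_type != required_type:
                return 415  # route and method exist, header is wrong
            return 200
    return 405  # route exists, but not for this method


def discovered(requests):
    """Paths whose response shows that a route exists (anything except 404)."""
    return sorted({p for m, p, c in requests if respond(m, p, c) != 404})


# Filename-style wordlist, GET only, as a classic directory buster would send it.
FILE_STYLE = [("GET", "/" + w, None)
              for w in ("admin", "users.php", "api", "backup.zip", "sessions")]

# Route-aware requests: full path, method, placeholder value and content type.
ROUTE_STYLE = [
    ("GET", "/api/v1/users/1", None),
    ("POST", "/api/v1/users", "application/json"),
    ("DELETE", "/api/v1/sessions/1", None),
]

if __name__ == "__main__":
    print("filename-style:", discovered(FILE_STYLE))
    print("route-aware:   ", discovered(ROUTE_STYLE))
```

In this model, 405 and 415 responses confirm that a route exists even though the request itself failed, which is why returning uniform errors for unauthenticated requests gives away less than per-route status codes.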

👷‍♀️ Setting up KiteRunner

As with many of these tools, the setup couldn’t be simpler.

Note: The name of the binary is kt. We recommend moving it into your path!

Installing KiteRunner

🐱‍🏍 Our first scan

Check out the video below for an example of a scan!

🚧 Conclusion

KiteRunner is a powerful tool to help you uncover all the secret routes that APIs hold. Mastering it will allow you to find vulnerabilities on endpoints unknown to others!

If you would like to recommend a tool for us to cover next week, then be sure to let us know down below. Also be sure to check out all the previous Hacker Tools articles, such as the last one on WPScan.


Did you know that there is a video accompanying this article? Check out the playlist!