30 Days of API Testing - Day 9: Share some tools we can use to discover what API calls our applications are making

I always use Chrome developer tools by pressing F12 to capture API calls. Besides that, I found a Chrome extension, Web Sniffer, that does this. Web Sniffer looks cooler than Chrome developer tools.

3 Likes

I usually use Chrome DevTools > Network tab to discover requests

I have just tried to download and run Fiddler, Charles and Wireshark. They are so great, but they are quite complicated and difficult for me to get an overview of; maybe I need to spend more time researching how to use them.

2 Likes

To discover the API calls in a web application, I usually use:

  • Browser Dev Tools -> Network tab: easy access to see what API call…
  • Fiddler: a strong tool that is extendable with plugins. I made a plugin for myself.

And thanks to all the comments above, I found a new tool, Charles. I am going to play with it now.

6 Likes

Some tools to discover API calls:

  • API Monitor
  • Process Monitor
  • AlertSite

3 Likes

Before reading this post I was only aware of Charles and browsers’ Network tab to inspect API calls. I’ve been using Charles and found it to be very cool, although it has a bit of a learning curve.

1 Like

Interested to know what can be used to discover S2S API calls. Does it mean running Fiddler or Wireshark on the server to capture network traffic?

Yes, I believe that is one possible approach, provided you have access to the network where the “server” of interest is running, and you have access to run a sniffer on the network (or on the server) to monitor the outgoing traffic from the server that doesn’t go to clients but to another server. For the sniffer, Wireshark would be the desired tool, since it can capture any traffic coming out of the server and it doesn’t have to run on the server, just on the network. Using tools like Fiddler, Charles Proxy, or some other proxy will require reconfiguring the server of interest to route network requests through the proxy in order for you to see them (usually this is more streamlined/automated if you are able to run the proxy on the server itself, but more work when run externally).

The tricky part is then figuring out the S2S calls from the captured traffic.

Note that, as others have said, it would be preferable to read the API documentation, in case the documentation mentions what S2S calls exist; I assume it might not, depending on how the API is documented.

Another option to try is to analyze the server’s application/service logs. Sometimes the S2S calls might be logged, which you can check.

1 Like
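The "tricky part" above is sorting the server's own outbound requests from the client traffic it serves. As an added example (not code from the original post), here is one way to do that over a tshark field export of the capture; the server address, the tshark command and all sample rows are assumptions constructed for this illustration.

```python
"""Separate server-to-server (S2S) HTTP requests from client traffic.

Assumes the capture was exported with tshark in field mode, for example:
  tshark -r server.pcap -Y http.request -T fields -E separator=, \
    -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport \
    -e http.host -e http.request.method -e http.request.uri
TLS-protected calls only show up here if tshark can decrypt them (for
example via a TLS key log file); the sample rows below are constructed.
"""
import csv
from collections import defaultdict
from io import StringIO

SERVER_IP = "10.0.0.5"  # assumed address of the server being observed

# Constructed export: two inbound client calls and three outbound calls.
SAMPLE_EXPORT = """\
1700000000.10,192.168.1.20,10.0.0.5,80,shop.example.test,GET,/api/cart
1700000000.25,10.0.0.5,10.0.0.9,8080,inventory.internal,GET,/v1/stock?sku=42
1700000000.31,10.0.0.5,203.0.113.7,80,payments.example.test,POST,/v2/charges
1700000001.02,192.168.1.21,10.0.0.5,80,shop.example.test,POST,/api/checkout
1700000001.40,10.0.0.5,10.0.0.9,8080,inventory.internal,POST,/v1/reserve
"""

FIELDS = ["ts", "src", "dst", "dport", "host", "method", "uri"]

def parse_export(text):
    """Turn the comma-separated tshark rows into a list of dicts."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]

def find_s2s_calls(requests, server_ip):
    """Return requests the server itself initiated, grouped by destination host.
    A request is S2S when the server is the request's *source* (acting as a
    client); inbound client calls have the server as destination instead.
    """
    by_host = defaultdict(list)
    for req in requests:
        if req["src"] == server_ip:
            by_host[req["host"]].append((req["method"], req["uri"].split("?")[0]))
    return dict(by_host)

def s2s_inventory(text=SAMPLE_EXPORT, server_ip=SERVER_IP):
    """Parse the export and classify it in one step."""
    return find_s2s_calls(parse_export(text), server_ip)

if __name__ == "__main__":
    for host, calls in s2s_inventory().items():
        print(host, calls)
```

The grouped result doubles as an inventory of the upstream services the server depends on, which is what you would compare against the API documentation or the application logs mentioned above.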

With more than 2 years’ experience in mobile testing, I have used Fiddler and browser developer tools to catch the API calls our applications are making.
After reading all your posts and researching on the Internet, I found some other tools that we can use:

  • Web Sniffer (Chrome Addon)
  • Wizdler (Chrome Addon)

1 Like

I am old school and am not afraid to say it. I use the developer tools to inspect an API. The first time I discovered the Network tab in the developer tools it was like walking into Wonderland.

But to keep it short and to the point, I do the below:

  1. Investigate the traffic in the network tab
  2. Proxy the traffic to see it more clearly and maybe to do some security checks as well
  3. Explore/play with the requests in a REST client (Postman, usually)
  4. Report bugs big and small 🙂

So far I have tried the following tools to inspect API calls:

  • Google developer tools (Network, Console tabs)
  • Firefox developer tools. There is a nice feature called edit and resend (not sure if this is also available in Chrome)
  • Burp Suite
  • Postman
  • Insomnia
  • httpie

Some related links

Burp Suite

Firefox