0x30 - Hidden API Endpoints in WADL Files
Did you know you can find hidden API endpoints in Web Application Description Language (WADL) files? application.wadl is an XML file that describes the resources exposed by a web service. It is broadly similar to Swagger, but far less well known.
Common paths include:
- GET /application.wadl
- GET /api/application.wadl
- GET /application.wadl?detail=true
The application.wadl file can contain details about:
- Available endpoint paths
- A description of each function
- Required parameters
- The type and content of the response
How to do it
1. Check whether the app is hosting an application.wadl file on the common paths.
2. Download the application.wadl file from the target domain.
3. Use SoapUI to import the WADL file.
4. Explore the discovered endpoints.
5. (Optional) Import it into Burp using the SwaggerParser extension.
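To see exactly what a WADL advertises without a GUI tool, here is an added example (not part of the original tip, and not SoapUI's or Burp's code) that parses a constructed sample application.wadl with only the standard library and lists every method with its full path, declared parameters and response media types. The sample service, its base URL and its resources are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the 2009 WADL schema that Jersey emits (not a real service).
SAMPLE_WADL = """<?xml version="1.0" encoding="UTF-8"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
  <resources base="https://api.example.invalid/rest/">
    <resource path="users">
      <method name="GET" id="listUsers">
        <request><param name="page" style="query" type="xs:int"/></request>
        <response><representation mediaType="application/json"/></response>
      </method>
      <resource path="{userId}">
        <param name="userId" style="template" type="xs:string"/>
        <method name="DELETE" id="deleteUser"/>
      </resource>
    </resource>
    <resource path="admin/export">
      <method name="POST" id="exportAll">
        <response><representation mediaType="text/csv"/></response>
      </method>
    </resource>
  </resources>
</application>"""

def _q(ns: str, name: str) -> str:
    """Qualify a tag with the document's namespace (empty if the WADL has none)."""
    return f"{{{ns}}}{name}" if ns else name

def list_endpoints(wadl_text: str) -> list[dict]:
    """Return one record per <method>, with its full path and declared parameters."""
    root = ET.fromstring(wadl_text)
    # Take the namespace from the root tag so the 2006 and 2009 WADL schemas both parse.
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    endpoints: list[dict] = []
    def walk(resource: ET.Element, prefix: str, inherited: list) -> None:
        path = (prefix + "/" + resource.get("path", "").strip("/")).rstrip("/") or "/"
        # <param> elements on a resource (template, matrix) apply to every nested method.
        params = inherited + [(p.get("name"), p.get("style", "")) for p in resource.findall(_q(ns, "param"))]
        for m in resource.findall(_q(ns, "method")):
            req = [(p.get("name"), p.get("style", "")) for p in m.findall(f"{_q(ns, 'request')}/{_q(ns, 'param')}")]
            media = [r.get("mediaType", "") for r in m.findall(f"{_q(ns, 'response')}/{_q(ns, 'representation')}")]
            endpoints.append({"method": m.get("name", "").upper(), "path": path,
                              "params": params + req, "response_types": media})
        for child in resource.findall(_q(ns, "resource")):  # nested resources extend the path
            walk(child, path, params)
    for resources in root.findall(_q(ns, "resources")):
        for r in resources.findall(_q(ns, "resource")):
            walk(r, "", [])
    return endpoints
```

Run over your own service's WADL, the output is the operation inventory the file makes public; any method you did not intend to publish (the sample's DELETE and admin export, say) is a sign that either the resource or the WADL itself should not be exposed.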