API Tester
The API Tester probes web APIs the way an attacker would: fuzzing for undocumented endpoints and, for GraphQL, introspecting the schema to reveal every query and mutation the server exposes.
- Category: Web & API
- Powered by: ffuf + HTTP requests
- Edition: Pro
- Where: Desktop → API Tester tab
What it does
APIs leak in two ways: endpoints nobody documented, and GraphQL schemas that happily describe themselves. The API Tester fuzzes paths to discover the former and runs GraphQL introspection to dump the latter — so you can see the full operation surface and check what is actually protected.
How to use it
1. Enter the API base. Provide the base URL, e.g. https://api.example.com.
2. Choose a mode. Endpoint fuzzing, GraphQL introspection, or both.
3. Run & review. Click Test. Discovered endpoints and the GraphQL schema appear as results come back.
Modes & options
- Endpoint fuzzing — try a wordlist of paths to find undocumented routes.
- GraphQL introspection — dump the schema (types, queries, mutations) if introspection is enabled.
- Headers/auth — add tokens to test authenticated surfaces.
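The introspection mode relies on the server answering the standard `__schema` query. The script below is an added example, not the API Tester's own code: it sends that query and turns the response into a short list of queries and mutations, or reports that introspection is switched off (the expected state in production). The `/graphql` path and the sample responses are assumptions and constructed data, not taken from the page.

```python
"""Added example (not the API Tester's own code): summarise a GraphQL
introspection response and tell whether introspection is exposed at all.

The HTTP call is isolated in fetch_introspection so the parsing can be
exercised offline against the constructed sample responses below.
"""
import json
import urllib.request
from typing import Optional

# The standard introspection query, trimmed to what the summary needs.
INTROSPECTION_QUERY = """
query {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      kind
      fields { name }
    }
  }
}
"""


def fetch_introspection(base_url: str, headers: Optional[dict] = None,
                        timeout: float = 10.0) -> dict:
    """POST the introspection query and return the decoded JSON body.
    Assumption: the GraphQL endpoint lives at <base_url>/graphql (hypothetical
    path; the page does not say where the tool looks)."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/graphql",
        data=body,
        headers={"Content-Type": "application/json", **(headers or {})},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def summarize_schema(response: dict) -> dict:
    """Return {'introspection_enabled', 'queries', 'mutations', 'errors'}.

    A server with introspection disabled normally answers with an `errors`
    array and no data.__schema; that is the hardened state, so it is
    reported as introspection_enabled=False rather than as a failure."""
    schema = (response.get("data") or {}).get("__schema")
    if not schema:
        return {
            "introspection_enabled": False,
            "queries": [],
            "mutations": [],
            "errors": [e.get("message", "") for e in response.get("errors", [])],
        }
    by_name = {t["name"]: t for t in schema.get("types", [])}

    def field_names(root: Optional[dict]) -> list:
        # Root operation type may be absent (e.g. a schema with no mutations).
        if not root:
            return []
        t = by_name.get(root["name"], {})
        return sorted(f["name"] for f in (t.get("fields") or []))

    return {
        "introspection_enabled": True,
        "queries": field_names(schema.get("queryType")),
        "mutations": field_names(schema.get("mutationType")),
        "errors": [],
    }


# Constructed sample responses (not captured from any real API).
SAMPLE_OPEN = {
    "data": {"__schema": {
        "queryType": {"name": "Query"},
        "mutationType": {"name": "Mutation"},
        "types": [
            {"name": "Query", "kind": "OBJECT",
             "fields": [{"name": "me"}, {"name": "users"}]},
            {"name": "Mutation", "kind": "OBJECT",
             "fields": [{"name": "deleteUser"}, {"name": "resetPassword"}]},
            {"name": "User", "kind": "OBJECT",
             "fields": [{"name": "id"}, {"name": "email"}]},
        ],
    }}
}
SAMPLE_CLOSED = {
    "errors": [{"message": "introspection is disabled on this server"}]
}

if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("closed", SAMPLE_CLOSED)):
        print(label, summarize_schema(sample))
```

Against a live API, `summarize_schema(fetch_introspection("https://api.example.com"))` gives the same shape; a production check passes when `introspection_enabled` is `False`, and when it is `True` the mutation list is the first thing to review for operations that should never be reachable from the outside.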
What you get
A list of discovered endpoints (with status codes) and, for GraphQL, the introspected schema. Anything sensitive that responds without auth is an immediate finding to fix.
Tips
- Disable GraphQL introspection in production — if the API Tester can dump it, so can anyone.
- Test both unauthenticated and authenticated to spot broken access control.
- No ffuf yet? A demo result previews the workflow before you install it.
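The "test both unauthenticated and authenticated" tip is easiest to act on when the two runs are compared side by side. The script below is an added example (not the API Tester's own code): it probes each discovered path once without credentials and once with an Authorization header and buckets the results, so endpoints that answer 200 to anyone stand out for review. The probe is injectable, and the `FAKE_API` table is constructed data standing in for a live server; the bearer token is a placeholder.

```python
"""Added example (not the API Tester's own code): classify discovered
endpoints by how they answer with and without credentials, to surface
broken access control."""
from typing import Callable, Dict, List
import urllib.error
import urllib.request

Probe = Callable[[str, dict], int]  # (url, headers) -> HTTP status code


def http_status(url: str, headers: dict) -> int:
    """Real probe: GET the URL and return the status, 4xx/5xx included."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def classify(base_url: str, paths: List[str], auth_headers: dict,
             probe: Probe = http_status) -> Dict[str, List[str]]:
    """Bucket each path by its (anonymous, authenticated) status pair:
       unauthenticated_200 - 200 without a token: review whether it should be
       protected           - 401/403 without a token, 200 with one
       missing             - 404 both ways (wordlist noise)
       other               - anything else (500s, redirects, auth-only errors)"""
    result: Dict[str, List[str]] = {
        "unauthenticated_200": [], "protected": [], "missing": [], "other": []
    }
    for p in paths:
        url = base_url.rstrip("/") + "/" + p.lstrip("/")
        anon = probe(url, {})
        authed = probe(url, auth_headers)
        if anon == 200:
            result["unauthenticated_200"].append(p)
        elif anon in (401, 403) and authed == 200:
            result["protected"].append(p)
        elif anon == 404 and authed == 404:
            result["missing"].append(p)
        else:
            result["other"].append(p)
    return result


# Constructed response table standing in for a live API (not real data):
# path -> (status without token, status with token)
FAKE_API = {
    "/users": (401, 200),
    "/admin/export": (200, 200),   # answers to anyone: a finding to fix
    "/health": (200, 200),         # public by design; still listed for review
    "/internal/debug": (404, 404),
    "/reports": (403, 500),
}


def fake_probe(url: str, headers: dict) -> int:
    """Offline probe that answers from FAKE_API instead of the network."""
    path = "/" + url.split("/", 3)[3]  # drop scheme and host
    anon, authed = FAKE_API.get(path, (404, 404))
    return authed if "Authorization" in headers else anon


def demo() -> Dict[str, List[str]]:
    return classify(
        "https://api.example.com",
        list(FAKE_API),
        {"Authorization": "Bearer TOKEN-PLACEHOLDER"},
        probe=fake_probe,
    )


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

Swap `fake_probe` for the default `http_status` and feed in the paths the fuzzing run discovered; every entry in `unauthenticated_200` then needs a decision about whether that route is meant to be public, which is the finding the "What you get" section describes.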
Authorized use only. Only test APIs you own or are permitted to assess. Inputs are sanitized and subprocesses run without shell=True.