How to use undocumented web APIs

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com
Testing Web Testing Frameworks GraphQL Runner

WorkOS
Our great sponsors
  • WorkOS - The modern identity platform for B2B SaaS
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • SaaSHub - Software Alternatives and Reviews
Our great sponsors

  • curl-impersonate

    curl-impersonate: A special build of curl that can impersonate Chrome & Firefox

    • The first problem can be solved with curl-impersonate: https://github.com/lwthiker/curl-impersonate

    "A special compilation of curl that makes it impersonate Chrome & Firefox", and it now can also impersonate Edge and Safari.

    Previously discussed: https://news.ycombinator.com/item?id=30378562 _Show HN: Curl modified to impersonate Firefox and mimic its TLS handshake_ (21 days ago, 58 comments)

  • gobuster

    Directory/File, DNS and VHost busting tool written in Go

    • gobuster is an effective way to enumerate subdomains and their directories quickly.

    https://github.com/OJ/gobuster

  • WorkOS

    The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

    WorkOS logo

  • instagram-private-api

    NodeJS Instagram private API SDK. Written in TypeScript.

    • The most trivial check a website owner can do is checking the user-agent, which Python requests automatically sets to show its name, unless you configure your own. Trivial way to work around is to set your own user-agent to one that looks like a browser.

    Specifically regarding Instagram, you can take a look at the implementation of https://github.com/dilame/instagram-private-api to understand more workarounds, as Instagram is getting better and better at working against the workarounds.

  • puppeteer

    Node.js API for Chrome

    • I found puppeteer very nice to script against if you need a real headless browser:

    https://github.com/puppeteer/puppeteer

  • Capybara

    Acceptance test framework for web applications

  • Playwright

    Playwright is a framework for Web Testing and Automation. It allows testing Chromium, Firefox and WebKit with a single API.

    • [Playwright](https://playwright.dev/) (Node / Python) is my current preferred - mainly because I seem to have less reliability issues with the browser starting/stopping cleanly (although it's never perfect with any of the tools I've tried).

  • clairvoyance

    Obtain GraphQL API schema even if the introspection is disabled

    • You may not even need introspection--

    https://github.com/nikitastupin/clairvoyance

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo

  • GraphQLmap

    GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. - Do not use for illegal testing ;)

  • browsercookie

    • If you still use the website via browser, I find https://github.com/richardpenman/browsercookie/ is great for working around the expiring cookie problem

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts