apisniff 0.1.2

One tool for API recon: preflight defenses, capture real traffic, extract a usable spec.

apisniff

One tool for API recon: preflight defenses, capture real traffic, extract a usable spec.

What you get

• Probe a URL in 10 seconds, classify 25+ vendor products (Cloudflare, Akamai, DataDome, PerimeterX, Imperva, Kasada, and more)
• Browse a site through a local mitmproxy instance. Noise is filtered automatically; you keep only API calls.
• Import HAR files or Burp Suite exports for offline analysis
• Generate an OpenAPI spec from captured traffic with schema inference and example values
• Replay captured calls against the live API and see what changed
• Export safely: derived artifacts only, no raw traffic, no credentials

Install

brew tap 4LAU/tap && brew install apisniff
# or
pip install apisniff
# or
pipx install apisniff
# or
uv tool install apisniff

Requires Python 3.12+.

Quick Start

# Check what defenses a site has
apisniff probe example.com

# Capture live traffic (opens Chrome + proxy)
apisniff recon example.com

# Generate an API spec from the capture
apisniff spec example.com -o spec.yaml

# Replay captured calls to detect drift
apisniff replay example.com

# Export a safe, shareable summary
apisniff share example.com

Commands

Command	Purpose	Docs
probe	Defense preflight: assess defenses, detect vendors, check rate limits	Reference →
recon	Capture + classify: browse through proxy, filter noise, generate report	Reference →
analyze	Offline analysis: import HAR, Burp XML, or JSONL captures	Reference →
replay	Replay captured calls and detect API drift	Reference →
spec	Generate OpenAPI 3.0.3 from captured traffic	Reference →
share	Export shareable summary (no raw traffic, no credentials)	Reference →

Every command supports --help for full flag documentation. See the CLI spec for output format contracts and conventions.

Guides

• Getting started: install to API map in 5 minutes
• Workflow recipes: map an API, check for drift, compare defenses
• Capture formats: HAR, Burp XML, JSONL explained

Important Warnings

Only run apisniff against systems you own, administer, or have explicit permission to test. The tool is built for API discovery and debugging, but it sends real requests and can capture sensitive session data.

Your IP address is exposed

This tool sends real HTTP requests from your IP. Aggressive or repeated probing can get you rate-limited or blocked. apisniff probe rate fires 20 rapid requests, so use it deliberately. Route through --proxy if you don't want to expose your IP.

Results reflect your IP's reputation. Residential IPs see fewer challenges than datacenter/cloud IPs. Use --proxy to compare results from different vantage points.

Capture files contain sensitive data

recon and analyze capture full HTTP traffic including cookies, auth tokens, API keys, and form submissions. Raw bundles are stored locally with owner-only permissions and are never safe to share, commit, or upload.

Use apisniff share to create a safe export with only derived artifacts.

Why recon needs the mitmproxy certificate

apisniff recon uses mitmproxy, an open source SSL/TLS-capable intercepting proxy for HTTP/1, HTTP/2, and WebSockets. apisniff starts it locally, opens Chrome with that local proxy configured, then records the HTTP flows that pass through it.

HTTPS is encrypted between the browser and the origin server, so a proxy cannot read request paths, JSON bodies, headers, or responses unless the browser trusts the proxy during the TLS handshake. mitmproxy solves this by creating a local certificate authority the first time it runs, stored under ~/.mitmproxy, and generating site certificates on the fly for the domains you visit. Installing or trusting that CA certificate tells the browser: "for this local capture session, allow this proxy to inspect HTTPS traffic."

Treat the certificate like sensitive local configuration. A trusted CA can decrypt proxied HTTPS traffic, so only install the mitmproxy CA on machines and browser profiles you control. apisniff uses a local proxy on 127.0.0.1 and launches Chrome with --proxy-server=http://127.0.0.1:8080; regular browsing and apps are unaffected unless you route them through that proxy. If Chrome shows certificate warnings, start apisniff recon, open http://mitm.it in the proxied Chrome window, and follow mitmproxy's platform-specific certificate instructions.

More detail: mitmproxy certificate docs and how mitmproxy works.

What to do with the spec

# Generate a client library
openapi-generator generate -i spec.yaml -g python -o client/

# Import into Postman: File → Import → select spec.yaml

# Feed to an LLM
cat spec.yaml | llm "write a Python client for this API"

Development

git clone https://github.com/4LAU/apisniff.git
cd apisniff
uv sync --dev
uv run pytest tests/ -v
uv run ruff check .

See CONTRIBUTING.md for the local development workflow and SECURITY.md for vulnerability reporting.

To regenerate command reference docs after changing CLI flags:

uv run python scripts/generate_command_docs.py

License

MIT