Tool Information

• Name of tool: apicg (API Crawler & Grapher)
• Vendor/Author: Sreehari Pradeep (glichx4)
• Upstream URL/Source code: https://github.com/glichx4/apicg
• License: MIT License

Description

apicg is a high-performance, asynchronous API attack surface mapping utility designed for penetration testers and bug bounty hunters. It combines passive JavaScript/Specification analysis with highly concurrent active endpoint fuzzing.

Unlike older tools that pull massive amounts of third-party noise (such as Google Analytics, Tag Manager, and tracking pixel routes), apicg uses an active in-scope validation system to strip away tracking junk dynamically, leaving security teams with a clean, actionable blueprint of the actual target API routes.

Features

• Passive Specification Harvesting: Auto-detects and parses leaked OpenAPI, Swagger, and GraphQL documentation endpoints.
• SPA JS Extraction: Extracts relative endpoints natively from client-side bundles (Webpack, Vite, etc.).
• Noise Filtering: Built-in validation filters to isolate target-only parameters.
• Async Fuzzing Engine: Rapidly brute-forces custom directories concurrently using a non-blocking httpx pool.
• Structured Exports: Dumps clean target maps into JSON or Markdown reporting formats.

Target Category in Kali Menu

03-web-applications -> Web Application Analysis

Technical Justification

Modern web applications are heavily reliant on APIs, which traditionally requires testers to manually crawl bundles or use heavy intercepting proxies. apicg bridges this gap natively inside a lightweight CLI tool. It follows standard Python packaging rules (setup.py entry points) and can easily be packaged into a native Debian (.deb) binary for distribution within the Kali ecosystem.