Reverse Engineering an API in .NET Core – Complete Practical Example

Introduction

API reverse engineering is the process of analyzing how an external API works when official documentation is unavailable or incomplete. Developers inspect requests, headers, cookies, tokens, parameters, and responses to recreate API functionality inside their own applications.

In .NET Core, reverse engineering APIs is commonly used for:

• Government portal integrations

• Banking systems

• Logistics platforms

• Payment gateways

• Mobile app APIs

• Legacy systems

What is API Reverse Engineering?

API reverse engineering means:

• Observing network traffic

• Identifying API endpoints

• Understanding request headers

• Finding authentication methods

• Rebuilding API calls in code

Real-World Scenario

Suppose a website shows loan application data after login, but there is no public API documentation.

We inspect the browser network requests and discover:

GET https://example.com/api/getLoanList?page=1

Headers:

Authorization: Bearer TOKEN
Cookie: SESSIONID=ABC123

Response:

{
  "status": true,
  "data": [
    {
      "applicationNo": "LN1001",
      "farmerName": "Ramesh",
      "amount": 50000
    }
  ]
}

Now we recreate this API inside our own ASP.NET Core application.

Tools Used for API Reverse Engineering

Step 1 – Capture API Request

Open browser developer tools:

Chrome Shortcut

F12 → Network Tab

Perform an action on the website.

Example:

• Login

• Search data

• Load dashboard

Now inspect:

• Request URL

• Headers

• Cookies

• Payload

• Response

Example Captured API

GET https://portal.example.com/api/application/list?page=1

Headers:

Authorization: Bearer eyJhbGci...
Cookie: ASP.NET_SessionId=XYZ
User-Agent: Mozilla/5.0

Step 2 – Test API in Postman

Import the request into Postman.

Verify:

• Status Code = 200

• Data received properly

• Authentication works

Step 3 – Create .NET Core API Client

Install Required Package

dotnet add package Newtonsoft.Json

Step 4 – Create Model Class

public class LoanApplication
{
    public string ApplicationNo { get; set; }

    public string FarmerName { get; set; }

    public decimal Amount { get; set; }
}

Step 5 – Create Response Model

public class LoanResponse
{
    public bool Status { get; set; }

    public List<LoanApplication> Data { get; set; }
}

Step 6 – Reverse Engineered API Call

Complete Working Example

using Newtonsoft.Json;
using System.Net.Http.Headers;

public class LoanApiService
{
    private readonly HttpClient _client;

    public LoanApiService()
    {
        _client = new HttpClient();
    }

    public async Task<List<LoanApplication>> GetLoans()
    {
        try
        {
            var request = new HttpRequestMessage(
                HttpMethod.Get,
                "https://portal.example.com/api/application/list?page=1");

            // Add Bearer Token
            request.Headers.Authorization =
                new AuthenticationHeaderValue(
                    "Bearer",
                    "YOUR_TOKEN");

            // Add Cookies
            request.Headers.Add(
                "Cookie",
                "ASP.NET_SessionId=XYZ123");

            // Send Request
            var response = await _client.SendAsync(request);

            response.EnsureSuccessStatusCode();

            // Read Response
            var json = await response.Content.ReadAsStringAsync();

            // Deserialize JSON
            var result = JsonConvert.DeserializeObject<LoanResponse>(json);

            return result.Data;
        }
        catch(Exception ex)
        {
            throw;
        }
    }
}

Step 7 – Create Controller

[ApiController]
[Route("api/[controller]")]
public class LoanController : ControllerBase
{
    [HttpGet]
    public async Task<IActionResult> Get()
    {
        LoanApiService service = new LoanApiService();

        var data = await service.GetLoans();

        return Ok(data);
    }
}

How Reverse Engineering Works

Workflow

• Capture API Request

• Analyze Headers

• Understand Authentication

• Test in Postman

• Recreate in .NET Core

• Deserialize Response

• Build Application Logic

Understanding Authentication

Most reverse-engineered APIs use:

Handling Dynamic Tokens

Sometimes tokens expire.

Example Login API

POST /api/login
{
   "username":"admin",
   "password":"123456"
}

Response:

{
   "token":"eyJhbGciOi..."
}

Store this token and use it in future requests.

Advanced Reverse Engineering Techniques

1. Decode JWT Tokens

JWT tokens contain:

• User info

• Expiry

• Permissions

2. Analyze JavaScript Files

Sometimes hidden API endpoints exist inside JS files.

3. Observe Mobile App APIs

Using:

• Charles Proxy

• Fiddler

• Burp Suite

developers can inspect Android/iOS app traffic.

Common Problems

Best Practices

Use HttpClientFactory

builder.Services.AddHttpClient();

Add Retry Policy

Using Polly:

dotnet add package Polly

Log All Requests

Useful for debugging.

Secure Tokens

Never hardcode:

• Passwords

• API Keys

• Tokens

Use:

• appsettings.json

• Azure Key Vault

• Environment Variables

Legal & Ethical Considerations

API reverse engineering should only be done:

• For authorized systems

• For integration purposes

• For internal automation

• When allowed by terms/policies

Avoid:

• Unauthorized access

• Bypassing security

• Data scraping without permission

Real-World Use Cases

Government Integration

GST, Aadhaar, eStamp APIs.

Banking Systems

Loan processing portals.

E-Commerce

Order tracking APIs.

Mobile Applications

Extracting backend API workflows.

Enterprise Automation

Integrating legacy systems.

Conclusion

Reverse engineering APIs in .NET Core is a powerful skill for developers working on integrations, automation, and enterprise applications.

Using:

• Browser DevTools

• Postman

• HttpClient

• JSON Models

• Authentication Handling

developers can successfully analyze and rebuild APIs even when documentation is unavailable.