Hidden API Functionality Exposure
Sam Sanoop edited this page Jul 24, 2022
The Swagger UI documentation for dvws-node can be viewed at http://dvws.local/api-docs/#/

Parsing this Swagger endpoint reveals multiple API calls that cannot be discovered by simply browsing the application. One example of such an API call is /api/v1/info:
```http
GET /api/v1/info HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dvws.local/api-docs/
Connection: close
```
The GET request to /api/v2/users will also not be seen during the normal workflow of the application:

```http
GET /api/v2/users HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json; charset=utf-8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dvws.local/api-docs/
Connection: close
```
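The defensive counterpart of the observation above is an inventory check: compare the operations an OpenAPI/Swagger document advertises with the operations a normal user session actually exercises, and put every documented-but-unexercised operation (especially one with no `security` requirement) on the list for an explicit access-control review. The following Node.js script is an added example written for this page, not code from dvws-node; the `SPEC` object and the `OBSERVED_TRAFFIC` records are constructed stand-ins for the real `/api-docs` document and for access-log lines.

```javascript
// Added example (not part of dvws-node): inventory the operations an
// OpenAPI/Swagger document advertises and flag the ones that never appear in
// normal application traffic, so they get an explicit access-control review.

// Constructed, minimal OpenAPI 3 document standing in for /api-docs on dvws.local.
const SPEC = {
  openapi: "3.0.0",
  components: { securitySchemes: { bearerAuth: { type: "http", scheme: "bearer" } } },
  paths: {
    "/api/v1/login": { post: { summary: "Login" } },
    "/api/v1/info": { get: { summary: "Server info" } },
    "/api/v2/users": { get: { summary: "List users" } },
    "/api/v2/users/{id}": {
      get: { summary: "Get one user", security: [{ bearerAuth: [] }] },
    },
  },
};

// Constructed access-log style records ("METHOD path") of what a normal user
// session hits while browsing the application.
const OBSERVED_TRAFFIC = [
  "POST /api/v1/login",
  "GET /api/v2/users/42",
  "GET /api/v2/users/42",
];

const HTTP_METHODS = new Set(["get", "post", "put", "patch", "delete", "head", "options", "trace"]);

// Flatten spec.paths into one record per (method, path). An operation counts as
// secured when it, or the document as a whole, declares a non-empty `security` list.
function listOperations(spec) {
  const ops = [];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const [method, op] of Object.entries(item)) {
      if (!HTTP_METHODS.has(method)) continue; // skip "parameters", "summary", etc.
      const security = op.security ?? spec.security ?? [];
      ops.push({ method: method.toUpperCase(), path, secured: security.length > 0 });
    }
  }
  return ops;
}

// Turn a templated path such as /api/v2/users/{id} into a RegExp that matches
// concrete request paths; every {param} becomes one non-empty path segment.
function pathToRegex(templatePath) {
  const escaped = templatePath
    .replace(/[.*+?^$()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\{[^}]+\}/g, "[^/]+");       // {id} -> one path segment
  return new RegExp("^" + escaped + "$");
}

// Documented operations that never show up in the observed traffic: the
// "hidden" functionality only the API documentation points to.
function hiddenOperations(spec, observed) {
  const seen = observed.map((line) => {
    const [method, url] = line.split(" ");
    return { method, path: url.split("?")[0] }; // drop any query string
  });
  return listOperations(spec).filter((op) => {
    const re = pathToRegex(op.path);
    return !seen.some((s) => s.method === op.method && re.test(s.path));
  });
}

// Hidden operations with no security requirement are the first ones to review.
function unauthenticatedHidden(spec, observed) {
  return hiddenOperations(spec, observed).filter((op) => !op.secured);
}

for (const op of hiddenOperations(SPEC, OBSERVED_TRAFFIC)) {
  console.log(`${op.secured ? "secured  " : "UNSECURED"} ${op.method} ${op.path}`);
}
```

Against the constructed inputs the script reports `GET /api/v1/info` and `GET /api/v2/users` as documented operations that normal traffic never exercises, both without a `security` requirement; `GET /api/v2/users/{id}` is matched by the observed `/api/v2/users/42` requests because the templated path is expanded into a regular expression rather than compared literally. In practice the observed list would come from the proxy or access logs of a scripted walk-through of the application, and the spec from the same `/api-docs` endpoint the page discusses.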