Hidden API Functionality Exposure
The swagger UI documentation of dvws-node can be seen by going to http://dvws.local/api-docs/#/
Multiple API calls can be found by parsing this swagger endpoint which cannot be found by simply browsing the application. One example of such API call is the /api/v1/info.
GET /api/v1/info HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dvws.local/api-docs/
Connection: close
The GET request to /api/v2/users also wont be seen during normal workflow of the application
GET /api/v2/users HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json; charset=utf-8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dvws.local/api-docs/
Connection: close