APIs (Advanced)
GraphQL introspection, query depth attacks, batching, excessive data exposure, missing pagination, and overly broad API keys.
7 vulnerabilities
API Documentation Exposed in Production
Severity: low. Swagger UI, ReDoc, or other API documentation interfaces publicly accessible in production, giving attackers a free interactive map of every endpoint, parameter, and authentication method.
GraphQL Introspection Enabled in Production
Severity: medium. GraphQL introspection is left enabled in production, allowing anyone to query the complete schema and discover all types, fields, mutations, and their argument structures.
GraphQL Without Query Depth Limit
Severity: medium. GraphQL API with no depth limit on nested queries, allowing attackers to craft deeply nested queries that exhaust server resources and cause denial of service.
GraphQL Batching Attack
Severity: medium. GraphQL endpoints accepting arrays of operations without a size limit, enabling attackers to bypass per-request rate limiting by bundling thousands of operations into a single HTTP call.
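The three GraphQL entries above (introspection left on, no depth limit, unbounded batching) can all be enforced before the request reaches the GraphQL engine. The following is an added example, not code from the original page: a standard-library-only pre-validator that caps the number of operations in a batch, bounds selection-set depth, and refuses `__schema`/`__type` in production. The limits, function names and sample bodies are assumptions chosen for illustration; a real deployment should use an AST-based validation rule inside the GraphQL engine rather than text scanning, since this version does not expand fragment spreads and only bounds their effect.

```python
"""Pre-validation for a GraphQL HTTP endpoint: batch size, query depth, introspection.

Added example, not code from the original page. Standard library only; runs on the
raw request body before any GraphQL engine sees it. Limits, names and sample bodies
are assumptions.
"""
import json
import re

MAX_BATCH_OPERATIONS = 10   # assumption: operations allowed per HTTP request
MAX_QUERY_DEPTH = 8         # assumption: deepest selection-set nesting allowed
INTROSPECTION_FIELD = re.compile(r"\b__(schema|type)\b")   # __typename stays allowed


class GraphQLRequestRejected(ValueError):
    """Raised when a request fails one of the checks below."""


def strip_strings_and_comments(query: str) -> str:
    """Blank out string literals and # comments so braces inside them are not counted."""
    out, i, n = [], 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':
            if query.startswith('"""', i):              # block string
                end = query.find('"""', i + 3)
                i = n if end == -1 else end + 3
            else:                                       # ordinary string, may contain \" escapes
                i += 1
                while i < n and query[i] != '"':
                    i += 2 if query[i] == "\\" else 1
                i += 1
            out.append(" ")
        elif c == "#":
            while i < n and query[i] != "\n":
                i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def definition_depths(query: str):
    """Return [(is_fragment, max_brace_depth)] for each top-level definition."""
    text = strip_strings_and_comments(query)
    defs, depth, cur_max, head = [], 0, 0, []
    for c in text:
        if c == "{":
            depth += 1
            cur_max = max(cur_max, depth)
        elif c == "}":
            depth -= 1
            if depth < 0:
                raise GraphQLRequestRejected("unbalanced braces")
            if depth == 0:
                defs.append(("".join(head).strip().startswith("fragment"), cur_max))
                head, cur_max = [], 0
        elif depth == 0:
            head.append(c)
    if depth != 0:
        raise GraphQLRequestRejected("unbalanced braces")
    return defs


def query_depth_bound(query: str) -> int:
    """Upper bound on resolved depth. Fragments are not expanded, but the spec forbids
    fragment cycles, so each fragment can add at most (its own depth - 1) to an operation."""
    defs = definition_depths(query)
    op_depth = max((d for is_frag, d in defs if not is_frag), default=0)
    fragment_extra = sum(d - 1 for is_frag, d in defs if is_frag)
    return op_depth + fragment_extra


def validate_request(body: bytes, production: bool = True) -> list:
    """Parse a GraphQL-over-HTTP body (single operation or batch array) and enforce limits.
    Returns the operations; charge len(result) against the caller's rate limit so a
    batch cannot hide behind one HTTP request."""
    payload = json.loads(body)
    operations = payload if isinstance(payload, list) else [payload]
    if len(operations) > MAX_BATCH_OPERATIONS:
        raise GraphQLRequestRejected(
            f"batch of {len(operations)} operations exceeds {MAX_BATCH_OPERATIONS}")
    for index, op in enumerate(operations):
        query = op.get("query") if isinstance(op, dict) else None
        if not isinstance(query, str):
            raise GraphQLRequestRejected(f"operation {index}: missing query")
        if production and INTROSPECTION_FIELD.search(strip_strings_and_comments(query)):
            raise GraphQLRequestRejected(f"operation {index}: introspection disabled in production")
        depth = query_depth_bound(query)
        if depth > MAX_QUERY_DEPTH:
            raise GraphQLRequestRejected(f"operation {index}: depth {depth} exceeds {MAX_QUERY_DEPTH}")
    return operations


def rejection_reason(body: bytes, production: bool = True):
    """The rejection message, or None if the request passes."""
    try:
        validate_request(body, production)
    except GraphQLRequestRejected as exc:
        return str(exc)
    return None


# Constructed sample bodies (not captured traffic).
SAMPLE_OK = json.dumps({"query": "query Me { me { id posts(first: 5) { id title } } }"}).encode()
SAMPLE_BATCH = json.dumps([{"query": "{ me { id } }"}] * 11).encode()
SAMPLE_DEEP = json.dumps({"query": "{ a { b { c { d { e { f { g { h { i } } } } } } } } }"}).encode()
SAMPLE_INTROSPECTION = json.dumps({"query": "{ __schema { types { name } } }"}).encode()

if __name__ == "__main__":
    for name, body in [("ok", SAMPLE_OK), ("batch", SAMPLE_BATCH),
                       ("deep", SAMPLE_DEEP), ("introspection", SAMPLE_INTROSPECTION)]:
        print(f"{name:14} -> {rejection_reason(body) or 'accepted'}")
```

Pass `production=False` in non-production environments to keep introspection available to tooling; the depth and batch limits apply everywhere. Charging the rate limiter per operation rather than per HTTP request is what actually closes the batching bypass; the batch cap alone only bounds how much one request can cost.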
Excessive Data Exposure
Severity: medium. API endpoints returning full database objects with sensitive fields instead of only the fields the client actually needs, exposing password hashes, internal IDs, admin flags, and other sensitive data.
Missing Pagination on Data Endpoints
Severity: medium. API endpoints that return all matching records without pagination or a limit, enabling attackers to dump entire tables and causing memory/performance issues under normal load.
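The two entries above (excessive data exposure and missing pagination) share one fix at the response layer: serialize through an explicit allowlist of fields, and page every listing with a server-clamped page size. The following is an added example, not code from the original page; the `UserRow` shape, the field lists, the page-size limits and the 150 constructed rows are assumptions made for illustration.

```python
"""Explicit response shapes and bounded keyset pagination for a listing endpoint.

Added example, not code from the original page. The row shape, field allowlists,
page-size limits and sample rows are assumptions.
"""
import base64
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRow:
    """What the database hands back; several of these fields must never reach a client."""
    id: int
    email: str
    display_name: str
    password_hash: str
    is_admin: bool
    internal_shard: str


# Allowlists: anything not named here never leaves the server, no matter what the row holds.
PUBLIC_USER_FIELDS = ("id", "display_name")
SELF_USER_FIELDS = PUBLIC_USER_FIELDS + ("email",)


def serialize_user(row: UserRow, viewer_id=None) -> dict:
    """Project a row onto the fields this viewer is entitled to see."""
    fields = SELF_USER_FIELDS if viewer_id == row.id else PUBLIC_USER_FIELDS
    return {name: getattr(row, name) for name in fields}


DEFAULT_PAGE_SIZE = 20   # assumption
MAX_PAGE_SIZE = 100      # assumption: hard ceiling regardless of what the client asks for


def clamp_limit(requested) -> int:
    """Default when absent, reject nonsense, and never exceed MAX_PAGE_SIZE."""
    if requested is None:
        return DEFAULT_PAGE_SIZE
    try:
        n = int(requested)
    except (TypeError, ValueError):
        raise ValueError("limit must be an integer")
    if n < 1:
        raise ValueError("limit must be positive")
    return min(n, MAX_PAGE_SIZE)


def encode_cursor(last_id: int) -> str:
    return base64.urlsafe_b64encode(json.dumps({"after": last_id}).encode()).decode()


def decode_cursor(cursor: str) -> int:
    """Opaque cursor -> last seen id; any malformed input is rejected."""
    try:
        data = json.loads(base64.urlsafe_b64decode(cursor.encode()))
        after = data["after"]
        if isinstance(after, bool) or not isinstance(after, int) or after < 0:
            raise ValueError
        return after
    except (ValueError, KeyError, TypeError):
        raise ValueError("invalid cursor")


def list_users(rows, viewer_id=None, limit=None, cursor=None) -> dict:
    """Keyset-paginated listing: at most one page of allowlisted fields per call."""
    page_size = clamp_limit(limit)
    after = decode_cursor(cursor) if cursor else 0
    ordered = sorted(rows, key=lambda r: r.id)
    window = [r for r in ordered if r.id > after][: page_size + 1]   # one extra to detect more
    has_more = len(window) > page_size
    page = window[:page_size]
    return {
        "items": [serialize_user(r, viewer_id) for r in page],
        "next_cursor": encode_cursor(page[-1].id) if has_more else None,
    }


# Constructed sample data (not real users).
USERS = [
    UserRow(id=i, email=f"user{i}@example.test", display_name=f"user{i}",
            password_hash="$2b$12$constructedhashvalue", is_admin=(i == 1),
            internal_shard=f"shard-{i % 4}")
    for i in range(1, 151)
]

if __name__ == "__main__":
    first = list_users(USERS, limit=100000)          # client asks for everything, gets 100
    print(len(first["items"]), first["items"][0], first["next_cursor"] is not None)
    second = list_users(USERS, limit=100, cursor=first["next_cursor"])
    print(len(second["items"]), second["next_cursor"])
```

In an ORM-backed service the `sorted` and list slice become `WHERE id > :after ORDER BY id LIMIT :page_size + 1`; the point is that the database query itself carries the bound, so an unpaginated scan is impossible rather than merely unlikely. The cursor is opaque but not signed; if a client tampering with the offset matters (it usually does not for keyset paging over ids the client can already see), add an HMAC.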
API Key with Excessive Scope
Severity: medium. Using admin or full-access API keys for operations that only require read access, meaning a compromised key gives attackers far more access than needed for the intended operation.
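To make the blast radius of a leaked key concrete, the following added example (not code from the original page) models API keys that carry an explicit scope set, stores only a hash of each key, and maps every operation to the minimal scope it needs. The scope names, the operations table, the `ak_` prefix and the in-memory store are assumptions for illustration. `reachable_operations` is the check to run when deciding what a given key should be issued with: it is the set an attacker holding that key could call.

```python
"""Least-privilege API keys: scopes bound to the key, enforced per operation.

Added example, not code from the original page. Scope names, the operations table,
the key prefix and the in-memory store are assumptions.
"""
import hashlib
import secrets

SCOPES = {"orders:read", "orders:write", "users:read", "users:write", "admin"}

# The minimal scope each operation needs. Nothing here requires "admin" except the
# genuinely destructive call, so a key issued for reads cannot reach anything else.
OPERATION_SCOPE = {
    "GET /orders": "orders:read",
    "POST /orders": "orders:write",
    "GET /users": "users:read",
    "DELETE /users": "admin",
}


class KeyStore:
    """Maps sha256(raw key) -> granted scopes. The raw key is shown once and never stored."""

    def __init__(self):
        self._keys = {}

    @staticmethod
    def _digest(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, scopes) -> str:
        """Mint a key with exactly the requested scopes; unknown scopes are a bug, not a typo."""
        granted = frozenset(scopes)
        unknown = granted - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        raw_key = "ak_" + secrets.token_urlsafe(24)
        self._keys[self._digest(raw_key)] = granted
        return raw_key

    def scopes_for(self, raw_key: str) -> frozenset:
        """Empty set for unknown or revoked keys; lookup is by digest, so no raw key is compared."""
        return self._keys.get(self._digest(raw_key), frozenset())

    def revoke(self, raw_key: str) -> None:
        self._keys.pop(self._digest(raw_key), None)


def authorize(store: KeyStore, raw_key: str, operation: str) -> bool:
    """True only if the key holds the operation's scope (or admin, which implies everything)."""
    required = OPERATION_SCOPE[operation]
    granted = store.scopes_for(raw_key)
    return bool(granted) and ("admin" in granted or required in granted)


def reachable_operations(store: KeyStore, raw_key: str) -> set:
    """Blast radius if this key leaks: every operation it is allowed to perform."""
    return {op for op in OPERATION_SCOPE if authorize(store, raw_key, op)}


if __name__ == "__main__":
    store = KeyStore()
    reporting_job = store.issue({"orders:read"})   # what a read-only integration should get
    overscoped = store.issue({"admin"})            # what the vulnerability describes
    print("reporting job can reach:", sorted(reachable_operations(store, reporting_job)))
    print("admin key can reach:    ", sorted(reachable_operations(store, overscoped)))
```

The comparison printed by the two `reachable_operations` calls is the whole argument: the same integration, issued an admin key out of convenience, turns a leaked credential from one read endpoint into every endpoint in the table. Store only the digest, rotate keys, and audit issued scopes against this table periodically.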