Ethical Hacking News
Experts warn that exposed APIs pose a significant threat to modern applications and underscore the urgent need for proactive measures to secure these interfaces. With Autoswagger, a free and open-source tool, developers can identify potential vulnerabilities in their APIs and take steps to mitigate them.
Intruder's security team continues to find the same API vulnerabilities in major organizations, highlighting the urgent need for proactive measures. Autoswagger is a free and open-source tool that scans APIs for broken authorization flaws, helping developers identify potential vulnerabilities. It works by scanning domains, detecting exposed API documentation, and flagging endpoints with insecure access control, including endpoints that expose credentials and PII. Thousands of teams trust Intruder's always-on exposure management platform to secure their apps and APIs. Intruder found four real-world examples of exposed APIs that demonstrate the alarming reality of vulnerable APIs: Autoswagger discovered endpoints exposing Microsoft MPN credentials, Salesforce records, internal training data, SQL access, and Active Directory information. Publicly exposing API documentation can create unnecessary risk and give attackers a clear map of every endpoint to target.
Free Autoswagger Tool Finds the API Flaws Attackers Hope You Miss
As we navigate the complex digital landscape of modern applications, it has become increasingly evident that APIs (Application Programming Interfaces) have become a prime target for attackers. The sheer exposure and accessibility of these interfaces make them an attractive entry point for malicious actors seeking to exploit vulnerabilities and wreak havoc on unsuspecting organizations.
The Optus breach in 2022 serves as a stark reminder of the devastating consequences that can arise when API security is compromised. In this incident, attackers successfully stole millions of customer records through an unauthenticated API endpoint, leaving the telecom company reeling with a staggering $140 million AUD in fallout. This incident highlights the critical need for robust API security measures to prevent such breaches.
However, three years on from this high-profile breach, vulnerabilities like the one behind the Optus incident remain an easy target for attackers. In fact, Intruder's security team continues to find the same issues in the APIs of major organizations, including members of the S&P 500. This persistent exposure of API vulnerabilities underscores the urgent need for proactive measures to secure these interfaces.
To address this pressing concern, Autoswagger has emerged as a free and open-source tool that scans APIs for broken authorization flaws. With it, developers can identify potential vulnerabilities in their APIs and take proactive steps to mitigate them.
Autoswagger works by scanning domains to detect exposed API documentation, such as OpenAPI or Swagger schemas, then parsing them to generate a list of endpoints to test. It sends requests using valid parameters from the documentation and flags any endpoint that returns data instead of an access-control response such as a 401 or 403 error. If a response includes sensitive data, such as credentials or personally identifiable information (PII), and the endpoint isn't properly secured, it gets flagged in the output.
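The same schema-driven reasoning can be turned on your own documentation before anyone else does: the following added example (not Autoswagger's code) walks a constructed OpenAPI 3 document, lists operations that declare no security requirement, and lists operations whose 200 response schema carries credential- or PII-like field names. The sample spec, its '/api/config' and '/api/orders' paths, and the keyword list are assumptions made for this illustration.

```python
import re
# Constructed OpenAPI 3 document for this example; the unauthenticated
# '/api/config' operation mimics the 'config' endpoint the article describes.
CONFIG_SCHEMA = {"type": "object", "properties": {
    "redis_password": {"type": "string"}, "api_key": {"type": "string"}}}
ORDERS_SCHEMA = {"type": "array", "items": {"type": "object", "properties": {
    "order_id": {"type": "integer"}, "email": {"type": "string"}}}}

def json_200(schema):  # minimal OpenAPI 'responses' object with one JSON 200 body
    return {"200": {"content": {"application/json": {"schema": schema}}}}

SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "security": [],  # no global security requirement
    "paths": {
        "/api/config": {"get": {"responses": json_200(CONFIG_SCHEMA)}},
        "/api/orders": {"get": {"security": [{"bearer": []}],
                                "responses": json_200(ORDERS_SCHEMA)}},
    },
}
SENSITIVE = re.compile(r"password|secret|token|api_?key|ssn|email", re.I)
METHODS = ("get", "post", "put", "patch", "delete")

def field_names(schema):
    """Collect property names from a JSON Schema fragment, recursing into nested objects and array items."""
    names = []
    for name, sub in schema.get("properties", {}).items():
        names.append(name)
        names.extend(field_names(sub))
    if "items" in schema:
        names.extend(field_names(schema["items"]))
    return names

def is_unprotected(spec, op):
    """Operations inherit the global 'security' list unless they set their own; [] or a {} entry means nothing is enforced."""
    reqs = op.get("security", spec.get("security", []))
    return not reqs or {} in reqs

def audit(spec):
    """Report operations with no authorization and operations whose 200 response exposes credential- or PII-like fields."""
    report = {"unprotected": [], "sensitive": []}
    for path, item in spec.get("paths", {}).items():
        for method in [m for m in METHODS if m in item]:
            op = item[method]
            if is_unprotected(spec, op):
                report["unprotected"].append((method, path))
            content = op.get("responses", {}).get("200", {}).get("content", {})
            for media in content.values():
                for name in field_names(media.get("schema", {})):
                    if SENSITIVE.search(name):
                        report["sensitive"].append((method, path, name))
    return report
```

An operation that appears in both lists is the case the article describes: data the schema itself says is sensitive, served with no declared authorization.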
The Autoswagger tool can be downloaded and installed via GitHub for free use. For more advanced testing, it can be run with the --brute flag to attempt to bypass validation checks, helping uncover flaws in endpoints that reject generic input but accept specific data formats or values.
Intruder's Always-On Exposure Management Platform Continues to Secure APIs
Thousands of teams trust Intruder's always-on exposure management platform to secure their apps and APIs and fix critical issues before attackers find them. By uploading the API schema, these organizations can get peace of mind in minutes.
Broken Authorization in Action: Four Real API Vulnerabilities Found by Autoswagger
To illustrate the potential impact of exposed APIs on modern applications, we put Autoswagger to the test on targets from several large Bug Bounty programs, scanning for vulnerable APIs at scale. Here are a few real-world examples that demonstrate the alarming reality of exposed APIs.
Microsoft MPN Credentials
One vulnerability we found was in an endpoint simply named ‘config’, which exposed credentials and API keys for Microsoft Partner Program data stores. Among the data exposed was a valid set of credentials for a Redis database containing the PII of partners, including courses and certifications they had undertaken.
The vulnerable endpoint was buried six layers deep (/1/dashboard/mpn/program/api/config/), making it nearly impossible to guess or discover through brute-force. It was only identified because the API’s OpenAPI schema was exposed.
60,000+ Salesforce Records
Another case involved an API connected to a Salesforce instance at a large tech company. The API returned customer records – including names, contact details, and product orders – which could be extracted in bulk by incrementing the ‘ByDate’ URL parameter to retrieve 1,000 records per request.
SQL Access on Internal Training App
We also found an internal staff training API at a well-known soda company running in Azure Functions that allowed unauthenticated users to run arbitrary SQL queries against the database. While the data was limited to internal training records, it included staff names and email addresses – the kind of detail an attacker could use to craft a convincing phishing campaign.
Azure Functions APIs don’t normally expose documentation, but a developer had deployed an extension that did. While this may have been for another service to consume, there was no clear reason for it to be publicly accessible since the app was meant for internal use.
Active Directory (AD) Enumeration
Finally, Autoswagger discovered CVE-2025-0589, which allowed an unauthenticated attacker to enumerate Active Directory user information if AD was integrated with the Octopus Deploy server.
Automated Documentation = Attack Surface Risk
Automated API documentation is great for developers but just as useful for attackers. When an API’s schema is exposed, it gives them a clear map of every endpoint to target. Without that map, most wouldn’t even bother – fuzzing endpoints blindly takes far more effort.
Hiding documentation isn’t a substitute for proper API vulnerability management, but publicly exposing docs you don’t need is an unnecessary risk. Most of the vulnerabilities we found were in APIs never meant to be public yet their documentation was exposed anyway.
Take a look at your own environment: if your internal APIs are documented and exposed to the internet, they might be handing attackers everything they need.
Intruder continuously scans API endpoints to detect a wide range of vulnerabilities, including exposed documentation. Check your APIs today by starting a free 14-day trial.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Alarming-Reality-of-Exposed-APIs-A-Threat-to-Modern-Applications-ehn.shtml
https://www.bleepingcomputer.com/news/security/free-tool-autoswagger-finds-the-api-flaws-attackers-hope-you-miss/
Published: Mon Jul 28 11:14:58 2025 by llama3.2 3B Q4_K_M