Information Disclosure: API Endpoint Exposed in JavaScript Bundle

Identifier: js_exposed_api

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner ASM Scanner

Description

API endpoints hardcoded in JavaScript bundles reveal the full attack surface of the backend API to anyone who inspects the bundle, enabling endpoint enumeration without authentication.

How we test: We statically analyze first-party JavaScript bundles to extract API endpoint URLs, paths, and HTTP methods from fetch(), axios, XMLHttpRequest, and other HTTP client patterns. The extracted endpoints are consolidated into an OpenAPI specification.
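As an added illustration of that analysis (example code, not the scanner's own implementation), the snippet below extracts endpoints from fetch(), axios and XMLHttpRequest call patterns in a constructed bundle, consolidates them into a minimal OpenAPI document, and lists the paths a published API spec does not document, so a team can audit its own build output before a scanner does.

```javascript
// Added example (not the scanner's own code): static extraction of API endpoints from
// a JS bundle, as the test above describes, to audit your own build. SAMPLE_BUNDLE is constructed.
const SAMPLE_BUNDLE = `
  fetch("/api/v1/users", { method: "POST", body: JSON.stringify(u) });
  fetch('/api/v1/users/' + id);
  axios.get("/api/v1/orders");
  axios.delete("/api/v1/orders/" + id);
  const xhr = new XMLHttpRequest(); xhr.open("PUT", "/api/v1/profile");
`;
const METHODS = new Set(["get", "post", "put", "patch", "delete", "head", "options"]);
// Argument text of the call whose "(" is at src[open]; nested parens (JSON.stringify(...)) are honoured.
function balancedArgs(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "(") depth++;
    else if (src[i] === ")" && --depth === 0) return src.slice(open + 1, i);
  }
  return "";
}
// Heuristic: a path literal ending in "/" was concatenated with an id variable.
const normalizePath = (p) => p.replace(/\/$/, "/{id}");
// Extract { method, path } pairs from fetch(), axios.<verb>() and xhr.open().
function extractEndpoints(src) {
  const found = [];
  const callRe = /\b(fetch|axios\.(\w+)|\w+\.open)\(/g;
  for (let m; (m = callRe.exec(src)); ) {
    const args = balancedArgs(src, m.index + m[0].length - 1);
    const strs = [...args.matchAll(/(['"])([^'"]*)\1/g)].map((s) => s[2]);
    const path = strs.find((s) => s.startsWith("/"));
    let method;
    if (m[1] === "fetch") method = (/method\s*:\s*['"](\w+)['"]/.exec(args) || [0, "get"])[1];
    else if (m[2]) method = m[2]; // axios.get / axios.post / ...
    else method = strs.find((s) => METHODS.has(s.toLowerCase())); // xhr.open(verb, url)
    if (path && method && METHODS.has(method.toLowerCase()))
      found.push({ method: method.toUpperCase(), path: normalizePath(path) });
  }
  return found;
}
// Consolidate into a minimal OpenAPI 3 document, as the test does.
function toOpenAPI(endpoints) {
  const paths = {};
  for (const { method, path } of endpoints)
    (paths[path] = paths[path] || {})[method.toLowerCase()] = { responses: { default: { description: "seen in bundle" } } };
  return { openapi: "3.0.3", info: { title: "Endpoints observed in bundle", version: "0" }, paths };
}
// Paths the bundle reveals that the published spec does not document: what a scanner
// reports, and what should get an authorization review first.
function undocumentedPaths(spec, documentedPaths) {
  return Object.keys(spec.paths).filter((p) => !documentedPaths.includes(p));
}
```

Point extractEndpoints() at your real build output and feed undocumentedPaths() the paths from your published spec; anything it returns is exposed to every client but missing from your documentation and deserves an explicit access-control check.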

References:

Configuration

Example

Example configuration:

---
security_tests:
  js_exposed_api:
    issues_count_limit: 0
    skip: false

Reference

issues_count_limit

Type: integer

The maximum number of issues to report. Use 0 to report all issues.

skip

Type: boolean

Skip the test if true.