API Endpoint Discovery

§ Where this technique fits

§ Dossiers chaining this technique

• Open MongoDB → dump every collection

  Shodan-indexed MongoDB on 27017 with no auth. Connect, list databases, dump every collection. Often the second stage is a ransom note in a new 'README' collection.

  step 1 / 5

• ESXiArgs — OpenSLP unauth RCE → ransomware

  Internet-facing ESXi with SLP service on TCP/427 unpatched for CVE-2021-21974. Single ROP gadget chain yields root, then a small bash script encrypts every .vmdk on local datastores.

  step 1 / 6

• Open MQTT broker → smart-estate takeover

  Shodan-indexed MQTT broker on TCP/1883 with no auth. Subscribe to '#' to harvest every device topic; publish to relays/locks/lights/thermostats.

  step 1 / 5

• Signature replay across chains → token drain

  EIP-2612 permit() signed without chainId / domain separator binding. Capture the off-chain signature on one chain and replay it on another to drain ERC-20 approvals.

  step 1 / 4

• XXE → SSRF → IMDS → cloud creds

  XML parser configured with external entities resolution. Use XXE to make the server hit IMDS and exfiltrate cloud credentials via DTD trickery.

  step 1 / 6

• Single-packet race → coupon stacking

  Coupon redemption check happens before the apply step. Send 20 redemptions in a single TCP packet — the app validates each in parallel and applies all of them.

  step 1 / 5

• SSRF → IMDS → cloud creds → lateral

  An image-fetcher / link-preview endpoint fetches attacker-controlled URLs server-side. Pivot to the cloud metadata service and steal the instance role credentials.

  step 1 / 6

• File upload bypass → webshell → RCE

  Upload filter checks extension or MIME but not magic bytes / final path. Bypass via double extension, content-type spoof, or polyglot, then call the dropped script.

  step 1 / 6

• OAuth redirect_uri misconfig → account takeover

  Provider accepts loose redirect_uri matching (wildcard, partial, open-redirect chain). Steal the authorization code by redirecting it through an attacker host.

  step 1 / 8

• GraphQL introspection → BOLA → mass enum

  GraphQL endpoint exposes its full schema. Discover an unauth'd or under-authorized resolver, enumerate every user's data by iterating IDs.

  step 1 / 6

• NoSQL injection → auth bypass → admin

  Login endpoint passes user-supplied JSON into a MongoDB query. Send {"$ne": null} to bypass the password check.

  step 1 / 5

• JWT RS256 → HS256 algorithm confusion → admin

  Server verifies any algorithm declared in the JWT header. Sign an HS256 token using the public RSA key as the HMAC secret — server accepts it as legit.

  step 2 / 6

• Root detection + SSL pinning bypass → MITM the API

  Rooted test device with Frida. Hook the app's root-detection and OkHttp CertificatePinner; route traffic through Burp to expose the entire authenticated API surface.

  step 5 / 6

§ What commonly comes next

1. 01
   Blind XXE — Out-of-Band Exfil

   W-XXE-BLIND-OOB · Lateral Movement
   seen 1×
2. 02
   Broken Object Level Authorization (API BOLA)

   W-BOLA · Privilege Escalation
   seen 1×
3. 03
   Business Logic Flaw

   W-BUSINESS-LOGIC · Impact
   seen 1×
4. 04
   ESXi OpenSLP Unauth RCE (CVE-2021-21974)

   HV-ESXI-SLP · Initial Access
   seen 1×
5. 05
   File Upload Filter Bypass

   W-UPLOAD-BYPASS · Initial Access
   seen 1×
6. 06
   GraphQL Introspection

   W-GRAPHQL-INTRO · Discovery
   seen 1×
7. 07
   JWT — RS256 → HS256 Algorithm Confusion

   W-JWT-ALG-CONFUSION · Credential Access
   seen 1×
8. 08
   MQTT Broker Open / No Auth

   IOT-MQTT-OPEN · Initial Access
   seen 1×