I recently saw that dev.to updated their REST APIs.
https://developers.forem.com/api
I became curious and wanted to scan the dev.to REST API for vulnerabilities. I used this free, web-based API security tool for the job.
https://apisec-inc.github.io/pentest/
Here are the scan results:
Surprisingly, it reported 8 issues. Here is the list:
I analyzed the dev.to web UI to find out what was happening. I quickly figured out that all the open endpoints were also open on the web UI and had been left public by design, so that unauthenticated users can view dev.to articles, videos, and their associated tags, categories, and authors' public images. All other functionality, such as content engagement (likes, comments, follows), creating articles, etc., requires the user to be authenticated.
The free web tool did a decent job of identifying unauthenticated endpoints. Of course, there was no way the tool could have guessed the business reasoning behind leaving those endpoints public.
Here is the free tool URL: https://apisec-inc.github.io/pentest/
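The triage step described above, as an added example that is not part of the original post or the scanner: given scanner findings of the form (method, path, reachable-without-auth), it separates unauthenticated read-only access to resources the post identifies as public (articles, videos, tags, user profiles) from the cases that would be real findings: any write method reachable without a token, or a read of caller-specific data. The API paths and the sample findings are constructed assumptions, not the real scan report.

```python
# Constructed sample of scanner findings: (HTTP method, path, reachable without a token).
# Illustrative rows only; not the real report from the post.
SAMPLE_FINDINGS = [
    ("GET", "/api/articles", True),
    ("GET", "/api/articles/123", True),
    ("GET", "/api/videos", True),
    ("GET", "/api/tags", True),
    ("GET", "/api/users/42", True),
    ("POST", "/api/articles", False),   # auth enforced, nothing to report
    ("POST", "/api/comments", True),    # constructed: an unauthenticated write
    ("GET", "/api/users/me", True),     # constructed: caller-specific data
]

# Policy derived from the post: these resources are public-by-design for reads.
# Path prefixes are assumed for illustration.
PUBLIC_READ_PREFIXES = ("/api/articles", "/api/videos", "/api/tags", "/api/users/")
# Paths that share a public prefix but return data about the caller, not public data.
PRIVATE_EXCEPTIONS = ("/api/users/me",)
# Methods that must never be reachable without authentication.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def classify(method, path, open_without_auth):
    """Label one scanner finding according to the public-by-design policy."""
    if not open_without_auth:
        return "ok-auth-enforced"
    if method not in SAFE_METHODS:
        return "finding-unauthenticated-write"
    if path in PRIVATE_EXCEPTIONS:          # checked before the prefix allowlist
        return "finding-private-read"
    if path.startswith(PUBLIC_READ_PREFIXES):
        return "expected-public-read"
    return "review-unlisted-public-read"    # open read of a resource not in the policy


def triage(findings):
    """Map every (method, path) to its classification."""
    return {(m, p): classify(m, p, o) for m, p, o in findings}


def real_findings(findings):
    """Return only the entries a human still needs to act on."""
    return sorted(k for k, v in triage(findings).items() if v.startswith("finding"))


if __name__ == "__main__":
    for key, label in triage(SAMPLE_FINDINGS).items():
        print(f"{key[0]:5} {key[1]:20} {label}")
```

The allowlist encodes the business reasoning the tool could not know; anything that falls outside it, rather than everything reachable without a token, is what gets escalated.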
Top comments (3)
I don't think this can be called a vulnerability issue, because this API endpoint basically only contains public data that can be accessed by everyone. There is only a GET method, through which the public can only consume public data; it cannot create, delete, or modify anything.
Stack Overflow has similar endpoints exposed to unauthenticated users as well. It's an open-source culture.
Can you write a similar post?