I recently saw that dev.to updated their REST APIs.
I became curious, and I wanted to scan the Dev.to REST API for vulnerabilities. I used this free and web-based API security tool for this job.
Here are the scan results.
Surprisingly, it reported 8 issues. Here is the list:
I analyzed the dev.to web UI to find out what was happening. I quickly figured out that all the open endpoints were also open on the web UI and were left public by design, so that unauthenticated users can view the dev.to articles, videos, and their associated tags, categories, and authors' public images. All other functionality, such as content engagement (likes, comments, follows, creating articles, etc.), requires the user to be authenticated.
The free web tool did a decent job of identifying unauthenticated endpoints. Of course, there was no way the tool could have guessed the business reasoning behind leaving those endpoints public.
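The gap the post describes, a scanner that can list unauthenticated endpoints but cannot know which ones are public on purpose, is usually closed by writing the business decision down as an allowlist and triaging findings against it. The script below is an added example, not code from this post or from the apisec tool; the endpoint paths, the allowlist and the scan findings are all constructed for illustration and are not dev.to's real routes. It sorts each finding into "expected" (documented public read), "requires_auth" (the API rejected the anonymous request), "review" (an undocumented public read the owners should confirm) or "missing_auth" (a state-changing call that succeeded without credentials).

```python
"""Triage unauthenticated-endpoint findings against a documented access policy.

Added example. Every path, status and policy entry here is constructed;
none of it describes a real API.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    method: str
    path: str
    status_unauth: int  # HTTP status the endpoint returned to a request with no credentials


# Constructed allowlist: (method, path template) pairs the owners have documented
# as intentionally public. This is the "business reasoning" a scanner cannot infer.
PUBLIC_BY_DESIGN = {
    ("GET", "/articles"),
    ("GET", "/articles/{id}"),
    ("GET", "/videos"),
    ("GET", "/tags"),
    ("GET", "/users/{id}/image"),
}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
_ID_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize_path(path: str) -> str:
    """Drop the query string and collapse numeric segments to '{id}' so a concrete
    request like /users/42/image matches the policy template /users/{id}/image."""
    return _ID_SEGMENT.sub("/{id}", path.split("?", 1)[0])


def classify(finding: Finding, policy: set) -> str:
    """Return one of: expected, requires_auth, review, missing_auth."""
    method = finding.method.upper()
    if not 200 <= finding.status_unauth < 300:
        return "requires_auth"  # anonymous request was rejected; nothing to do
    if (method, normalize_path(finding.path)) in policy:
        return "expected"  # public read, documented as such
    if method in SAFE_METHODS:
        return "review"  # undocumented public read: confirm with the owners, then allowlist or fix
    return "missing_auth"  # a write succeeded anonymously; treat as a real defect


def triage(findings, policy=PUBLIC_BY_DESIGN):
    """Bucket findings by verdict, preserving scan order inside each bucket."""
    buckets = {"expected": [], "requires_auth": [], "review": [], "missing_auth": []}
    for f in findings:
        buckets[classify(f, policy)].append(f)
    return buckets


# Constructed scan output standing in for what a tool like the one above would report.
SAMPLE_FINDINGS = [
    Finding("GET", "/articles", 200),
    Finding("GET", "/articles/123", 200),
    Finding("GET", "/tags", 200),
    Finding("GET", "/users/42/image?size=large", 200),
    Finding("POST", "/articles", 401),
    Finding("POST", "/reactions", 201),
    Finding("GET", "/users/42/email", 200),
]

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_FINDINGS).items():
        for f in items:
            print(f"{verdict:14} {f.method:5} {f.path}")
```

The allowlist is the artifact worth keeping under version control next to the API: when a scanner reports "8 unauthenticated endpoints" and all eight are in the allowlist, the report is a clean bill of health rather than eight tickets, and anything in the "review" or "missing_auth" buckets is a genuine change in exposure.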
Here is the free tool URL: https://apisec-inc.github.io/pentest/