The API is your backend's public interface. If your mobile app or SPA depends on the API, every endpoint it reaches is exposed to the internet whether you intended it or not, because the client that calls it runs on a machine you do not control. Yet developers routinely treat APIs as "internal" because the API documentation is not public. This mental-model error is where many modern web compromises start.
Why this happens
APIs grow organically. An endpoint is added for the mobile app. Another for the web SPA. Another for a back-office tool. Another for a third-party integration. Each has its own authentication assumptions, its own authorization model, its own rate limit. Nobody maintains the canonical inventory. Security reviews cover the “main API” but miss the half-dozen auxiliary ones.
Worse: mobile apps often call endpoints that web apps don't. Those endpoints were designed assuming "the mobile app is the only caller and we can control the mobile app's behaviour." Neither of those assumptions is true once the mobile app is in the wild: the binary can be decompiled and its traffic replayed from any HTTP client, and measures such as certificate pinning or obfuscation only raise the cost of inspection, they do not restore either assumption.
How it goes wrong
1. Shadow endpoints
Documented API has 50 endpoints. Actual deployed API has 80. The 30 undocumented ones existed for internal tools, beta features, debugging, or historical reasons. Attackers find them via JavaScript bundle analysis, mobile app decompilation, API discovery tools, or Wayback Machine archives.
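Building the canonical inventory that the "Why this happens" section says nobody maintains is mostly a diff: the paths your documentation claims exist versus the paths that the JavaScript bundle references and that your gateway actually serves. The script below is an added example, not code from the original module, and every input in it is constructed: a tiny OpenAPI-style path list, a fragment of a minified SPA bundle, and four Common Log Format lines with a user-agent field. It normalizes numeric path segments to `{id}` so that `/users/42` matches the documented template `/users/{id}`, then reports any path seen in the bundle or the log that the documentation does not cover, together with where it was seen.

```python
import re

# Constructed sample inputs for the example; none of this is real data.
OPENAPI_PATHS = {
    "/api/v1/users/{id}",
    "/api/v1/orders",
    "/api/v1/orders/{id}",
}

JS_BUNDLE = '''
fetch("/api/v1/users/"+u.id).then(r=>r.json());
axios.post("/api/v1/orders",o);
const DEBUG_URL="/api/v1/debug/dump";
'''

ACCESS_LOG = '''
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512 "okhttp/4.9"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /api/v1/orders HTTP/1.1" 201 88 "okhttp/4.9"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /api/v1/internal/export?all=1 HTTP/1.1" 200 9001 "python-requests/2.31"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /api/v2/beta/reports/7 HTTP/1.1" 200 130 "Mozilla/5.0"
'''

# String literals in the bundle that look like API paths (assumed /api/ prefix).
PATH_RE = re.compile(r'["\'](/api/[A-Za-z0-9_./-]*)["\']')
# Request path from a Common Log Format request line, query string dropped.
LOG_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE)\s+(/[^\s?"]*)')


def normalize(path):
    """Strip a trailing slash and collapse purely numeric segments to {id}
    so that concrete requests match documented path templates."""
    path = path.rstrip("/")
    return re.sub(r"/\d+(?=/|$)", "/{id}", path) or "/"


def paths_from_bundle(js):
    return {normalize(m) for m in PATH_RE.findall(js)}


def paths_from_log(log):
    return {normalize(m) for m in LOG_RE.findall(log)}


def is_documented(path, documented, from_bundle=False):
    if path in documented:
        return True
    # A bundle literal such as "/api/v1/users/" is usually a prefix that gets
    # an id concatenated at runtime; treat it as covered when a documented
    # template extends it. Log paths are complete, so they get no such credit.
    return from_bundle and any(d.startswith(path + "/") for d in documented)


def shadow_endpoints(documented, bundle, log):
    """Return {path: [sources]} for every observed path the docs do not cover."""
    doc = {normalize(p) for p in documented}
    observed = {}
    for p in paths_from_bundle(bundle):
        if not is_documented(p, doc, from_bundle=True):
            observed.setdefault(p, set()).add("bundle")
    for p in paths_from_log(log):
        if not is_documented(p, doc):
            observed.setdefault(p, set()).add("log")
    return {p: sorted(src) for p, src in sorted(observed.items())}


if __name__ == "__main__":
    for path, sources in shadow_endpoints(OPENAPI_PATHS, JS_BUNDLE, ACCESS_LOG).items():
        print(f"undocumented: {path:35s} seen in {', '.join(sources)}")
```

On the constructed inputs this flags `/api/v1/debug/dump` (referenced by the bundle, so anyone who reads the bundle will find it), and `/api/v1/internal/export` and `/api/v2/beta/reports/{id}` (served by the gateway but absent from both the docs and the bundle, which is exactly the profile of an endpoint that only a mobile app or a back-office tool was supposed to call). Run the same diff against the real spec, the real bundle and a day of gateway logs, and the list is your shadow-endpoint inventory; anything on it needs either documentation and an authorization review or removal.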