DEV Community

Intesar Shannan Mohammed

How I scanned dev.to APIs for vulnerabilities

I recently saw that dev.to updated their REST APIs:
https://developers.forem.com/api

I became curious and wanted to scan the Dev.to REST API for vulnerabilities. I used this free, web-based API security tool for the job:
https://apisec-inc.github.io/pentest/

Here are the scan results:

[Screenshot: scan result]

Surprisingly, it reported 8 issues. Here is the list:

[Screenshot: vulnerability report]

I analyzed the dev.to web UI to find out what was happening. I quickly figured out that all the open endpoints were also open on the web UI: they were left public by design so that unauthenticated users can view dev.to articles, videos, and their associated tags, categories, and authors' public images. All other functionality, such as content engagement (likes, comments, follows, creating articles, etc.), requires the user to be authenticated.

The free web tool did a decent job of identifying unauthenticated endpoints. Of course, there was no way the tool could have guessed the business reasoning behind leaving those endpoints public: only someone who knows the product can decide which unauthenticated reads are intended and which are findings.

Here is the free tool URL: https://apisec-inc.github.io/pentest/
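The triage step above (deciding which unauthenticated endpoints are public by design) can be encoded so that every future scan only flags deviations from the documented intent. This is an added example, not code from the post or from the scanning tool; the endpoint paths, statuses and the allowlist are constructed sample values, not a real scan of dev.to.

```python
"""Triage scanner findings against an allowlist of endpoints that are
public by design, so only unexpected unauthenticated access is reported."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    method: str
    path: str
    status: int  # HTTP status the endpoint returned when probed WITHOUT credentials


# Constructed sample findings, shaped like what an API scanner reports after
# probing each documented endpoint without any authentication header.
SAMPLE_FINDINGS = [
    Finding("GET", "/api/articles", 200),
    Finding("GET", "/api/tags", 200),
    Finding("GET", "/api/videos", 200),
    Finding("POST", "/api/articles", 401),          # auth enforced: not a finding
    Finding("GET", "/api/users/me", 401),           # auth enforced: not a finding
    Finding("DELETE", "/api/comments/{id}", 204),   # hypothetical: reachable without auth
]

# Hypothetical allowlist: the recorded business decision that these read-only
# endpoints serve public content to unauthenticated visitors (as the web UI does).
PUBLIC_BY_DESIGN = {
    ("GET", "/api/articles"),
    ("GET", "/api/tags"),
    ("GET", "/api/videos"),
}


def triage(findings, allowlist):
    """Split reachable-without-auth findings into expected (allowlisted) and
    unexpected ones. Endpoints that answered 401/403 enforced auth and are dropped;
    any other non-2xx answer is kept aside as 'other' for manual review."""
    result = {"expected": [], "unexpected": [], "other": []}
    for f in findings:
        if f.status in (401, 403):
            continue
        if not 200 <= f.status < 300:
            result["other"].append(f)
        elif (f.method, f.path) in allowlist:
            result["expected"].append(f)
        else:
            result["unexpected"].append(f)
    return result


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, PUBLIC_BY_DESIGN)["unexpected"]:
        print(f"UNEXPECTED unauthenticated access: {f.method} {f.path} -> {f.status}")
```

Keeping the allowlist in version control turns the tool's "8 issues" into a review of one line per endpoint whose public exposure nobody has signed off on.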

Discussion (3)

Agus Setya R

I don't think this can be called a vulnerability issue, because basically this API endpoint only contains public data that can be accessed by everyone. There is only a GET method, so the public will only consume public data and cannot create, delete or modify.

IKECHUKWU MBAKWEM

Stack Overflow has similar endpoints exposed for unauthenticated users too. It's an open source culture.

Intesar Shannan Mohammed (Author)

Can you write a similar post?