DEV Community

Intesar Mohammed

Posted on

9 4

How I scanned dev.to APIs for vulnerabilities

I recently saw that dev.to had updated its REST APIs:
https://developers.forem.com/api

I became curious and wanted to scan the dev.to REST API for vulnerabilities, so I used this free, web-based API security tool for the job:
https://apisec-inc.github.io/pentest/

Here are the scan results

Scan result

Surprisingly, it reported 8 issues. Here is the list:

Vulnerability report

I analyzed the dev.to web UI to find out what was happening. I quickly figured out that every endpoint the tool flagged as open was also open in the web UI: they had been left public by design so that unauthenticated visitors can view dev.to articles, videos, and their associated tags, categories, and authors' public profile images. All other functionality, such as content engagement (likes, comments, follows) and creating articles, requires the user to be authenticated.

The free web tool did a decent job of identifying unauthenticated endpoints. Of course, there was no way the tool could have guessed the business reasoning behind leaving those endpoints public: a scanner can only observe that an endpoint answers without credentials, and whether that is a defect depends on whether the data is meant to be public. That decision needs a manual pass over each flagged endpoint. The result would have been a real finding if an endpoint accepted a write (create, update, delete) without credentials, or if a read returned data that the documentation describes as belonging to the authenticated user; here, every flagged endpoint was a read of content that is already public on the site.
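The triage described above, written out as a small Python script. This is an added example, not code from the original post or from the APIsec tool. The endpoint list and the `api-key` header are my reading of the Forem API documentation linked above and should be checked against it; the `mock_send` transport is a constructed, offline stand-in for real HTTP calls whose responses mirror what the post reports (public reads answer without credentials, everything else returns 401). The `triage` function is the part a practitioner would keep: it separates "open by design" reads from the two cases that would actually matter, an unauthenticated write or an unauthenticated read of a documented-as-private resource.

```python
"""Triage unauthenticated endpoints flagged by an API scanner.

Added example; not part of the original post or of the scanning tool.
Endpoint paths and the 'api-key' header are assumptions taken from the
Forem API docs (https://developers.forem.com/api) and should be verified.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str
    public_by_design: bool  # does the documentation describe this as public?


# Assumption: these paths follow the Forem API docs as I recall them.
ENDPOINTS: List[Endpoint] = [
    Endpoint("GET", "/api/articles", True),
    Endpoint("GET", "/api/tags", True),
    Endpoint("GET", "/api/videos", True),
    Endpoint("GET", "/api/comments?a_id=1", True),
    Endpoint("GET", "/api/articles/me", False),       # the caller's own articles
    Endpoint("GET", "/api/followers/users", False),   # the caller's followers
    Endpoint("POST", "/api/articles", False),
    Endpoint("PUT", "/api/articles/1", False),
]

# Constructed responses mirroring what the post observed: public reads return
# 200 with or without credentials, everything else returns 401 without a key.
MOCK_RESPONSES: Dict[Tuple[str, str, bool], int] = {}
for _ep in ENDPOINTS:
    MOCK_RESPONSES[(_ep.method, _ep.path, False)] = 200 if _ep.public_by_design else 401
    MOCK_RESPONSES[(_ep.method, _ep.path, True)] = 200


def mock_send(method: str, path: str, headers: Dict[str, str]) -> int:
    """Offline stand-in for an HTTP client; returns only the status code.
    Assumption: Forem authenticates API calls via an 'api-key' header."""
    return MOCK_RESPONSES[(method, path, "api-key" in headers)]


def triage(ep: Endpoint, unauth_status: int, auth_status: int) -> Optional[Tuple[str, str]]:
    """Classify one endpoint from its unauthenticated and authenticated status.
    Returns (severity, reason), or None when authentication is enforced."""
    unauth_ok = 200 <= unauth_status < 300
    auth_ok = 200 <= auth_status < 300
    if not unauth_ok:
        if unauth_status in (401, 403):
            return None  # credentials are required; nothing to report
        return ("NOTE", f"unexpected unauthenticated status {unauth_status}")
    if ep.method != "GET":
        return ("HIGH", "state-changing request accepted without credentials")
    if not ep.public_by_design:
        return ("HIGH", "documented-as-private resource readable without credentials")
    if auth_ok:
        return ("INFO", "public read-only data; open by design, same as the web UI")
    return ("NOTE", "succeeds without credentials but fails with them; check key handling")


def scan(endpoints: List[Endpoint],
         send: Callable[[str, str, Dict[str, str]], int],
         api_key: str) -> List[Tuple[Endpoint, str, str]]:
    """Probe every endpoint twice (without and with credentials) and triage."""
    findings = []
    for ep in endpoints:
        unauth = send(ep.method, ep.path, {})
        auth = send(ep.method, ep.path, {"api-key": api_key})
        result = triage(ep, unauth, auth)
        if result is not None:
            findings.append((ep, result[0], result[1]))
    return findings


if __name__ == "__main__":
    # With the constructed transport, only the INFO "open by design" entries appear.
    for ep, severity, reason in scan(ENDPOINTS, mock_send, "constructed-test-key"):
        print(f"{severity:5} {ep.method:6} {ep.path:24} {reason}")
```

To run it against the real API, replace `mock_send` with a function that issues the request (for example with `requests`) and returns the status code; the second probe with a valid key is what lets the script tell "public by design" from "broken auth", since a 200 on a documented-as-private path without credentials is the one case a scanner's raw "unauthenticated endpoint" list cannot distinguish on its own.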

Here is the free tool URL: https://apisec-inc.github.io/pentest/


Top comments (3)

Agus Setya R

I don't think this can be called a vulnerability issue, because basically this API endpoint only contains public data that can be accessed by everyone. There is only a GET method, through which the public will only consume public data; it cannot create, delete or modify.

Ikechukwu Mbakwem

Stack Overflow has similar endpoints exposed for unauthenticated users too. It's an open source culture.

Intesar Mohammed

Can you write a similar post?
