Endpoint
A specific URL where an API or service can be accessed to perform an action or retrieve data.
Short Definition
An endpoint is a specific address (URL) where you can talk to an API. For example, /api/users is the endpoint for getting users and /api/login is for logging in. Each endpoint does one specific thing.
Full Definition
An endpoint is a specific URL path where an API exposes functionality. It's the connection point between a client and server for a particular operation.
Structure:
    Base URL + Path = Endpoint

    https://api.example.com/v1/users/123
    │                       │  │
    │                       │  └─ Endpoint path
    │                       └─ API version
    └─ Base URL
REST API Endpoints Example:
    GET    /api/users       ← List all users
    GET    /api/users/123   ← Get specific user
    POST   /api/users       ← Create new user
    PUT    /api/users/123   ← Update user
    DELETE /api/users/123   ← Delete user
Types:
- Public: Anyone can access
- Authenticated: Requires login/token
- Internal: Only for internal services
- Webhook: Receives notifications
Why It Matters
- Endpoints define what your API can do
- Each endpoint is a potential attack surface
- Proper endpoint design affects security
- Endpoint enumeration reveals functionality
- Access control must be per-endpoint
How Attackers Use It
Attack techniques:
1. Endpoint Enumeration: Find hidden endpoints not in documentation:
    /api/users         ← Public
    /api/users/admin   ← Hidden?
    /api/internal/     ← Internal?
    /api/v2/           ← Unreleased version?
Tools: ffuf, gobuster, Burp Intruder
2. IDOR (Insecure Direct Object Reference):
    GET /api/users/123   ← Your ID
    GET /api/users/124   ← Someone else's data
3. SSRF via Endpoint:
    POST /api/webhook
    {
      "url": "http://169.254.169.254/metadata"
    }
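The defensive counterpart to the webhook case above, added here as an example and not taken from the original page: before the server fetches a client-supplied webhook URL it should refuse schemes other than http/https, IP literals in loopback, link-local, private or otherwise internal ranges (such as the 169.254.169.254 metadata address shown above), and any host that is not on an allow-list of known webhook destinations. ALLOWED_WEBHOOK_HOSTS and the sample URLs are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts this service is allowed to deliver webhooks to. Constructed for the
# example; a real deployment would load this from configuration.
ALLOWED_WEBHOOK_HOSTS = {"hooks.example.com", "notify.example.org"}


def is_internal_address(host: str) -> bool:
    """True when host is an IP literal that must never be a webhook target."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal: a hostname, checked against the allow-list
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_webhook_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied webhook URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname  # lower-cased, IPv6 brackets removed, userinfo stripped
    if not host:
        return False, "missing host"
    # Catches http://169.254.169.254/..., http://127.0.0.1/, http://[::1]/ and
    # the userinfo trick https://hooks.example.com@169.254.169.254/
    if is_internal_address(host):
        return False, "internal address"
    # Positive control: anything not explicitly allowed is refused, which also
    # covers encodings the literal check cannot parse (e.g. a decimal IP)
    if host not in ALLOWED_WEBHOOK_HOSTS:
        return False, "host not in allow-list"
    if parts.username or parts.password:
        return False, "credentials in URL"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/metadata",
                      "https://hooks.example.com/notify",
                      "https://hooks.example.com@169.254.169.254/"):
        print(candidate, validate_webhook_url(candidate))
```

The allow-list is the control that carries the weight; the IP-range check is a second layer. Because this example stays offline it never resolves names: in production the name must be resolved and the resulting address checked with the same rules, and checked again at connect time, since a permitted name can be pointed at an internal address later (DNS rebinding).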
4. Mass Assignment:
    POST /api/users
    {
      "username": "attacker",
      "password": "pass",
      "role": "admin"         ← Shouldn't be allowed
    }
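An added example (not code from the original page) of how the request above is handled by a vulnerable create-user handler and by a hardened one. The vulnerable version copies every key from the body into the record, so the client's "role": "admin" wins; the hardened version copies only an allow-list of writable fields and always sets role on the server. WRITABLE_USER_FIELDS, REQUIRED_USER_FIELDS and SAMPLE_BODY are constructed for the example.

```python
import json

# Fields a client may set when creating an account. Constructed for the
# example; "role" is deliberately absent because the server assigns it.
WRITABLE_USER_FIELDS = {"username", "password", "email"}
REQUIRED_USER_FIELDS = {"username", "password"}


class ValidationError(ValueError):
    pass


def build_user_vulnerable(body: dict) -> dict:
    """Vulnerable pattern: every key in the request body lands in the record,
    so a client-supplied "role": "admin" silently overrides the default."""
    record = {"role": "user"}
    record.update(body)
    return record


def build_user_safe(body: dict, strict: bool = True) -> dict:
    """Hardened pattern: copy only allow-listed keys; role is always server-set.
    strict=True rejects the request outright when unexpected fields appear,
    which is usually preferable because it surfaces probing in the logs."""
    unexpected = set(body) - WRITABLE_USER_FIELDS
    if unexpected and strict:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    missing = REQUIRED_USER_FIELDS - set(body)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    record = {field: body[field] for field in WRITABLE_USER_FIELDS if field in body}
    record["role"] = "user"          # never taken from the client
    return record


def create_user_request(raw_body: str, strict: bool = True):
    """Simulates the POST /api/users handler: returns (status, payload)."""
    try:
        body = json.loads(raw_body)
        if not isinstance(body, dict):
            raise ValidationError("body must be a JSON object")
        return 201, build_user_safe(body, strict=strict)
    except ValueError as exc:        # JSON decode errors and ValidationError
        return 400, {"error": str(exc)}


# Constructed request body modelled on the page's example
SAMPLE_BODY = '{"username": "attacker", "password": "pass", "role": "admin"}'

if __name__ == "__main__":
    print("vulnerable:", build_user_vulnerable(json.loads(SAMPLE_BODY)))
    print("strict:    ", create_user_request(SAMPLE_BODY))
    print("lenient:   ", create_user_request(SAMPLE_BODY, strict=False))
```

The same allow-list approach applies to ORM constructors and serializers: whatever maps request keys onto model attributes must be fed the filtered dictionary, never the raw body.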
5. Version Exploitation:
    /api/v1/users   ← Patched
    /api/v0/users   ← Old, vulnerable version still active
How to Detect or Prevent It
Prevention:
Design:
- Use versioning (/v1/, /v2/)
- Consistent naming conventions
- Clear documentation
- Disable unused endpoints
- Remove debug/test endpoints in production
Security:
- Authentication on all endpoints
- Authorization checks (not just authentication)
- Rate limiting per endpoint
- Input validation
- Disable HTTP methods not needed (e.g., DELETE if read-only)
Code example:
    from flask import Flask, jsonify

    app = Flask(__name__)
    # require_authentication, current_user and User are the application's own
    # decorator, request context and model; they are assumed here, not shown.

    @app.route('/api/users/<int:user_id>', methods=['GET'])  # only GET is allowed
    @require_authentication                                  # authentication: valid session/token
    def get_user(user_id):
        # Authorization check: authentication alone is not enough; the caller may
        # only read their own record unless they are an admin (prevents IDOR)
        if current_user.id != user_id and not current_user.is_admin:
            return {"error": "Unauthorized"}, 403

        # Validated access: <int:user_id> already guarantees an integer id
        user = User.query.get(user_id)
        if user is None:
            return {"error": "Not found"}, 404
        return jsonify(user.to_dict())   # to_dict() assumed to serialize the model
Detection:
- Log all endpoint access
- Monitor for enumeration patterns:
- Sequential ID attempts
- 404 errors from scanning
- Requests to undocumented endpoints
- Alert on access to sensitive endpoints
- Track unusual HTTP methods (OPTIONS, TRACE)
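The detection bullets above, run as code over constructed access-log lines. This is an added example, not part of the original page: it flags sequential object ids from one client (IDOR probing), bursts of 404s from one client (wordlist enumeration), requests to paths outside the documented set, and unusual methods such as TRACE. The log format, the DOCUMENTED endpoint list and both thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed access-log lines in the form "<client ip> <method> <path> <status>"
SAMPLE_LOG = """\
10.0.0.7 GET /api/users/123 200
10.0.0.7 GET /api/users/124 200
10.0.0.7 GET /api/users/125 200
10.0.0.7 GET /api/users/126 403
10.0.0.7 GET /api/users/127 200
198.51.100.9 GET /api/admin 404
198.51.100.9 GET /api/internal/ 404
198.51.100.9 GET /api/v2/ 404
198.51.100.9 GET /api/debug 404
198.51.100.9 GET /api/backup 404
198.51.100.9 GET /api/console 404
203.0.113.4 TRACE /api/users/5 405
192.0.2.10 GET /api/users/42 200
"""

# Documented endpoint set and detection thresholds (all assumed for the example)
DOCUMENTED = [re.compile(r"^/api/users(/\d+)?$"), re.compile(r"^/api/login$")]
UNUSUAL_METHODS = {"OPTIONS", "TRACE"}
SEQUENTIAL_ID_THRESHOLD = 4   # consecutive object ids from one client
NOT_FOUND_THRESHOLD = 5       # 404s from one client in the window

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
USER_ID_RE = re.compile(r"^/api/users/(\d+)$")


def parse_log(log_text):
    """Yield (ip, method, path, status) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            yield ip, method, path, int(status)


def detect(log_text):
    """Return a list of (ip, alert_kind, detail) for the patterns listed above."""
    alerts = []
    ids_by_ip = defaultdict(list)
    not_found_by_ip = defaultdict(int)

    for ip, method, path, status in parse_log(log_text):
        if method in UNUSUAL_METHODS:
            alerts.append((ip, "unusual-method", f"{method} {path}"))
        if not any(p.match(path) for p in DOCUMENTED):
            alerts.append((ip, "undocumented-endpoint", path))
        if status == 404:
            not_found_by_ip[ip] += 1
        m = USER_ID_RE.match(path)
        if m:
            ids_by_ip[ip].append(int(m.group(1)))

    # Sequential ids (123, 124, 125, ...) from one client: IDOR probing.
    # Authorization failures (403) still count, since each one is an attempt.
    for ip, ids in ids_by_ip.items():
        run = longest = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= SEQUENTIAL_ID_THRESHOLD:
            alerts.append((ip, "sequential-ids", f"{longest} consecutive user ids"))

    # Bursts of 404s from one client: wordlist-driven endpoint enumeration
    for ip, count in not_found_by_ip.items():
        if count >= NOT_FOUND_THRESHOLD:
            alerts.append((ip, "scan-404s", f"{count} not-found responses"))
    return alerts


def alert_kinds(log_text):
    """Collapse alerts to {ip: set_of_alert_kinds} for triage."""
    kinds = defaultdict(set)
    for ip, kind, _ in detect(log_text):
        kinds[ip].add(kind)
    return dict(kinds)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Keying on the client IP is the simplest choice for an example; in a real pipeline key on the authenticated identity or session where one exists, since enumeration from behind a NAT or through a proxy pool looks like many clients by address, and evaluate the counters over a sliding time window rather than a whole file.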
Common Misconceptions
- "Authentication protects all endpoints" - Need authorization too
- "Hidden endpoints are secure" - Security through obscurity fails
- "Documentation reveals too much" - Attackers enumerate anyway
- "Endpoints can share authentication" - Each needs own checks
- "GET endpoints are read-only" - Some modify state incorrectly
Real-World Example
USPS Informed Delivery API (2018)
Vulnerability:
    GET /account/profile?userId=12345
Issue: No authorization check
Attack:
- Create account (get userId=12345)
- Try userId=12346, 12347, etc.
- Access 60 million user accounts
Result: Full name, address, email, phone number exposed.
Peloton API (2021)
Endpoint exposed too much data:
    GET /api/user/{user_id}/profile
Returned:
- Private profile information
- Workout history
- Location data
- Even for "private" accounts
Could enumerate all users by iterating user_id.
Venmo API
Public endpoint with no auth:
    GET /api/transactions
Leaked:
- All public transactions
- User relationships
- Financial patterns
- Could scrape millions of transactions
Related Terms
API, URL, HTTP Request, REST, Authentication