0x14 - Hidden Endpoints via Link Headers

Did you know you can find additional API endpoints during the recon phase by checking the HTTP Link headers in the server response?


Finding undocumented API endpoints is a critical part of the pentest recon process.

They can reveal vulnerable functions or features that are disabled in the user interface, making them a great target for unauthorized access attacks.

Depending on how the app is configured, empty responses or 204 No Content statuses are easy to overlook, even though they can still carry headers worth inspecting.

One less-known place to discover new endpoints is in the Link HTTP response headers.

While this is not very common, during one of my pentests I was able to find 25+ API endpoints using this technique, which greatly increased the attack surface.


How to do it

  1. Navigate the app

  2. Apply the Bambda filter linked below

  3. Check the Notes tab for new endpoints
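The parsing a filter like the one above has to do, as an added Python example (not the author's Bambda and not from any real target): it reads constructed raw HTTP responses, including a 204 No Content reply with no body, pulls every Link header target, resolves relative targets against the request URL, and lists the distinct endpoints with the rel values that advertised them. The same check lets an API owner audit what their own responses advertise before a tester does.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample traffic: (request URL, raw response). The 204 has no body,
# so it is easy to skip in a proxy history, yet it advertises three endpoints.
SAMPLE_RESPONSES = [
    ("https://api.example.test/v1/orders/42",
     "HTTP/1.1 204 No Content\r\n"
     "Link: </v1/orders/42/refunds>; rel=\"refunds\"\r\n"
     "Link: </v1/orders/42/invoice>; rel=\"invoice\", "
     "</v1/admin/orders/42/audit>; rel=\"audit\"\r\n"
     "\r\n"),
    ("https://api.example.test/v1/users",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: application/json\r\n"
     "Link: <https://api.example.test/v1/users?page=2>; rel=\"next\"\r\n"
     "\r\n"
     "{\"users\": []}"),
]


def header_values(raw_response, name):
    """Return every value of header `name` from a raw HTTP response (case-insensitive)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(val.strip())
    return values


def parse_link_header(value):
    """Split one Link header value (RFC 8288 syntax) into (target, params) pairs."""
    links = []
    # A header may hold several comma-separated links; split only on commas that
    # start a new <target> so commas inside quoted parameter values survive.
    for member in re.split(r",\s*(?=<)", value):
        match = re.match(r"\s*<([^>]*)>(.*)", member)
        if not match:
            continue
        target, raw_params = match.groups()
        params = {}
        for param in raw_params.split(";"):
            key, sep, val = param.partition("=")
            if sep:
                params[key.strip().lower()] = val.strip().strip('"')
        links.append((target, params))
    return links


def discover_endpoints(responses):
    """Map each endpoint advertised in a Link header to the rel values that named it."""
    found = {}
    for request_url, raw in responses:
        for value in header_values(raw, "Link"):
            for target, params in parse_link_header(value):
                absolute = urljoin(request_url, target)  # relative targets resolve here
                endpoint = urlsplit(absolute)._replace(query="", fragment="").geturl()
                found.setdefault(endpoint, set()).add(params.get("rel", ""))
    return found


if __name__ == "__main__":
    for endpoint, rels in sorted(discover_endpoints(SAMPLE_RESPONSES).items()):
        print(endpoint, sorted(rels))
```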