0x14 - Hidden Endpoints via Link Headers
Did you know you can find additional API endpoints during the recon phase by checking the Link headers in HTTP server responses?
Finding undocumented API endpoints is a critical part of the pentest recon process.
They can reveal vulnerable functions or features that are disabled in the user interface, making them a great target for unauthorized access attacks.
Depending on how the app is configured, empty responses and 204 No Content statuses are easy to overlook, yet their headers can still carry useful information.
One lesser-known place to discover new endpoints is the Link HTTP response header (RFC 8288), which carries one or more URIs, each with a rel parameter describing its relationship to the current resource, for example: Link: </api/v2/users?page=2>; rel="next". Because the header is independent of the body, it shows up on 204 and 3xx responses just as it does on a 200.
While this is not very common, during one of my pentests I was able to find 25+ API endpoints using this technique, which greatly increased the attack surface.
How to do it
1. Navigate the app
2. Apply the Bambda filter linked below
3. Check the Notes tab for new endpoints
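The same idea outside Burp, as an added example that is not the author's Bambda: a small Python script that parses Link headers per RFC 8288 (multiple comma-separated link-values, quoted parameters containing commas or semicolons), resolves relative targets against the request URL, and collects the app's own endpoints regardless of status code. The responses, hostnames and paths are constructed for the example; in practice you would feed it Burp's HTTP history, a HAR export or a proxy log.

```python
"""Harvest candidate endpoints from HTTP Link response headers (RFC 8288).

Added example: a stand-alone stand-in for the Burp Bambda filter described
in the post, not the author's code. Responses are constructed inline as
(status, [(header, value), ...]) so the script runs offline.
"""
import re
from urllib.parse import urljoin, urlsplit

# One link-value: <target> followed by ;-separated params. Quoted param
# values may contain ',' and ';', so the param part is tokenised as either a
# quoted string or a run of non-delimiter characters.
_LINK_VALUE = re.compile(r'<([^>]*)>((?:\s*;\s*(?:"[^"]*"|[^;,"])+)*)')
_PARAM = re.compile(r'([A-Za-z0-9*_-]+)\s*=\s*(?:"([^"]*)"|([^;,\s]+))')


def parse_link_header(value):
    """Parse one Link header value into [(target, {param: value}), ...].

    Handles several comma-separated link-values in one header and both
    quoted and bare parameter values. RFC 8288 says the first occurrence of
    a parameter wins, so later duplicates are ignored.
    """
    links = []
    for m in _LINK_VALUE.finditer(value):
        target = m.group(1).strip()
        params = {}
        for p in _PARAM.finditer(m.group(2)):
            name = p.group(1).lower()
            val = p.group(2) if p.group(2) is not None else p.group(3)
            params.setdefault(name, val)
        links.append((target, params))
    return links


def extract_endpoints(responses, base_url, same_host_only=True):
    """Collect every Link target across a set of responses.

    Returns {absolute_url: sorted list of rel values}. Relative targets are
    resolved against base_url (the request URL in a real proxy log). With
    same_host_only, third-party links (CDNs, fonts) are dropped so the result
    is the app's own attack surface. Status codes are deliberately ignored:
    204 and 3xx responses carry Link headers just like 200s.
    """
    host = urlsplit(base_url).netloc.lower()
    found = {}
    for _status, headers in responses:
        for name, value in headers:
            if name.lower() != "link":
                continue  # repeated Link headers are each visited
            for target, params in parse_link_header(value):
                url = urljoin(base_url, target)
                if same_host_only and urlsplit(url).netloc.lower() != host:
                    continue
                found.setdefault(url, set()).add(params.get("rel", ""))
    return {url: sorted(rels) for url, rels in found.items()}


# Constructed sample traffic, not captured from any real application.
SAMPLE_RESPONSES = [
    # 204 with an empty body: the only clue is in the headers.
    (204, [("Content-Length", "0"),
           ("Link", '</api/v2/users/42/preferences>; rel="related", '
                    '</api/v2/users/42/sessions>; rel="collection"')]),
    # Paginated listing; the second Link header points somewhere the UI never does.
    (200, [("Content-Type", "application/json"),
           ("Link", '<https://app.example.com/api/v2/orders?page=2>; rel="next"'),
           ("Link", '</internal/export/orders.csv>; rel="alternate"; '
                    'title="CSV, full"')]),
    # Redirect carrying a preload hint for a bundle under a beta path.
    (302, [("Location", "/login"),
           ("Link", '</static/beta/app.js>; rel=preload; as=script')]),
    # Third-party resource; filtered out by same_host_only.
    (200, [("Link", '<https://cdn.example.net/fonts.css>; rel="stylesheet"')]),
]

BASE_URL = "https://app.example.com/api/v2/users/42"

if __name__ == "__main__":
    for url, rels in sorted(extract_endpoints(SAMPLE_RESPONSES, BASE_URL).items()):
        print(f"{url}  rel={','.join(rels)}")
```

Run it and you get five same-host URLs, two of them from a response whose body is empty. The rel value is kept alongside each URL because it hints at what the endpoint does (next, collection, alternate, preload) before you have sent a single request to it; set same_host_only=False if the target legitimately serves its API from a second hostname.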