Attack surface exposure library
Every entry is a finding type Legba Recon discovers on an external attack surface — what it is, how attackers find and exploit it, how to detect it on your own perimeter, how to validate a real hit instead of scanner noise, and how to remediate it.
Exposed Service
An exposed database server is a PostgreSQL (TCP 5432) or MySQL/MariaDB (TCP 3306) instance whose listener is reachable from the public internet, letting anyone attempt authentication directly against the data store. Because the protocol handshake leaks the product and version before login, attackers can fingerprint, brute force, and ultimately read or wipe the entire database.
An Exposed Docker Engine API is a Docker daemon listening on TCP port 2375 (or 2376 without client-certificate verification) where anyone who can reach the port controls the daemon. Because the daemon runs as root and can mount the host filesystem into a container, an unauthenticated request is equivalent to root-level remote code execution on the host.
An exposed Elasticsearch cluster is an Elasticsearch node reachable from the public internet (usually on TCP 9200) with no authentication, letting anyone read, modify, or delete every index over the REST API.
An exposed Jenkins instance is an internet-facing automation server whose web UI or CLI is reachable by anyone, often with anonymous or weak access that lets attackers reach the Groovy Script Console for remote code execution and harvest stored build credentials.
An exposed Kubernetes API server is a kube-apiserver endpoint (default TCP 6443, or the legacy insecure port 8080) reachable from the internet where anonymous access or over-broad RBAC lets an unauthenticated attacker enumerate and ultimately control the entire cluster.
An exposed MongoDB database is a mongod instance reachable from the public internet (typically TCP 27017) with authentication disabled, so anyone who connects can read, modify, or delete every collection without credentials. It is one of the most reliably exploited data exposures on the internet and a frequent target of automated ransom-wipe campaigns.
An exposed RDP endpoint is a Windows Remote Desktop service reachable directly from the public internet on TCP/3389. It is one of the most common initial-access vectors behind ransomware intrusions.
An exposed Redis instance is a Redis key-value server reachable from untrusted networks (typically TCP 6379) without authentication, letting anyone who connects read and overwrite all data and, via CONFIG SET plus SAVE, write arbitrary files to achieve remote code execution.
Application & API
Broken Object Level Authorization (BOLA), also called Insecure Direct Object Reference (IDOR), is an API flaw where the server confirms you are logged in but never checks that the object you requested actually belongs to you, so changing an ID in the request returns another user's data. It is ranked API1:2023, the number-one risk in the OWASP API Security Top 10.
Missing API rate limiting means a public endpoint accepts an unlimited number of requests from a single client without throttling, letting attackers run credential stuffing, data scraping, account enumeration, and resource-exhaustion denial-of-service at machine speed.
Missing Row Level Security (RLS) means a Supabase project's public anon key, which is meant to be shipped in browser code, can read or write every row through the auto-generated REST and GraphQL API because no row-level authorization policy gates the request. RLS, not the anon key, is the security boundary, and when it is disabled the entire database is effectively public.
A publicly writable Firebase database is a Firebase Realtime Database or Cloud Firestore whose Security Rules permit unauthenticated read and write access, so anyone who learns the project ID can read, modify, or delete the entire dataset over a simple HTTPS request.
Server-Side Request Forgery (SSRF) is a flaw where an application fetches a user-supplied URL on the server side, letting an attacker coerce the server into reaching internal services or the cloud metadata endpoint (169.254.169.254) to steal credentials. It maps to OWASP A10:2021 and CWE-918.
An unauthenticated API endpoint is an internal, admin, or data-handling route that responds to requests without verifying caller identity, letting anyone who finds the URL read or change data the API was never meant to expose publicly.
Misconfiguration
Directory listing is enabled when a web server returns an auto-generated index of a folder's contents instead of a default index page, exposing file and folder names such as backups, configs, and source code to anyone who requests the path.
A publicly accessible cloud storage bucket is an S3, Google Cloud Storage, or Azure Blob container whose access controls let anyone on the internet list or download its objects without authentication, frequently exposing backups, logs, customer records, or secrets.
Information Disclosure
An API key leaked in frontend code is a secret credential (database token, payment secret key, cloud key, or AI provider key) that gets compiled into the JavaScript bundle or source maps shipped to every visitor's browser, where anyone can read it with browser dev tools. Unlike a publishable key meant for the client, a secret key in the frontend grants attackers the same backend privileges your server holds.
An exposed .env file is a dotenv configuration file (such as .env, .env.local, or .env.production) that a web server returns as plain text instead of keeping it private, handing attackers the database credentials, cloud access keys, and signing secrets your application loads at boot.
An exposed .git directory is a version-control folder left reachable over HTTP, letting anyone download the repository internals and reconstruct your full source code, commit history, and any secrets committed along the way.
DNS & Domain
A dangling DNS record is a published DNS entry (A, AAAA, CNAME, NS, or MX) that still points to an IP address or third-party resource that has been deprovisioned, released, or expired, leaving the name resolving to infrastructure your organization no longer controls. Because anyone who reclaims that underlying IP or service inherits the traffic, dangling records enable interception, content control, and subdomain takeover.
A subdomain takeover happens when a DNS CNAME or ALIAS record still points to a third-party service that has been deprovisioned, letting an attacker re-register that service name and serve their own content from your trusted subdomain.
Credential & Access
Default credentials are the factory-set usernames and passwords (admin/admin, root/root, vendor-specific pairs) that ship with a device or application and are never changed, letting anyone who knows the published default log in with full access. Because the defaults are documented publicly and reused across every unit of a product, an internet-reachable device with its default left in place is effectively unauthenticated.
An exposed admin panel is an administrative or login console reachable from the public internet without IP allow-listing, SSO, or a VPN in front of it, giving attackers a direct, internet-facing target for credential guessing and exploitation. Because these consoles grant privileged control of an application or device, exposing one converts a routine login into a remotely brute-forceable foothold.
Certificate & TLS
An expired TLS certificate is a server certificate whose validity window (the notAfter date) has passed, so browsers and clients flag the connection as untrusted. It breaks the trust signal users rely on and reveals weak certificate lifecycle management on the surface.
A weak TLS configuration is an endpoint that still negotiates deprecated protocols (SSLv3, TLS 1.0/1.1) or weak cipher suites, or that omits HTTP Strict Transport Security, leaving encrypted traffic open to downgrade and man-in-the-middle interception. It is one of the most common findings on any internet-facing HTTPS surface.
Related surfaces
The exposure library is one part of the Recon story.
These finding-type guides support the Legba Recon assessment surface. Use the related pages to evaluate the product, the methodology behind it, and the broader Legba engine.
Legba Recon: Map the external surface, validate real exposures, and assemble a client-ready report in minutes.
EASM terms, explained: Plain-language explainers for reconnaissance, asset discovery, validation, and more.
Read the engine explainers: Browser isolation, AI security, and threat research that support the commercial story.