Unauthenticated API Endpoint

How attackers find and exploit it

• Harvest client-side JavaScript bundles and source maps, then parse string literals and fetch/axios calls to extract every API path the frontend references, including routes that are conditionally rendered or only used by admin views.
• Request well-known discovery artifacts, /swagger.json, /openapi.json, /v3/api-docs, /graphql introspection, and .well-known paths, to enumerate the full route surface and parameter shapes without ever logging in.
• Brute-force common internal and admin path conventions (/internal/, /api/admin/, /actuator/, /debug/, /metrics/, /v1/users) against the host and watch for 200/302 responses instead of 401/403.
• Send each candidate route with no Authorization header, no cookie, and no API key, comparing the response to an authenticated baseline to identify routes that return real data or perform actions anonymously.
• For a confirmed open route, enumerate predictable identifiers (sequential IDs, UUIDs leaked elsewhere, meeting/order/account numbers) to pull records in bulk, or replay mutating verbs (POST/PUT/DELETE) to change state.
• Chain the endpoint into deeper access: use an unauthenticated server-side proxy or job-trigger route to reach internal services, or use exposed admin actions to create credentials and establish persistence.

How to detect it on your surface

• Inventory every externally resolvable hostname and enumerate its routes from your own OpenAPI/Swagger definitions, gateway configs, and reverse-proxy rules, then flag any route lacking an enforced auth requirement.
• Diff the routes your code actually serves against the routes your authentication middleware actually covers; gaps (handlers registered outside the protected router group) are where unauthenticated endpoints hide.
• Replay a representative request to each route twice, once with valid credentials and once with all auth removed, and treat any non-401/403 response on the anonymous attempt as a candidate exposure.
• Crawl your own production JavaScript and mobile-app bundles the way an attacker would, extract referenced API paths, and verify each one rejects anonymous calls.
• Review API gateway, WAF, and ingress logs for successful (2xx) requests to sensitive paths that carry no session token, API key, or Authorization header.

Detection signals

• A request to a data or admin route with no Authorization header, no session cookie, and no API key returns HTTP 200 with a real JSON/XML body instead of 401 Unauthorized or 403 Forbidden.
• Discovery endpoints respond openly: /swagger.json, /openapi.json, /v3/api-docs, or a GraphQL endpoint that answers __schema introspection queries to anonymous callers.
• Spring Boot Actuator paths such as /actuator/env, /actuator/heapdump, or /actuator/mappings are reachable without credentials and disclose configuration, environment variables, or full route lists.
• Response bodies contain regulated or internal fields (email addresses, tokens, internal IDs, financial records) on a route the public UI never surfaces, and the same call works identically from any IP with no cookie.
• Mutating verbs (POST, PUT, PATCH, DELETE) on '/internal' or '/admin'-style paths return 200/201/204 rather than an authentication challenge.

Validate before you report

• Issue the exact request twice from a clean client, once with a known-good credential and once stripped of every auth artifact (cookie, bearer token, API key, client cert); a true positive returns substantively equivalent success when unauthenticated.
• Confirm the response reflects genuine server-side data or state change, not a static placeholder or generic landing page, by checking that returned values correlate to a known record you control.
• Test a mutating action with a reversible, low-impact payload (or a dry-run/idempotent parameter where supported) and verify the change is actually persisted, distinguishing a real unauthenticated write from a route that accepts but discards input.
• Re-run the anonymous request from a different network egress and a fresh client with no prior session to rule out IP-allowlist or cached-session false positives.
• Capture full request/response evidence, headers, body, status, and timestamp, so the finding is reproducible and the missing-auth condition is documented rather than inferred.

What looks like this but isn't

• Intentionally public, read-only endpoints (health checks, public catalogs, public status pages, OAuth discovery documents) are by-design anonymous and should be classified as accepted, not as exposures.
• A route that appears open may actually be gated by an upstream control, mutual TLS at a load balancer, an IP allowlist, or an API gateway policy, so confirm the anonymous success reproduces from an arbitrary external client before flagging it.
• Some endpoints return 200 with an empty or error payload regardless of auth; verify the body contains real data or that a mutation truly persisted, rather than treating any 200 as access.

Remediation

• Place authentication enforcement at a single choke point (gateway, middleware router group, or service mesh policy) so routes are protected by default and a developer must consciously opt a route into being public.
• Apply a deny-by-default policy: every newly registered route requires an explicit, reviewed public annotation, and the build fails if a handler is reachable without that annotation or an auth check.
• Immediately require a valid credential (session, signed and verified JWT with checked expiry and algorithm, scoped API key, or mTLS for service-to-service) on the exposed route and confirm the gate rejects all anonymous calls with 401.
• Disable or authenticate discovery and diagnostic surfaces in production, restrict Swagger/OpenAPI and GraphQL introspection, and lock down Spring Boot Actuator and similar management endpoints.
• Layer authorization behind authentication so an identified caller still cannot reach objects or actions outside their scope, addressing object- and function-level access control alongside the missing-auth fix.
• Add anti-automation controls, rate limiting, and anomaly alerting on sensitive routes, and add a regression test asserting the route returns 401/403 when called without credentials so the gap cannot silently reappear.

Operational checklist

• Maintain a living API inventory that links each external route to its enforced authentication and authorization requirement, and reconcile it against deployed gateway and ingress config on every release.
• Run automated unauthenticated probes of your external API surface on a recurring schedule, not just at release, since new routes and redeploys reopen gaps.
• Gate CI/CD on a check that every new or changed route declares its access policy and that no handler ships reachable without an explicit auth decision.
• Keep diagnostic, management, and discovery endpoints disabled or authenticated in production by default, and verify after each deploy.
• Monitor gateway and WAF logs for 2xx responses to sensitive paths lacking credentials, and alert on first occurrence.
• Review third-party and AI-generated/scaffolded code specifically for handlers registered outside the protected router group before merge.

Weakness references (CWE)

• CWE-306 — Missing Authentication for Critical Function
• CWE-285 — Improper Authorization
• CWE-862 — Missing Authorization