
API Testing Lesson: Sometimes the Documentation is the Vulnerability
While practicing API security labs, I came across a simple but important lesson about how attackers explore APIs.

Modern web applications rely heavily on APIs. When a user performs an action in the interface, the browser sends a request to the backend API. For example, updating an email address might send a request like:

    PATCH /api/user/wiener

This simply tells the server: update the user wiener. When you intercept such a request during testing, you can start exploring the API structure by walking up the path hierarchy, one segment at a time:

    /api/user/wiener  →  specific user
    /api/user         →  user resource
    /api              →  base API

In this lab, requesting /api revealed the application's API documentation. The documentation listed all available endpoints supported by the backend. One of them was:

    DELETE /api/user/{username}

This endpoint deletes a user. The website interface never exposed this functionality, but the backend still supported it, and the documentation is what made it discoverable. An endpoint that the interface never calls still has to enforce authorization on the server side, because a tester can send the request directly. Because the API did not enforce proper authorization, even a normal user
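The three steps in the walkthrough above (walking the intercepted path up its hierarchy, comparing the documentation with what the interface actually calls, and the missing server-side check on the DELETE endpoint) as an added, self-contained Python example. This is not code from the original post or from the lab: the documented endpoint list, the intercepted traffic and the user table are constructed for illustration, and the two delete handlers are hypothetical stand-ins for the backend, not its real implementation.

```python
import re
from urllib.parse import urlsplit

# --- Step 1: walk an intercepted path up its hierarchy --------------------

def parent_paths(path):
    """Return the ancestors of an API path, most specific first.

    '/api/user/wiener' -> ['/api/user', '/api']
    The query string (if any) is dropped; '/api' itself has no parents.
    """
    clean = urlsplit(path).path.rstrip("/")
    parts = clean.split("/")          # '/api/user/wiener' -> ['', 'api', 'user', 'wiener']
    return ["/".join(parts[:i]) for i in range(len(parts) - 1, 1, -1)]

# --- Step 2: compare the documentation with what the UI actually uses ------

# Constructed stand-in for what the documentation served at /api might list.
DOCUMENTED = [
    ("GET", "/api/user/{username}"),
    ("PATCH", "/api/user/{username}"),
    ("DELETE", "/api/user/{username}"),
]

# Constructed stand-in for the requests intercepted while using the website.
UI_TRAFFIC = [
    ("GET", "/api/user/wiener"),
    ("PATCH", "/api/user/wiener"),
]

def pattern_to_regex(pattern):
    """Turn a documented route such as '/api/user/{username}' into a regex;
    each {placeholder} matches one path segment, everything else is literal."""
    pieces = re.split(r"(\{[^/}]+\})", pattern)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in pieces)
    return re.compile("^" + body + "$")

def unexercised_endpoints(documented, observed):
    """Documented (method, route) pairs that never appear in the observed traffic.
    These are the first candidates to test by hand, since the UI gives no
    hint that they exist."""
    hidden = []
    for method, route in documented:
        rx = pattern_to_regex(route)
        if not any(m == method and rx.match(p) for m, p in observed):
            hidden.append((method, route))
    return hidden

# --- Step 3: the authorization gap on the hidden endpoint ------------------

# Constructed user table; 'wiener' is the lab's own user, the other names are made up.
USERS = {
    "wiener": {"email": "wiener@example.com", "role": "user"},
    "carlos": {"email": "carlos@example.com", "role": "user"},
    "administrator": {"email": "admin@example.com", "role": "admin"},
}

def fresh_db():
    """Independent copy of USERS so each call sequence starts from a clean state."""
    return {name: dict(record) for name, record in USERS.items()}

def delete_user_vulnerable(db, session_user, username):
    """Hypothetical handler for DELETE /api/user/{username} that only checks
    that the caller is logged in. Any authenticated user can delete anyone."""
    if session_user not in db:
        return 401
    if username not in db:
        return 404
    del db[username]
    return 204

def delete_user_fixed(db, session_user, username):
    """Same handler with the check the backend must make on every call:
    the caller must be an admin or be deleting their own account."""
    if session_user not in db:
        return 401
    if db[session_user]["role"] != "admin" and session_user != username:
        return 403
    if username not in db:
        return 404
    del db[username]
    return 204

if __name__ == "__main__":
    print(parent_paths("/api/user/wiener"))                          # ['/api/user', '/api']
    print(unexercised_endpoints(DOCUMENTED, UI_TRAFFIC))             # the hidden DELETE
    print(delete_user_vulnerable(fresh_db(), "wiener", "carlos"))    # 204: deleted
    print(delete_user_fixed(fresh_db(), "wiener", "carlos"))         # 403: refused
```

In a real test the observed traffic comes from the proxy history and the documented list from whatever /api returns; the diff between them is the to-do list, and each hidden endpoint is then sent as a low-privilege user to see whether the backend answers 403 or, as here, 204.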


