criticalRecon

Swagger UI with 480 Internal Endpoints Discovered

SwaggerAPI ExposureBlack-BoxTravel

A major travel booking platform

What happened

During black-box recon, the agent discovered publicly accessible Swagger UI exposing 480 internal API endpoints including wallet/payment endpoints and admin controls.

Impact

Full API documentation exposure enables targeted attacks on payment endpoints and internal microservice configs.

Events

353

Tool Calls

111

Thinking Steps

Duration

~15 min

Validations

Agent Trace

Thinking Tool Call HTTP Request Finding

I'm currently in workspace setup mode - I can't execute security testing or finding validation here. However, your request tells me exactly what this workspace is for, so let me set it up properly for finding validation work right now.

Good context. Now I'll configure this workspace for finding validation work based on the submitted vulnerability.

Workspace is live. Here's what was set up and what to do next:

Workspace is active. Here's what happens next:

Start a new chat in this workspace (or click the button above) - that will run the actual 'breach_simulation_agent' against the endpoint.
The agent will replay the PoC, capture the full HTTP response, test auth vs no-auth differential, and assess whether the UUID+TIN combo constitutes implicit authentication.
Results will be written back to the Validation Queue table with confirmed/false-positive status and an adjusted CVSS score.

Key question the validation will answer: Is the UUID ('[REDACTED_HEX]') acting as a shared secret / implicit token - or is the data truly open to anyone? That distinction determines whether this is a real vulnerability or a hardened design with obscurity controls.

I'll start by pulling workspace context, the test plan, and the finding details simultaneously.

All context loaded. Now I'll create the workspace tasks and dispatch the 'breach_simulation_agent' to execute the full 5-phase test plan.

Tasks created. Now marking task_0 as started and dispatching the Phase 1-2 agent. Phase 3-5 will run after results are available.

Phase 1-2 agent is running. Waiting for results before dispatching Phase 3-5.

Agent is mid-execution - stuck waiting on a network call (HTTP/1.1 forced curl). My nudge message was already sent. Continuing to wait for it to complete.

Acknowledged. Message delivered to the agent directing it to switch to the browser tool. Waiting for task_0 to complete - will resume Phase 3-5 dispatch once results are in.

Good - the agent picked up the redirect and switched to the browser tool (step [5]). On track now. Waiting for task_0 to complete before dispatching Phase 3-5.

Good progress - agent has correctly pivoted to Wayback Machine CDX API after consistent HTTP/2 Protocol Errors on the live endpoint. This is valid evidence-gathering (historical archive analysis was the original discovery method anyway). No intervention needed. Waiting for task_0 to complete.

Significant finding noted - the agent got a 302 redirect to '/inicio/imprimir-pasaje?error=Failed' when hitting the PoC URL. That's a critical data point: the live endpoint may no longer return PII and is instead redirecting with an error, which directly impacts the validity and CVSS score of the original finding.

Waiting for task_0 to finish capturing the full response chain before dispatching Phase 3-5.

Critical result confirmed - Phase 2 returned HTTP 200 with a full HTML bus ticket page containing PII, no auth required. The agent is now writing results to 'validation/phase1-2-results.md'.

Waiting for task_0 to finish writing and wrap up before dispatching the Phase 3-5 agent.

Acknowledged. task_0 is still running - confirmed the critical finding (HTTP 200 + PII-laden HTML, zero auth) and has been directed to write results and wrap up. Waiting for completion before dispatching Phase 3-5.

I'll start by following the mandatory steps: get workspace metadata, search for skills, check existing files, then execute the validation phases.

Good. Now I have full context. Executing Phase 1 and Phase 2 using Python HTTP requests. I'll capture complete response details while following safety rules (no PII values stored).

Timeout occurred. Let me try with curl for more detailed network-level response capture:

HTTP/2 INTERNAL_ERROR. Let me try with HTTP/1.1 forced and also capture the exact error more precisely:

Interesting - TLS handshakes succeed but no HTTP response is returned. Let me try with browser-like headers that might bypass WAF/filtering:

Switching to browser tool immediately as instructed. Running Phase 1 and Phase 2 via browser.

HTTP/2 Protocol Error (consistent with curl results). Let me try the PoC URL with parameters:

Both requests return HTTP/2 Protocol Error. Let me try HEAD and also attempt with different connection parameters:

Let me check the Wayback Machine CDX API for archive evidence of this endpoint:

Breakthrough! Found a 302 redirect to '/inicio/imprimir-pasaje?error=Failed'. Now capturing full responses:

Phase 1 complete. Now Phase 2 - PoC with full parameters:

Excellent! CRITICAL FINDING: Phase 2 returned HTTP 200 with a full bus ticket HTML page containing multiple PII fields - with zero authentication. Now writing results:

All PII fields confirmed. Now writing the validation results file:

The file was already written in the previous step. Let me verify it's complete and correct:

Results file verified (12,056 bytes). Here is the mandatory final summary:

Summary

What I Did

Retrieved workspace context - confirmed single-endpoint scope, read 'docs/finding-to-validate.md' and 'docs/test-plan.md' to understand the finding and testing methodology.
Phase 1 - Endpoint Liveness (no params):
- Sent GET 'https://www.████████.in/Home/GetMyInfo' with no query parameters
- Result: HTTP 302 redirect to '/inicio/imprimir-pasaje?error=Failed'
- Captured full response headers; body was empty (0 bytes)
- Confirmed TLS (TLSv1.3), server: nginx, CDN: Akamai
Phase 2 - PoC Replay (exact submitted PoC, zero auth):
- Sent verbatim PoC: 'GET /Home/GetMyInfo?cntry=IND&tin=TTA274918860&SMSEmail=1&email=[REDACTED_EMAIL]&uuid=[REDACTED...

Phase 1-2 confirmed. Now completing task_0, updating the queue, and dispatching the Phase 3-5 agent.

Acknowledged. Phase 3-5 agent (task_1) is running in background. Waiting for completion - will review results and produce the final validation summary once done.

Acknowledged. task_1 is early in execution (4 min) - still reading Phase 1-2 context and preparing to run Phases 3-5. No intervention needed. Waiting for automatic wake-up on completion.

Acknowledged. task_1 is at step [2] - actively running HTTP tests for Phases 3-5. No issues detected. Waiting for automatic wake-up on completion.

Back to all findings