
Here I want to understand: if private API documentation is exposed, how can a hacker exploit the application, given that all the endpoints have authorization and authentication? Is the documentation of the API really going to be helpful for a hacker trying to exploit it?

Nitin Rastogi

2 Answers

This question is quite vague.

A service's API documentation is for end users to utilize its service; it has information such as how to retrieve data, send data, store data, access data, manipulate data, and the list goes on. Usually, depending on the level of service, this API access can be restricted to different groups of people, such as paid/premium users, public users, organization users or employees, etc.

To answer your question, having access to your private API documentation that is meant for internal use does enable the hacker to find exploits/loopholes in how the API was implemented, that is, if there are loopholes to be found.

Hacker A (with no access to documentation) vs Hacker B (with access to documentation)

Hacker B will have a head start over Hacker A, as simple as that. Knowledge is power!

mallocation

If you have an internal administration portal that only the Human Resources department has access to, and that portal is a web application that talks to its API, then the people working in HR would be able to figure the API out anyway by observing the requests in the browser or viewing the JavaScript code.

Hiding API documentation from users who use the application is therefore of little use.

However, someone outside of HR (assuming they can't get their hands on the static JavaScript files without logging in) will not be able to do the same thing. API documentation would allow them to learn how to talk to the API. Who knows, perhaps one of the endpoints mistakenly has no authentication check! (Quite recently we had a client who had authentication on all endpoints except one, because they forgot the @authenticated annotation in the source code. An attacker could request GET /accountinfo/<account-ID>/. This sort of thing is not uncommon.)

In this case, where the attacker can't observe the API requests or read the client (JavaScript) code, hiding API documentation helps, but it is still security through obscurity: it takes more time for an attacker to figure things out, but it doesn't completely prevent them from attacking. People know that passwords need to be kept secret (hence Kerckhoffs's principle), but nobody considers URIs (API endpoints) to be real secrets. They'll leak or be guessed sooner or later.

You can withhold the documentation on a need-to-know basis, but don't get a false sense of security: endpoints are not secrets; authentication tokens are.

Luc
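The scenario in the answer above (every endpoint is supposed to be authenticated, one handler is missing the annotation, and a leaked API document lists exactly which routes exist) can be turned into a concrete check. The following is an added example, not code from the question, the answers, or any real product: it models a small internal HR API as in-process Python handlers with an `authenticated` decorator, deliberately omits the decorator on the `/accountinfo/{accountId}` handler, and then walks a constructed OpenAPI-style document, calling every documented operation with no credentials and reporting any that do not answer 401. The route names, token value and the `API_DOC` dictionary are all made up for the illustration; in a real audit the `dispatch` call would be replaced by an HTTP request to the live service.

```python
import re
from functools import wraps

# Constructed sample of a leaked "private" API document (OpenAPI-like, trimmed).
# This is the attacker's map: it tells them which paths and methods exist.
API_DOC = {
    "paths": {
        "/accountinfo/{accountId}": {"get": {"summary": "Account details"}},
        "/employees": {"get": {"summary": "List employees"}},
        "/payroll/{employeeId}": {"get": {"summary": "Payroll record"}},
    }
}

# Hypothetical session token accepted by the service (illustration only).
VALID_TOKENS = {"hr-session-token"}


def authenticated(handler):
    """Reject the call with 401 unless a valid bearer token is present."""
    @wraps(handler)
    def wrapper(request, **params):
        auth = request.get("headers", {}).get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in VALID_TOKENS:
            return 401, {"error": "unauthenticated"}
        return handler(request, **params)
    return wrapper


@authenticated
def get_employees(request):
    return 200, [{"id": "1", "name": "A. Example"}]


@authenticated
def get_payroll(request, employeeId):
    return 200, {"employeeId": employeeId, "salary": "redacted"}


# The bug from the anecdote: the decorator was forgotten on this one handler,
# so it answers 200 to anyone who knows the path.
def get_accountinfo(request, accountId):
    return 200, {"accountId": accountId, "iban": "redacted"}


ROUTES = {
    ("GET", "/accountinfo/{accountId}"): get_accountinfo,
    ("GET", "/employees"): get_employees,
    ("GET", "/payroll/{employeeId}"): get_payroll,
}


def match_template(template, path):
    """Return path parameters if `path` matches the `{name}` template, else None."""
    tparts = template.strip("/").split("/")
    pparts = path.strip("/").split("/")
    if len(tparts) != len(pparts):
        return None
    params = {}
    for t, p in zip(tparts, pparts):
        if t.startswith("{") and t.endswith("}"):
            params[t[1:-1]] = p
        elif t != p:
            return None
    return params


def dispatch(method, path, headers=None):
    """In-process stand-in for sending an HTTP request to the service."""
    for (m, template), handler in ROUTES.items():
        if m != method:
            continue
        params = match_template(template, path)
        if params is not None:
            return handler({"headers": headers or {}}, **params)
    return 404, {"error": "not found"}


def unauthenticated_endpoints(doc):
    """Call every documented operation with no credentials; return those not answering 401.

    This is what a leaked API document buys an attacker: a complete list of routes
    to probe, instead of guessing. It is equally useful as a pre-release check.
    """
    exposed = []
    for template, operations in doc["paths"].items():
        # Substitute a placeholder value for each {param} so the route matches.
        path = re.sub(r"\{\w+\}", "1", template)
        for method in operations:
            status, _ = dispatch(method.upper(), path)
            if status != 401:
                exposed.append((method.upper(), template, status))
    return exposed


if __name__ == "__main__":
    for method, template, status in unauthenticated_endpoints(API_DOC):
        print(f"NO AUTH CHECK: {method} {template} -> {status}")
```

Running the block prints the single forgotten route. The same loop, with `dispatch` swapped for a real HTTP client, is cheap enough to run in CI against every operation in the spec, which is the practical answer to "does hiding the documentation matter": if the check passes, the documentation leaking costs you little; if it fails, the documentation was never what protected you.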