Heroku
tcp/443 tcp/80
Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.
These documents detail every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities such as broken access control or injection points.
While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.
Severity: info
Fingerprint: 5733ddf49ff49cd18553ecf71a64bb4a059537956d2a97d10803f788c295a9fc
Public Swagger UI/API detected at path: /swagger-ui.html - sample paths:
GET /
GET /category/find/all
GET /category/find/all/web
GET /category/find/slug/{slug}
GET /category/find/{id}
GET /certificacion/admin-list
GET /certificacion/certificado/generar/{id}
GET /certificacion/fetch-module/{id}
GET /certificacion/list
GET /certificacion/modulo/{id}
GET /certificacion/payments-by-order/{order}
GET /certificacion/slug/{slug}
GET /certificacion/ventas
GET /content/find/{id}
GET /course/book/{id}
GET /course/category/{id}
GET /course/find/all
GET /course/in-person/list
GET /course/in-person/slug/{slug}
GET /course/in-person/{id}
GET /course/payments/{id}
GET /course/ventas/{id}
GET /course/{id}
GET /error
GET /main/dashboard
GET /main/search/{search}
GET /master/category/{id}
GET /master/courses/{id}
GET /master/{id}
GET /music/playlist
GET /oauth/authorize
GET /oauth/check_token
GET /oauth/confirm_access
GET /oauth/error
GET /oauth/token
GET /store/product/{id}
GET /store/products
GET /ticket/generate
GET /user/contact
GET /user/history/{orderId}
GET /user/mail/test
GET /user/my-purchases
GET /user/notification/test
GET /user/oxxo-requests
GET /user/payment/list
GET /user/payment/paypal/token
GET /user/profile
GET /user/stripe/payment/list
GET /user/tickets
GET /user/version
GET /video/course/{id}
POST /cart/conekta/pay
POST /cart/conekta/pay-oxxo
POST /cart/conekta/pay/installments/{installments}
POST /cart/paypal/pay/{orderNumber}
POST /cart/stripe/get-plans
POST /cart/stripe/pay
POST /cart/stripe/pay-certifications
POST /cart/stripe/pay-oxxo
POST /cart/stripe/pay-oxxo-certifiaction
POST /cart/testmail
POST /category/create
POST /certificacion/conekta/pay-oxxo
POST /certificacion/evaular/{id}
POST /certificacion/iap
POST /certificacion/module/update
POST /certificacion/pagar
POST /certificacion/pagar-carrito
POST /certificacion/pagar/stripe
POST /certificacion/paypal
POST /certificacion/paypal/pay/{orderNumber}
POST /certificacion/prueba
POST /certificacion/reenviar
POST /contact/send
POST /content/create
POST /course/conekta/pay
POST /course/conekta/pay/guest
POST /course/conekta/pay/{cardId}
POST /course/create
POST /course/iap/paid
POST /course/in-person/conekta/pay
POST /course/in-person/oxxo/pay
POST /course/in-person/paypal/pay
POST /course/oxxo/confirm
POST /course/oxxo/pay
POST /course/oxxo/stripe-webhook
POST /course/oxxo/webhook
POST /course/paquete/conekta/pay/{paquete}
POST /course/payment/course/online/confirm/paypal
POST /course/payments-by-order
POST /course/paypal/pay
POST /course/promo-code/in-person/validate
POST /course/promo-code/validate
POST /course/update
POST /course/v2/conekta/pay
POST /gallery/create
POST /image/upload
POST /master/create
POST /store/order
POST /store/order/paypal
POST /store/order/stripe
POST /ticket/resend
POST /tokens/revoke/{tokenId}
POST /tokens/revokeRefreshToken/{tokenId}
POST /user/delete
POST /user/device
POST /user/password/recovery
POST /user/password/update
POST /user/payment/create
POST /user/payment/default
POST /user/payment/delete
POST /user/profile/update
POST /user/register
POST /user/signin/facebook
POST /user/stripe/addPaymentMethod
POST /video/create
POST /video/finished
Open service 15.197.149.68:80 · api.zertu.mx
2026-01-09 18:17
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,responseType
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Fri, 09 Jan 2026 18:18:58 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=QC5z1WJBcehgXzNljLgU1ei8jPETOc341gh1F7q38p0%3D\u0026sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6\u0026ts=1767982738"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=QC5z1WJBcehgXzNljLgU1ei8jPETOc341gh1F7q38p0%3D&sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6&ts=1767982738"
Server: Heroku
Via: 1.1 heroku-router
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 28
Connection: close
{"code":200,"response":"OK"}
Open service 15.197.149.68:443 · api.zertu.mx
2026-01-09 13:50
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,responseType
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Fri, 09 Jan 2026 13:50:48 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=WHze1lMfzn%2BfrtTtVFLYKmSRVp7dMPCOQzDzYGN7NXw%3D\u0026sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6\u0026ts=1767966648"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=WHze1lMfzn%2BfrtTtVFLYKmSRVp7dMPCOQzDzYGN7NXw%3D&sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6&ts=1767966648"
Server: Heroku
Via: 1.1 heroku-router
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 28
Connection: close
{"code":200,"response":"OK"}
Open service 15.197.149.68:443 · api.zertu.mx
2026-01-02 13:28
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,responseType
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Fri, 02 Jan 2026 13:28:48 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=YtF%2FzQyg%2BLnaLY4q4Tdn29Jkx5kSMIR3eDWNLe7eJvA%3D\u0026sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6\u0026ts=1767360529"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=YtF%2FzQyg%2BLnaLY4q4Tdn29Jkx5kSMIR3eDWNLe7eJvA%3D&sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6&ts=1767360529"
Server: Heroku
Via: 1.1 heroku-router
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 28
Connection: close
{"code":200,"response":"OK"}
Open service 15.197.149.68:80 · api.zertu.mx
2026-01-02 06:57
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,responseType
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Fri, 02 Jan 2026 06:57:41 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=pwSQtScTSKGRZOUO7xDrE2%2Bg8t2muj1FqQwOQ%2Btjmvs%3D\u0026sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6\u0026ts=1767337061"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=pwSQtScTSKGRZOUO7xDrE2%2Bg8t2muj1FqQwOQ%2Btjmvs%3D&sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6&ts=1767337061"
Server: Heroku
Via: 1.1 heroku-router
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 28
Connection: close
{"code":200,"response":"OK"}
Open service 15.197.149.68:80 · api.zertu.mx
2025-12-30 09:23
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,responseType
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Tue, 30 Dec 2025 09:23:56 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=g8iX90TIPBlss%2BsN%2FaUOehYWkNNeSx5lgNe3D3iEP%2FY%3D\u0026sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6\u0026ts=1767086636"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=g8iX90TIPBlss%2BsN%2FaUOehYWkNNeSx5lgNe3D3iEP%2FY%3D&sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6&ts=1767086636"
Server: Heroku
Via: 1.1 heroku-router
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 28
Connection: close
{"code":200,"response":"OK"}
Open service 15.197.149.68:80 · api.zertu.mx
2025-12-22 10:25
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,responseType
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Mon, 22 Dec 2025 10:25:31 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=JpbWp0pqg60O989ZcxfCOXp0O2ZGHlVyt44IkE585P4%3D\u0026sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6\u0026ts=1766399131"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=JpbWp0pqg60O989ZcxfCOXp0O2ZGHlVyt44IkE585P4%3D&sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6&ts=1766399131"
Server: Heroku
Via: 1.1 heroku-router
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 28
Connection: close
{"code":200,"response":"OK"}
Open service 15.197.149.68:80 · api.zertu.mx
2025-12-21 05:52
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,responseType
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Sun, 21 Dec 2025 05:52:05 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=RO6EoI%2FAGOy%2B%2FXxf25k8lEG4t3mo%2FWNpYhGe1K5EtjY%3D\u0026sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6\u0026ts=1766296325"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=RO6EoI%2FAGOy%2B%2FXxf25k8lEG4t3mo%2FWNpYhGe1K5EtjY%3D&sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6&ts=1766296325"
Server: Heroku
Via: 1.1 heroku-router
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 28
Connection: close
{"code":200,"response":"OK"}
Open service 15.197.149.68:443 · api.zertu.mx
2025-12-20 21:28
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,responseType
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Sat, 20 Dec 2025 21:28:40 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=ZiOM7%2FGvHB169bucGZKy3%2FiRBQeh0j6WLJ%2FYu%2B%2BkvX8%3D\u0026sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6\u0026ts=1766266120"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=ZiOM7%2FGvHB169bucGZKy3%2FiRBQeh0j6WLJ%2FYu%2B%2BkvX8%3D&sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6&ts=1766266120"
Server: Heroku
Via: 1.1 heroku-router
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 28
Connection: close
{"code":200,"response":"OK"}
Open service 15.197.149.68:80 · api.zertu.mx
2025-12-19 07:08
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,responseType
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Fri, 19 Dec 2025 07:08:49 GMT
Expires: 0
Nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1}
Pragma: no-cache
Report-To: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=hNb%2Fwhan2m16qu51N%2F%2BpdoTuHTTZUiWp5xtUwI8Loz0%3D\u0026sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6\u0026ts=1766128130"}],"max_age":3600}
Reporting-Endpoints: heroku-nel="https://nel.heroku.com/reports?s=hNb%2Fwhan2m16qu51N%2F%2BpdoTuHTTZUiWp5xtUwI8Loz0%3D&sid=929419e7-33ea-4e2f-85f0-7d8b7cd5cbd6&ts=1766128130"
Server: Heroku
Via: 1.1 heroku-router
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 28
Connection: close
{"code":200,"response":"OK"}