Exposing Swagger/OpenAPI documentation is primarily a risk when the API behind it has security flaws: the specification hands an attacker a precise map for finding them.
An OpenAPI document enumerates every endpoint, HTTP method, parameter and data model, so discovering and exploiting weaknesses such as broken access control or injection points becomes a matter of reading the spec rather than guessing at routes.
A correctly secured API limits the damage, but restricting access to the documentation (for example, serving it only in non-production environments or behind authentication) is still a worthwhile layer of defense that forces attackers to work without a map. The sample paths below include tenant management, provisioning, Casbin initialization and maintenance operations, which are exactly the routes an attacker would probe first.
Severity: info
Fingerprint: 5733ddf49ff49cd1aad03549cafa191211da241da1cbdfe6dabd40762a1375f5
Public Swagger UI/API detected at path: /swagger/index.html - sample paths:
DELETE /api/Event/{id}/EventTerm/{eventTermId}/EventTermParticipant/{eventTermParticipantId}
GET /Account/LoggedOut
GET /Account/Logout
GET /Account/ProcessLogout
GET /api/Category
GET /api/Category/{id}
GET /api/Event
GET /api/Event/{id}
GET /api/Event/{id}/EventAssignment
GET /api/Event/{id}/EventAssignment/{eventAssignmentId}
GET /api/Event/{id}/EventTerm
GET /api/Event/{id}/EventTerm/{eventTermId}
GET /api/Event/{id}/EventTerm/{eventTermId}/EventTermParticipant
GET /api/Event/{id}/EventTerm/{eventTermId}/EventTermParticipantUnassigned
GET /api/Event/{id}/UnassignedGroup
GET /api/Event/{id}/UnassignedUser
GET /api/Group
GET /api/Group/{groupId}
GET /api/MyEvent/All
GET /api/MyEvent/Calendar
GET /api/MyEvent/Calendar/Day
GET /api/MyEvent/Calendar/Month
GET /api/MyEvent/Lecturer
GET /api/MyEvent/Registered
GET /api/MyEvent/{eventId}/EventTerm/{eventTermId}/OtherTerms
GET /api/MyEvent/{id}/Details
GET /api/MyEvent/{id}/PrimaryParticipants
GET /api/Settings
GET /api/User
GET /api/User/{userId}
GET /api/administration/user/{userId}/Role
GET /error/{code}
PATCH /api/MyEvent/{id}/EventTermParticipant/{eventTermParticipantId}
POST /api/CasbinMaintenance/casbin-initialization
POST /api/Event/{id}/EventAssignments
POST /api/Maintenance/RegisterNotifications
POST /api/MyEvent/{id}/PrimaryParticipants/Excel
POST /api/MyEvent/{id}/Register
POST /api/MyEvent/{id}/Unregister
POST /api/Provision
POST /api/Provision/PublishAndRebuildCopiedContent
POST /api/tenants/create
POST /api/tenants/disable/{tenantName}
POST /api/tenants/edit
POST /api/tenants/enable/{tenantName}
POST /api/tenants/remove/{tenantName}
POST /api/tenants/setup
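To make the "roadmap" point concrete, the following added example (not part of the scanner output or the scanned application) shows how a reviewer or attacker turns an OpenAPI 3 document into a triage list: it flattens the spec into method/path rows, resolves each operation's effective `security` requirement (per-operation overrides the document default; an explicit empty list means no authentication is declared), and flags routes whose names suggest administrative functionality. The spec embedded here is a constructed sample whose paths are modelled on the ones listed above, but its security annotations are assumptions for illustration, not the real application's settings; the keyword list in `SENSITIVE` is likewise a hypothetical starting point.

```python
import json
import re

# Constructed sample OpenAPI 3 document (assumption: not the scanned
# application's real spec). Paths are modelled on the finding above; the
# security annotations are invented for the example.
SAMPLE_SPEC = json.loads(r'''
{
  "openapi": "3.0.1",
  "components": {
    "securitySchemes": {
      "Bearer": {"type": "http", "scheme": "bearer"}
    }
  },
  "security": [{"Bearer": []}],
  "paths": {
    "/api/Category": {"get": {"summary": "List categories", "security": []}},
    "/api/Event/{id}": {
      "get": {"summary": "Get event"},
      "delete": {"summary": "Delete event"}
    },
    "/api/administration/user/{userId}/Role": {"get": {"summary": "User roles"}},
    "/api/tenants/remove/{tenantName}": {"post": {"summary": "Remove tenant", "security": []}},
    "/api/Maintenance/RegisterNotifications": {"post": {"summary": "Maintenance"}}
  }
}
''')

# OpenAPI path-item keys that denote operations (other keys such as
# "parameters" or "summary" are not operations).
HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options", "trace")

# Hypothetical keyword list for routes that usually deserve a closer look.
SENSITIVE = re.compile(r"admin|tenant|maintenance|provision|casbin|debug|internal", re.I)


def enumerate_operations(spec):
    """Flatten an OpenAPI 3 document into one row per (method, path).

    The effective security requirement is the operation's own `security`
    list if present, otherwise the document-level default. An explicit
    empty list means the operation declares no authentication at all.
    """
    default_security = spec.get("security", [])
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            security = op.get("security", default_security)
            rows.append({
                "method": method.upper(),
                "path": path,
                "unauthenticated": len(security) == 0,
                "sensitive": bool(SENSITIVE.search(path)),
            })
    return rows


def triage(spec):
    """Operations to check first: declared as unauthenticated and either
    state-changing (non-GET) or sensitive-looking by name."""
    return [
        r for r in enumerate_operations(spec)
        if r["unauthenticated"] and (r["sensitive"] or r["method"] != "GET")
    ]


if __name__ == "__main__":
    for r in enumerate_operations(SAMPLE_SPEC):
        flags = (" NOAUTH" if r["unauthenticated"] else "") + (" SENSITIVE" if r["sensitive"] else "")
        print(f"{r['method']:6} {r['path']}{flags}")
    print("\nTriage first:")
    for r in triage(SAMPLE_SPEC):
        print(f"  {r['method']} {r['path']}")
```

Run against a real spec, the same script is the attacker's map and the defender's checklist: every row flagged NOAUTH must be intentionally public, and every SENSITIVE row must enforce authorization server-side regardless of what the spec declares, since the `security` field documents intent rather than proving enforcement.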