Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, because it gives attackers a precise roadmap for finding them.
These documents detail every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities such as broken access control or injection points.
While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.
Severity: info
Fingerprint: 5733ddf49ff49cd1b885ff435a26a4c644a417c2a12ceeda4176bdfad4e9815d
Public Swagger UI/API detected at path: /swagger.json - sample paths:
GET /plg_auth_check/
GET /v1/auth_check
GET /v1/change-request-logs/
GET /v1/change-request-logs/{id}/
GET /v1/change-requests/
GET /v1/change-requests/{id}/
GET /v1/data_files/
GET /v1/data_files/years
GET /v1/data_files/years/{stt}
GET /v1/data_files/{id}/
GET /v1/data_files/{id}/download/
GET /v1/data_files/{id}/download_error_report/
GET /v1/feedback/
GET /v1/feedback/{id}/
GET /v1/login/
GET /v1/logout
GET /v1/oidc/ams
GET /v1/reports/
GET /v1/reports/report-sources/
GET /v1/reports/report-sources/{id}/
GET /v1/reports/{id}/
GET /v1/reports/{id}/download/
GET /v1/roles/
GET /v1/security/get-token
GET /v1/stts/
GET /v1/stts/alpha
GET /v1/stts/by_region
GET /v1/users/
GET /v1/users/profile/
GET /v1/users/request_access/
GET /v1/users/{id}/
PATCH /v1/users/update_profile/
POST /v1/logs/
POST /v1/security/event-token
Severity: info
Fingerprint: 5733ddf49ff49cd1b885ff435a26a4c644a417c2462c12f012246220c812a5d5
Public Swagger UI/API detected at path: /swagger.json - sample paths:
GET /plg_auth_check/
GET /v1/auth_check
GET /v1/data_files/
GET /v1/data_files/years
GET /v1/data_files/years/{stt}
GET /v1/data_files/{id}/
GET /v1/data_files/{id}/download/
GET /v1/data_files/{id}/download_error_report/
GET /v1/feedback/
GET /v1/feedback/{id}/
GET /v1/login/
GET /v1/logout
GET /v1/oidc/ams
GET /v1/roles/
GET /v1/security/get-token
GET /v1/stts/
GET /v1/stts/alpha
GET /v1/stts/by_region
GET /v1/users/
GET /v1/users/request_access/
GET /v1/users/{id}/
POST /v1/logs/
Open service 56.137.118.217:443 · tanfdata.acf.hhs.gov
2026-01-22 22:33
HTTP/1.1 403 Forbidden
Date: Thu, 22 Jan 2026 22:33:07 GMT
Content-Type: application/json
Content-Length: 136
Connection: close
x-amzn-requestid: 2d8c24a9-5e1c-4d8a-a0b5-edc583174c9c
access-control-allow-origin: *
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet because no resource-based policy allows the es:ESHttpGet action"}