LeakIX - Host www.liminalily.com

Domain www.liminalily.com

Singapore

CLOUDFLARENET

Software information

cloudflare

tcp/443

nginx nginx 1.28.0

tcp/443

Swagger API description is publicly available

Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.

Those detail every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities like broken access control or injection points.

While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.

IP: 104.17.164.211
Domain: www.liminalily.com
Port: 443
URL: https://www.liminalily.com

First seen 2025-11-04 17:40
Last seen 2025-11-08 10:13
Open for 3 days

Severity: info
Fingerprint: 5733ddf49ff49cd151e75e4bf8ba89be4987094c1dddfcc9d2c7f946dd55949e

Public Swagger UI/API detected at path: /v3/api-docs - sample paths:
DELETE /admin/download/log/delete/{id}
DELETE /admin/link/delete/{id}
DELETE /admin/link/deleteExpireLink
DELETE /admin/sso/provider/{provider}
DELETE /admin/user/delete/{id}
GET /
GET /admin/2fa/setup
GET /admin/clientIp
GET /admin/config
GET /admin/download/log/list
GET /admin/link/export
GET /admin/link/limit/info
GET /admin/link/list
GET /admin/log/download
GET /admin/login/log/list
GET /admin/permission/list
GET /admin/sso/provider/checkDuplicate
GET /admin/sso/providers
GET /admin/storage-params
GET /admin/storage/exist/key
GET /admin/storage/{storageId}
GET /admin/storage/{storageId}/filters
GET /admin/storage/{storageId}/password
GET /admin/storage/{storageId}/permission
GET /admin/storage/{storageId}/readme
GET /admin/storages
GET /admin/support-storage
GET /admin/user/checkDuplicate
GET /admin/user/list
GET /admin/user/{id}
GET /api/install/status
GET /api/site/config/global
GET /api/site/config/userRootPath/{storageKey}
GET /api/sso/list
GET /api/storage/list
GET /gd/authorize
GET /guest
GET /onedirve/authorize
GET /onedirve/callback
GET /onedirve/china-authorize
GET /onedirve/china-callback
GET /onedrive/authorize
GET /onedrive/callback
GET /onedrive/china-authorize
GET /onedrive/china-callback
GET /onlyOffice/callback
GET /pd/{storageKey}/**
GET /s/{key}
GET /sso/{provider}/login
GET /sso/{provider}/login/callback
GET /user/login/captcha
GET /user/login/check
GET /user/login/verify-mode
POST /admin/2fa/verify
POST /admin/download/log/delete/batch
POST /admin/download/log/delete/batch/query
POST /admin/link/delete/batch
POST /admin/rule-test
POST /admin/sso/provider
POST /admin/storage
POST /admin/storage/copy
POST /admin/storage/sort
POST /admin/storage/{storageId}/compatibility_readme/{status}
POST /admin/storage/{storageId}/disable
POST /admin/storage/{storageId}/enable
POST /admin/user/copy
POST /admin/user/disable/{id}
POST /admin/user/enable/{id}
POST /admin/user/saveOrUpdate
POST /api/file/operator/delete/batch
POST /api/file/operator/mkdir
POST /api/file/operator/rename/file
POST /api/file/operator/rename/folder
POST /api/file/operator/upload/file
POST /api/file/operator/{action}/{type}
POST /api/install
POST /api/path-link/batch/generate
POST /api/short-link/batch/generate
POST /api/site/config/storage
POST /api/storage/file/item
POST /api/storage/files
POST /gd/drives
POST /onlyOffice/config/token
POST /s3/getBuckets
POST /s3/getCorsConfig
POST /sharepoint/getDomainPrefix
POST /sharepoint/getSiteId
POST /sharepoint/getSiteLists
POST /sharepoint/getSites
POST /user/login
POST /user/logout
POST /user/updatePwd
PUT /admin/config/access
PUT /admin/config/link
PUT /admin/config/security
PUT /admin/config/site
PUT /admin/config/view
PUT /file/upload/{storageKey}/**
PUT /user/resetAdminPassword

Found on 2025-11-08 10:13

Create report

Swagger API description is publicly available

Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.

Those detail every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities like broken access control or injection points.

While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map.

IP: 104.17.164.211
Domain: www.liminalily.com
Port: 8443
URL: https://www.liminalily.com:8443

First seen 2025-11-04 17:40
Last seen 2025-11-07 08:48
Open for 2 days

Severity: info
Fingerprint: 5733ddf49ff49cd151e75e4bf8ba89be4987094c1dddfcc9d2c7f946dd55949e

Public Swagger UI/API detected at path: /v3/api-docs - sample paths:
DELETE /admin/download/log/delete/{id}
DELETE /admin/link/delete/{id}
DELETE /admin/link/deleteExpireLink
DELETE /admin/sso/provider/{provider}
DELETE /admin/user/delete/{id}
GET /
GET /admin/2fa/setup
GET /admin/clientIp
GET /admin/config
GET /admin/download/log/list
GET /admin/link/export
GET /admin/link/limit/info
GET /admin/link/list
GET /admin/log/download
GET /admin/login/log/list
GET /admin/permission/list
GET /admin/sso/provider/checkDuplicate
GET /admin/sso/providers
GET /admin/storage-params
GET /admin/storage/exist/key
GET /admin/storage/{storageId}
GET /admin/storage/{storageId}/filters
GET /admin/storage/{storageId}/password
GET /admin/storage/{storageId}/permission
GET /admin/storage/{storageId}/readme
GET /admin/storages
GET /admin/support-storage
GET /admin/user/checkDuplicate
GET /admin/user/list
GET /admin/user/{id}
GET /api/install/status
GET /api/site/config/global
GET /api/site/config/userRootPath/{storageKey}
GET /api/sso/list
GET /api/storage/list
GET /gd/authorize
GET /guest
GET /onedirve/authorize
GET /onedirve/callback
GET /onedirve/china-authorize
GET /onedirve/china-callback
GET /onedrive/authorize
GET /onedrive/callback
GET /onedrive/china-authorize
GET /onedrive/china-callback
GET /onlyOffice/callback
GET /pd/{storageKey}/**
GET /s/{key}
GET /sso/{provider}/login
GET /sso/{provider}/login/callback
GET /user/login/captcha
GET /user/login/check
GET /user/login/verify-mode
POST /admin/2fa/verify
POST /admin/download/log/delete/batch
POST /admin/download/log/delete/batch/query
POST /admin/link/delete/batch
POST /admin/rule-test
POST /admin/sso/provider
POST /admin/storage
POST /admin/storage/copy
POST /admin/storage/sort
POST /admin/storage/{storageId}/compatibility_readme/{status}
POST /admin/storage/{storageId}/disable
POST /admin/storage/{storageId}/enable
POST /admin/user/copy
POST /admin/user/disable/{id}
POST /admin/user/enable/{id}
POST /admin/user/saveOrUpdate
POST /api/file/operator/delete/batch
POST /api/file/operator/mkdir
POST /api/file/operator/rename/file
POST /api/file/operator/rename/folder
POST /api/file/operator/upload/file
POST /api/file/operator/{action}/{type}
POST /api/install
POST /api/path-link/batch/generate
POST /api/short-link/batch/generate
POST /api/site/config/storage
POST /api/storage/file/item
POST /api/storage/files
POST /gd/drives
POST /onlyOffice/config/token
POST /s3/getBuckets
POST /s3/getCorsConfig
POST /sharepoint/getDomainPrefix
POST /sharepoint/getSiteId
POST /sharepoint/getSiteLists
POST /sharepoint/getSites
POST /user/login
POST /user/logout
POST /user/updatePwd
PUT /admin/config/access
PUT /admin/config/link
PUT /admin/config/security
PUT /admin/config/site
PUT /admin/config/view
PUT /file/upload/{storageKey}/**
PUT /user/resetAdminPassword

Found on 2025-11-07 08:48

Create report

Open service 240d:c010:77:2::d9:443 · www.liminalily.com

2026-01-25 09:00

HTTP/1.1 200 OK
Server: nginx/1.28.0
Content-Type: text/html; charset=UTF-8
Permissions-Policy: private-state-token-redemption=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com"), private-state-token-issuance=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com")
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Connection: close
Date: Sun, 25 Jan 2026 09:01:05 GMT
EO-LOG-UUID: 3693591880120755442
EO-Cache-Status: MISS
NEL: {"success_fraction":0.1,"report_to":"eo-nel","max_age":604800}
Report-To: {"endpoints":[{"url":"https://nel.teo-rum.com/eo-cgi/nel"}],"group":"eo-nel","max_age":604800}

Found 2026-01-25 by HttpPlugin

Create report

Open service 43.174.246.38:443 · www.liminalily.com

2026-01-25 09:00

HTTP/1.1 200 OK
Server: nginx/1.28.0
Content-Type: text/html; charset=UTF-8
Permissions-Policy: private-state-token-redemption=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com"), private-state-token-issuance=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com")
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Connection: close
Date: Sun, 25 Jan 2026 09:01:05 GMT
EO-LOG-UUID: 8971377265289695604
EO-Cache-Status: MISS
NEL: {"success_fraction":0.1,"report_to":"eo-nel","max_age":604800}
Report-To: {"endpoints":[{"url":"https://nel.teo-rum.com/eo-cgi/nel"}],"group":"eo-nel","max_age":604800}

Found 2026-01-25 by HttpPlugin

Create report

Open service 43.174.247.38:443 · www.liminalily.com

2026-01-25 09:00

HTTP/1.1 200 OK
Server: nginx/1.28.0
Content-Type: text/html; charset=UTF-8
Permissions-Policy: private-state-token-redemption=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com"), private-state-token-issuance=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com")
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Connection: close
Date: Sun, 25 Jan 2026 09:01:05 GMT
EO-LOG-UUID: 1915161206717788096
EO-Cache-Status: MISS
NEL: {"success_fraction":0.1,"report_to":"eo-nel","max_age":604800}
Report-To: {"endpoints":[{"url":"https://nel.teo-rum.com/eo-cgi/nel"}],"group":"eo-nel","max_age":604800}

Found 2026-01-25 by HttpPlugin

Create report

Open service 104.17.164.211:443 · www.liminalily.com

2026-01-23 00:18

HTTP/1.1 521 <none>
Date: Fri, 23 Jan 2026 00:18:43 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 15
Connection: close
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Referrer-Policy: same-origin
Server-Timing: cfEdge;dur=155,cfOrigin;dur=0
X-Frame-Options: SAMEORIGIN
Server: cloudflare
CF-RAY: 9c231d8c1bde9b34-FRA
alt-svc: h3=":443"; ma=86400


error code: 521

Found 2026-01-23 by HttpPlugin

Create report

.cdn.myqcloud.com.bldimg.com.geetest.com.jsbchina.cn.lof3.xyz.suyinwealth.combldimg.comgeetest.comjsbchina.cnlof3.xyzsuyinwealth.comcdn.myqcloud.com

Fingerprint:

f6f3654daf9d3a6aaac9c41a1b747e9464ee1fc0281f64b8a6734018fda1d125

CN:

*.cdn.myqcloud.com

Key:

RSA-2048

Issuer:

TrustAsia DV TLS RSA CA 2025

Not before:

2025-05-23 00:00

Not after:

2026-06-10 23:59

www.liminalily.com

Fingerprint:

0ed95fa07f5a6209aaf3e1296c88c7064b08825ed9295319843f79ebecb77f1d

CN:

www.liminalily.com

Key:

ECDSA-256

Issuer:

WE1

Not before:

2025-11-04 16:39

Not after:

2026-02-02 17:39

Domain summary

www.liminalily.com 5

1 recorded

IP summary

240d:c010:77:2::d9 1 43.174.246.38 1 43.174.247.38 1 104.17.164.211 1

4 recorded

Domain www.liminalily.com

Singapore

Software information

Swagger API description is publicly available

Swagger API description is publicly available

Create report

Create report

Create report

Create report

*.cdn.myqcloud.com*.bldimg.com*.geetest.com*.jsbchina.cn*.lof3.xyz*.suyinwealth.combldimg.comgeetest.comjsbchina.cnlof3.xyzsuyinwealth.comcdn.myqcloud.com

www.liminalily.com

Domain summary

IP summary

.cdn.myqcloud.com.bldimg.com.geetest.com.jsbchina.cn.lof3.xyz.suyinwealth.combldimg.comgeetest.comjsbchina.cnlof3.xyzsuyinwealth.comcdn.myqcloud.com