
Exposure Surface

Maps common exposed HTTP endpoints on a given domain – such as security contact files, API documentation, health/diagnostics probes, and debug/admin panels.
This module helps you quickly understand what is publicly reachable and where sensitive or high-risk endpoints might be exposed.


  • Probes a curated set of high-signal paths (e.g. /.well-known/security.txt, /swagger, /healthz, /metrics, /phpinfo.php, /.env, /admin, etc.).
  • Classifies each path into categories such as:
    • security_contact – security.txt / vulnerability-disclosure files.
    • api_docs – Swagger, OpenAPI, GraphQL UIs, API playgrounds.
    • diagnostics – health, readiness, metrics, actuator endpoints.
    • debug – phpinfo, debug toolbars, env/config dumps, admin consoles.
  • Records:
    • HTTP status code
    • Whether the endpoint is present
    • A status flag (OK, INFO, WARN, FAIL)
    • Human-readable notes with quick context.
  • Computes an overall_risk level and a list of key findings
    (e.g. "debug endpoint /.env is exposed with status 200 (FAIL)").

Typical questions this helps answer

  • Which “well-known” or high-risk endpoints are exposed on this host?
    Quickly see if health checks, metrics, admin UIs, or debug pages are reachable from the internet.

  • Is there any obvious misconfiguration like an exposed .env or debug console?
    Flags endpoints that commonly leak secrets, configuration, or internal system details.

  • Do we publish a clear security contact (security.txt / disclosure policy)?
    Checks for security contact files under standard .well-known locations.

  • What should be prioritized in hardening or monitoring?
    Use the categorized output + findings as a shortlist for remediation work and alerting.


Usage

For request format, parameters, and examples, see the Endpoint page in this module.

  • Input: domain / origin (e.g. indonesia.go.id)
  • Method: HTTP GET
  • Output: JSON containing:
    • analysis.checks[] – per-path details (path, url, category, present, status_code, status, notes)
    • analysis.overall_risk – aggregated qualitative risk (e.g. HIGH)
    • analysis.findings[] – human-readable summary lines.
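The following is an added example, not the module's own code: an offline model of the probe-classify-aggregate flow described above, producing the analysis.checks[] / analysis.overall_risk / analysis.findings[] shape listed under Output. The curated path list, the rule that only a 2xx response counts as present, the per-category status flags and the mapping from worst flag to overall_risk are assumptions made for the example, as are the constructed sample responses for the fictitious host https://example.test.

```python
"""Offline model of an exposure-surface check (example code, not the module)."""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from dataclasses import asdict, dataclass
from typing import Callable, Optional

# Assumed curated path list, modelled on the examples in the module description.
PATHS: dict[str, str] = {
    "/.well-known/security.txt": "security_contact",
    "/swagger": "api_docs",
    "/openapi.json": "api_docs",
    "/graphql": "api_docs",
    "/healthz": "diagnostics",
    "/metrics": "diagnostics",
    "/actuator": "diagnostics",
    "/phpinfo.php": "debug",
    "/.env": "debug",
    "/admin": "debug",
}
# Assumed flag when a path of that category answers 2xx. security_contact is the
# inverse case: being reachable is the desired state.
REACHABLE_FLAG = {"security_contact": "OK", "api_docs": "WARN",
                  "diagnostics": "WARN", "debug": "FAIL"}
RANK = {"OK": 0, "INFO": 1, "WARN": 2, "FAIL": 3}
RISK_BY_WORST = {"OK": "LOW", "INFO": "LOW", "WARN": "MEDIUM", "FAIL": "HIGH"}

Fetcher = Callable[[str], Optional[int]]  # url -> HTTP status, None if no answer


@dataclass
class Check:
    path: str
    url: str
    category: str
    present: bool
    status_code: Optional[int]
    status: str
    notes: str


def evaluate(path: str, category: str, code: Optional[int]) -> tuple[bool, str, str]:
    """Derive (present, status flag, notes) from one path's HTTP status code."""
    present = code is not None and 200 <= code < 300
    if category == "security_contact":
        if present:
            return True, "OK", "security contact file published"
        return False, "WARN", "no security.txt under .well-known"
    if present:
        return True, REACHABLE_FLAG[category], f"{category} endpoint reachable"
    if code in (401, 403):
        # Not counted as present, but the path almost certainly exists.
        return False, "INFO", f"responds {code}; exists but access restricted"
    if code is not None and 300 <= code < 400:
        return False, "INFO", f"redirects ({code}); check where it lands"
    if code is None:
        return False, "INFO", "no response (connection error or timeout)"
    return False, "INFO", f"non-2xx response ({code})"


def analyze(origin: str, fetch: Fetcher) -> dict:
    """Probe every curated path on origin and build the analysis object."""
    checks = []
    for path, category in PATHS.items():
        url = origin.rstrip("/") + path
        code = fetch(url)
        present, status, notes = evaluate(path, category, code)
        checks.append(Check(path, url, category, present, code, status, notes))
    worst = max((c.status for c in checks), key=RANK.__getitem__)
    findings = []
    for c in checks:
        if c.status not in ("WARN", "FAIL"):
            continue
        if c.present:
            findings.append(f"{c.category} endpoint {c.path} is exposed "
                            f"with status {c.status_code} ({c.status}).")
        else:
            findings.append(f"{c.category} file {c.path} is missing ({c.status}).")
    return {"analysis": {"checks": [asdict(c) for c in checks],
                         "overall_risk": RISK_BY_WORST[worst],
                         "findings": findings}}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx codes instead of silently following them to a login page."""
    def redirect_request(self, *args, **kwargs):
        return None


def http_fetch(url: str, timeout: float = 5.0) -> Optional[int]:
    """Live fetcher: GET the URL and return its status, None if nothing answered."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-surface-example"})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 3xx/4xx/5xx still describe how the path behaves
    except (urllib.error.URLError, OSError, ValueError):
        return None


# Constructed responses standing in for a target host; everything else is 404.
SAMPLE_RESPONSES = {"/.env": 200, "/healthz": 200, "/admin": 403, "/swagger": 302}
SAMPLE_ORIGIN = "https://example.test"


def sample_fetch(url: str) -> Optional[int]:
    return SAMPLE_RESPONSES.get(url[len(SAMPLE_ORIGIN):], 404)


def run_sample() -> dict:
    return analyze(SAMPLE_ORIGIN, sample_fetch)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))  # swap sample_fetch for http_fetch to go live
```

Two design points worth keeping when reading real output: a 401/403 or a redirect is not counted as present here but still tells you the path exists behind access control, so those INFO rows deserve a manual look; and the fetcher deliberately does not follow redirects, because a default client would report the login page's 200 as if the protected endpoint itself were exposed.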

Notes

  • The wordlist focuses on high-value & common patterns rather than blind brute force.
  • A 404 on most debug/diagnostics paths is expected and reported as INFO.
    True issues usually appear as WARN / FAIL with present=true.
  • Treat the output as a starting point for manual verification, not a replacement for a full web app assessment.