Ghost APIs: Finding Leaked Swagger, GraphQL & Debug Endpoints
Ghost APIs: The Hidden Threat of Exposed Documentation
Ghost APIs are forgotten, misconfigured, or accidentally exposed API endpoints that leak sensitive information about your application. These "ghosts" haunt production servers, giving attackers a complete roadmap to your backend.
What Are Ghost APIs?
Ghost APIs include:
- Swagger/OpenAPI Documentation - Full API schema with all endpoints
- GraphQL Introspection - Complete type system and query structure
- Debug Endpoints - Stack traces, config dumps, profiling data
- Environment Files - `.env`, `.env.local`, `config.json`
- Backup Files - `.bak`, `.old`, `.backup` versions of source and config files
- Admin Panels - Forgotten `/admin`, `/debug`, `/internal` routes
Common Exposed Endpoints
Attackers routinely probe for these paths:
API Documentation
```
/swagger
/swagger-ui
/swagger.json
/swagger.yaml
/api-docs
/openapi.json
/redoc
```
GraphQL
```
/graphql
/graphiql
/altair
/playground
/api/graphql
```
Configuration and Debug
```
/.env
/.env.local
/.env.production
/config.json
/settings.json
/debug
/trace
/actuator
/actuator/env
/actuator/health
```
Admin and Diagnostics
```
/admin
/internal
/debug
/phpinfo.php
/server-status
/elmah.axd
/_profiler
```
Why Ghost APIs Are Dangerous
1. Complete API Blueprint
Swagger documentation reveals every endpoint, parameter, and response format. Attackers don't need to guess - they have the full specification, including the routes nobody linked from the UI.
2. GraphQL Introspection
A single introspection query exposes your entire schema, mutations included:
```graphql
{
  __schema {
    types {
      name
      fields { name }
    }
  }
}
```
3. Environment Files
`.env` files often contain:
- Database connection strings
- API keys for third-party services
- JWT secrets
- Admin passwords
4. Debug Endpoints
Debug endpoints reveal:
- Server software versions
- Framework configurations
- Internal IP addresses
- Database schemas
Real Attack Scenarios
Swagger → Full Database Dump
An exposed `/swagger.json` documents an `/api/users/export` endpoint. The attacker does not have to discover it or guess its parameters; the spec spells them out, and one request later they have the export.
GraphQL → Privilege Escalation
Introspection lists a `makeAdmin(userId: ID!)` mutation. Whether that mutation checks the caller's role is now a single request away from being tested.
Spring Boot → Credential Leak
`/actuator/env` returns the environment the application was started with, which is exactly where the database strings, API keys and JWT secrets listed above usually live.
How to Audit for Ghost APIs
Manual Testing
Try common endpoints against your own domain:
- `yourdomain.com/swagger`
- `yourdomain.com/.env`
- `yourdomain.com/graphql`
Before trusting a 200, request a path that cannot exist. A server that answers 200 with the same page for everything (typical of single-page apps) makes status codes meaningless, so judge each hit by its body, not its status.
Ghost API Hunter is disabled until domain ownership verification and paid access are available. It does not run today.
For now, use the manual checks above and your internal tooling to validate your own systems.
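The manual checks above, the introspection query from the GraphQL section, and the catch-all caveat put together as one small scanner. This is an added example written for this article; it is not DomainOptic's Ghost API Hunter or any code from the page. It assumes a host you are authorised to test (the `example.test` host and its responses below are constructed), and it reports a hit only when the response body carries a fingerprint of the real artefact, so a server that returns 200 for every path does not flood the report.

```python
"""Ghost endpoint scanner: probe the wordlist above and classify what each hit leaks.

Added example for this article, not DomainOptic's tool. ``fetch`` is injectable so the
logic runs here against constructed responses; ``http_fetch`` does real requests
when pointed at a host you own.
"""
import json
import re
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

GHOST_PATHS = [  # the paths listed earlier in the article
    "/swagger", "/swagger-ui", "/swagger.json", "/swagger.yaml", "/api-docs",
    "/openapi.json", "/redoc", "/graphql", "/graphiql", "/altair", "/playground",
    "/api/graphql", "/.env", "/.env.local", "/.env.production", "/config.json",
    "/settings.json", "/debug", "/trace", "/actuator", "/actuator/env",
    "/actuator/health", "/admin", "/internal", "/phpinfo.php", "/server-status",
    "/elmah.axd", "/_profiler",
]
GRAPHQL_ENDPOINTS = {"/graphql", "/api/graphql"}  # POST targets; everything else is GET
# Narrower than the article's introspection query: just enough to list mutations.
INTROSPECTION = "{ __schema { mutationType { fields { name } } } }"

# Body fingerprints. A 200 proves nothing on a server that serves its SPA for every
# path, so a hit is reported only when the body looks like the real artefact.
SIGNATURES = {
    "openapi-spec":  re.compile(r'"(swagger|openapi)"\s*:'),
    "swagger-ui":    re.compile(r"swagger-ui", re.I),
    "graphql-ide":   re.compile(r"graphiql|altair|graphql playground", re.I),
    "dotenv":        re.compile(r"^[A-Z][A-Z0-9_]*=\S", re.M),
    "actuator":      re.compile(r'"_links"|"propertySources"|"activeProfiles"'),
    "phpinfo":       re.compile(r"PHP Version", re.I),
    "apache-status": re.compile(r"Apache Server Status", re.I),
}


@dataclass
class Response:
    status: int
    body: str


def http_fetch(url: str, post_json: Optional[str] = None, timeout: float = 5.0) -> Response:
    """Real transport via urllib. Failures become status 0 so the scan keeps going."""
    data = post_json.encode() if post_json is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET",
                                 headers={"Content-Type": "application/json"} if data else {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, r.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read(65536).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return Response(0, "")


def classify(resp: Response) -> Optional[str]:
    """Label a GET response by body fingerprint; None means no recognisable leak."""
    if resp.status != 200:
        return None
    return next((label for label, rx in SIGNATURES.items() if rx.search(resp.body)), None)


def graphql_mutations(resp: Response) -> Optional[list]:
    """Mutation names from an introspection reply; None if introspection is disabled."""
    if resp.status != 200:
        return None
    try:
        schema = json.loads(resp.body)["data"]["__schema"]
    except (ValueError, KeyError, TypeError):
        return None
    fields = (schema.get("mutationType") or {}).get("fields") or []
    return sorted(f["name"] for f in fields)


def scan(base_url: str, fetch: Callable = http_fetch, paths=GHOST_PATHS) -> dict:
    """Return {"catch_all": bool, "findings": {path: label}} for one host."""
    base = base_url.rstrip("/")
    # Canary: a path that cannot exist. A 200 here means status codes are meaningless.
    catch_all = fetch(f"{base}/ghost-canary-{secrets.token_hex(8)}", None).status == 200
    findings = {}
    for path in paths:
        if path in GRAPHQL_ENDPOINTS:
            muts = graphql_mutations(fetch(base + path, json.dumps({"query": INTROSPECTION})))
            if muts is not None:
                findings[path] = "graphql-introspection mutations=" + ",".join(muts)
        elif (label := classify(fetch(base + path, None))):
            findings[path] = label
    return {"catch_all": catch_all, "findings": findings}


# Constructed stand-in for a real host: an SPA that answers 200 to everything,
# with three genuine ghosts hiding among the catch-all pages.
SAMPLE_HOST = {
    "/swagger.json": Response(200, '{"openapi":"3.0.0","paths":{"/api/users/export":{}}}'),
    "/.env": Response(200, "DB_URL=postgres://app:s3cret@db/prod\nJWT_SECRET=changeme\n"),
    "/graphql": Response(200, json.dumps({"data": {"__schema": {"mutationType": {
        "fields": [{"name": "makeAdmin"}, {"name": "login"}]}}}})),
}


def sample_fetch(url: str, post_json: Optional[str] = None) -> Response:
    path = url[url.index("/", len("https://")):]
    return SAMPLE_HOST.get(path, Response(200, "<!doctype html><div id=app></div>"))


if __name__ == "__main__":
    print(scan("https://example.test", sample_fetch))  # swap in http_fetch for a real host
```

Against the constructed host every path answers 200, yet only `/swagger.json`, `/.env` and `/graphql` are reported, the last with its mutation list (`login,makeAdmin`) pulled from the introspection reply. To point it at your own domain, call `scan("https://yourdomain.com")` and let the default `http_fetch` do the requests; `catch_all` in the result tells you whether the status codes on that host can be trusted at all.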
Securing Your APIs
1. Remove Documentation in Production
For Express/Swagger, mount the UI only outside production so the route does not exist at all in production builds:
```javascript
// Swagger UI is registered only when NODE_ENV is not 'production'
if (process.env.NODE_ENV !== 'production') {
  app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(specs));
}
```
For Apollo Server (these are Apollo Server 2 options; in Apollo Server 3 and later the `playground` option is gone, the landing page is controlled with the `ApolloServerPluginLandingPageDisabled` plugin, and `introspection` already defaults to off when `NODE_ENV` is `production`):
```javascript
const server = new ApolloServer({
  typeDefs,
  resolvers,
  // introspection and the in-browser IDE only outside production
  introspection: process.env.NODE_ENV !== 'production',
  playground: process.env.NODE_ENV !== 'production'
});
```
In nginx, block dotfiles and the documentation paths at the edge as a second layer, in case a deployment ships with the application-level guard missing:
```nginx
# Dotfiles (.env, .git, .htpasswd, ...) must never be served
location ~ /\. {
    deny all;
}
# Regex locations are tried in order and the first match wins, so keep these
# above any other regex locations (static-file handlers, for example).
# deny all answers 403, which still confirms the path exists; use return 404
# instead if you want blocked paths to look like missing ones.
location ~* /(swagger|api-docs|graphiql|actuator) {
    deny all;
}
```
If you must expose API docs, require authentication. The middleware has to run before both handlers, and `swaggerUi.serve` on its own does not render anything, so `setup(specs)` is still needed:
```javascript
// authMiddleware must end the request (401/403) for unauthenticated callers
app.use('/swagger', authMiddleware, swaggerUi.serve, swaggerUi.setup(specs));
```
Never commit `.env` files. Use:
- `.gitignore` for all env files
- Secret managers (AWS Secrets Manager, HashiCorp Vault)
- CI/CD environment variables
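`.gitignore` stops the obvious case but not `git add -f`, a renamed copy, or a secret pasted straight into a source file. A pre-commit hook that inspects the staging area closes those gaps. The following is an added example written for this article, not DomainOptic's or any project's code; it assumes a git checkout with Python 3 on the `PATH` and is invoked as `python3 envguard.py --git` from `.git/hooks/pre-commit` (the script name and the `--git` flag are this example's own choices). The `check_files` function is pure, so it is exercised below against a constructed staging area rather than a real repository.

```python
"""Pre-commit guard: refuse .env files and hard-coded secrets before they reach git.

Added example, not from the article or DomainOptic. Run as ``python3 envguard.py --git``
from .git/hooks/pre-commit (assumed name). ``check_files`` is a pure function over
{path: content}, so it is exercised here against constructed input.
"""
import re
import subprocess
import sys

ENV_FILE = re.compile(r"(^|/)\.env(\.[A-Za-z0-9_-]+)?$")             # .env, .env.local, ...
ALLOWED_ENV = re.compile(r"(^|/)\.env\.(example|sample|template)$")  # placeholders only
# A secret-looking key assigned a quoted literal. Values read from the environment
# (os.environ[...], process.env.X) are not quoted literals and pass through.
SECRET_LITERAL = re.compile(
    r"""^\s*(?:export\s+)?["']?([A-Z0-9_]*(?:SECRET|PASSWORD|PASSWD|TOKEN|API_KEY)[A-Z0-9_]*)"""
    r"""["']?\s*[=:]\s*["']([^"'\s]{8,})["']""", re.I | re.M)
PLACEHOLDER = re.compile(r"^(\$\{?[A-Z_]+\}?|x+|\*+|change[-_]?me|your[-_a-z]+|replace[-_a-z]*)$", re.I)
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")


def check_files(staged: dict) -> list:
    """One message per problem; an empty list means the commit may proceed."""
    problems = []
    for path, content in staged.items():
        if ENV_FILE.search(path) and not ALLOWED_ENV.search(path):
            problems.append(f"{path}: environment file must not be committed (add it to .gitignore)")
            continue  # its contents are secrets by definition; no need to itemise them
        for m in SECRET_LITERAL.finditer(content):
            key, value = m.group(1), m.group(2)
            if not PLACEHOLDER.match(value):
                line = content.count("\n", 0, m.start()) + 1
                problems.append(f"{path}:{line}: {key} is assigned a literal value")
        if AWS_ACCESS_KEY.search(content):
            problems.append(f"{path}: AWS access key ID present")
        if PRIVATE_KEY.search(content):
            problems.append(f"{path}: private key material present")
    return problems


def staged_files() -> dict:
    """{path: staged content} read from the git index (the real hook mode)."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.split()
    return {n: subprocess.run(["git", "show", f":{n}"], capture_output=True, check=True)
                   .stdout.decode("utf-8", "replace") for n in names}


# Constructed staging area for a dry run; not real repository contents.
SAMPLE_STAGED = {
    ".env.production": "DB_PASSWORD=hunter2\n",
    ".env.example": "DB_PASSWORD=<set in CI>\n",
    "config/settings.py": "JWT_SECRET = os.environ['JWT_SECRET']\n"
                          "STRIPE_API_KEY = 'sk_live_abcdefghijklmnop'\n",
    "README.md": "Set AWS_SECRET_ACCESS_KEY in your CI secrets.\n",
}

if __name__ == "__main__":
    problems = check_files(staged_files() if "--git" in sys.argv else SAMPLE_STAGED)
    for p in problems:
        print("blocked:", p)
    sys.exit(1 if problems else 0)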
Spring Boot Actuator Warning
Spring Boot 1.x served most actuator endpoints without authentication unless Spring Security was on the classpath, and Spring Boot 2+ deployments frequently copy in `management.endpoints.web.exposure.include: "*"`, which reopens everything. The dangerous ones:
```
/actuator/env       # All environment variables
/actuator/heapdump  # Memory dump with secrets
/actuator/mappings  # All URL mappings
```
Restrict exposure in `application.yml` to the endpoints you actually monitor, and disable `env` outright:
```yaml
management:
  endpoints:
    web:
      exposure:
        include: health,info
  endpoint:
    env:
      enabled: false
```
Newer releases mask values for keys whose names look like secrets, and Spring Boot 3 hides all `/actuator/env` values unless `show-values` is set, but the property names, internal hostnames and file paths still hand an attacker a map of the deployment.
Prevention Checklist
- [ ] Remove/disable Swagger UI in production
- [ ] Disable GraphQL introspection
- [ ] Block `/.*` paths in web server config
- [ ] Audit all routes before deployment
- [ ] Use environment variables, not config files
- [ ] Enable authentication on debug endpoints
- [ ] Regular security audits with DomainOptic
Reduce Ghost API Risk
Don't let forgotten endpoints haunt your production environment. Use the checklist above, and run a DomainOptic security audit for SSL, DNS, and headers while you lock down API docs and debug routes.