Based on ESORICS 2023 & JISA 2024 Research

Attack Surface Lab

Your JavaScript bundles contain server endpoints no crawler will ever find. We built test applications to prove it.

SolidPoint uses static analysis of client-side JavaScript to discover server-side endpoints — no UI interaction, no dynamic crawling. This approach is based on research by the SolidPoint team, peer-reviewed and published at ESORICS 2023 Workshops. Below are four discoveries from purpose-built test applications. Each shows the client-side code pattern and what SolidPoint found from it.

01

Dead code

Neither function is ever called from the UI, but the server endpoint behind them is live. A dynamic crawler has no UI path that triggers this code; a static analyzer reads it anyway. Dead client code is also an audit signal in its own right: an endpoint that no remaining UI path uses is a candidate for retirement on the server, or at least for a check that it still enforces authentication and authorization.

Client-side JavaScript: moderation.js
var api = "/api/moderation/";

function remove(params) {
  if (prompt("Enter 'yes' to remove") !== "yes")
    return;
  $.post(api + "remove", params);
}

function removeByID(id) {
  remove({ ident: id });
}

// Neither function is ever called — dead code.
SolidPoint discovered: POST /api/moderation/remove with parameter ident
02

Admin endpoint in every user's browser

A role check on window.currentUser hides the admin UI, but the code ships to every user, so the endpoint is one $.post() away for anyone who reads the bundle. The check is a UI convenience, not authorization: the server must verify the caller's role on every request under /api/admin/users/. If a static analyzer finds the endpoint from the public bundle, an attacker can too.

Client-side JavaScript: adminTools.js
const adminApiBase = '/api/admin/users/';

const suspendUser = (userId, reason) => {
  const user = window.currentUser;
  if (!user || user.role !== 'admin') return;

  $.post(adminApiBase + 'suspend', {
    userId: userId,
    reason: reason
  });
};

const resetUserPassword = (userId) => {
  const user = window.currentUser;
  if (!user || user.role !== 'admin') return;

  $.post(adminApiBase + 'reset-password', {
    userId: userId
  });
};
SolidPoint discovered: POST /api/admin/users/suspend with parameters userId and reason; POST /api/admin/users/reset-password with parameter userId
03

Class defined, never constructed

A prototype-based API client class is defined but never instantiated with new, so at runtime none of its methods execute and no request is ever sent. A static analyzer must carry this.baseURL from init() into track() across prototype methods without running the code.

Client-side JavaScript: analyticsClient.js
function AnalyticsClient() {}

AnalyticsClient.prototype.init = function () {
  this.baseURL = '/api/analytics/';
};

AnalyticsClient.prototype.track = function (event, data) {
  fetch(this.baseURL + 'track', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ event: event, data: data })
  });
};

// Class defined but NEVER instantiated.
// No `new AnalyticsClient()` anywhere on the page.
SolidPoint discovered: POST /api/analytics/track with parameters event and data
04

URL assembled across 5 functions, never written as a literal

Five functions use a callback, a global variable write, and string concatenation to build a URL. The complete path /api/storage/buckets/archive/purge never appears as a literal anywhere in the code, so grepping the bundle for route-like strings finds nothing. The analyzer has to follow the value from getStorageRoot() through the callback in buildBucketPath() into the global archivePath, and back out of getPurgeUrl() into the DELETE request.

Client-side JavaScript: storagePurgeComplex.js
var archivePath = '';

function getStorageRoot() {
  return '/api/storage';
}

function buildBucketPath(callback) {
  var bucketPath = getStorageRoot() + '/buckets';
  callback(bucketPath);
}

function setArchivePath(base) {
  archivePath = base + '/archive';
}

function getPurgeUrl() {
  buildBucketPath(function(bp) {
    setArchivePath(bp);
  });
  return archivePath + '/purge';
}

function purgeArchive(bucketId) {
  fetch(getPurgeUrl(), {
    method: 'DELETE',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ bucketId })
  });
}
SolidPoint discovered: DELETE /api/storage/buckets/archive/purge with parameter bucketId, reconstructed from a 5-level mixed call chain
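To make the idea behind the four discoveries above concrete, here is a small, added example that is not part of the original page and is not SolidPoint's code: a toy, regex-based endpoint extractor in JavaScript. It applies the same two ingredients, request-sink detection ($.post and fetch) plus constant folding of the URL argument, and reads parameter names from object literals, following a bare identifier payload back to the enclosing function's callers. It resolves patterns 01 to 03 and deliberately reports the pattern 04 URL as unresolved, since following a value through a callback into a global and back out of getPurgeUrl() needs interprocedural dataflow over a real AST, which this toy does not have. The sample inputs are the page's own snippets, trimmed, plus the pattern 04 sink on its own; helper names such as extractEndpoints and keysFromCallers are this example's, not the product's.

```javascript
// Added example (not SolidPoint's code): toy static endpoint extractor. Regex-based on
// purpose; a production analyzer parses to an AST and tracks values across functions.
// Collect `var|let|const name = '...'` and `this.name = '...'` string bindings.
function collectConstants(src) {
  const consts = {};
  const re = /(?:\b(?:var|let|const)\s+|\bthis\.)(\w+)\s*=\s*(['"`])([^'"`]*)\2/g;
  for (const m of src.matchAll(re)) consts[m[1]] = m[3];
  return consts;
}
// Text inside the bracket pair opening at src[open]; string literals are skipped.
function balanced(src, open) {
  let depth = 0, quote = null;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === '\\') i++; else if (c === quote) quote = null; continue; }
    if (c === '"' || c === "'" || c === '`') quote = c;
    else if ('({['.includes(c)) depth++;
    else if (')}]'.includes(c) && --depth === 0) return src.slice(open + 1, i);
  }
  return null; // unbalanced input
}
// Split an argument list or object body on top-level commas.
function splitArgs(list) {
  const out = []; let depth = 0, quote = null, cur = '';
  for (const c of list) {
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'" || c === '`') quote = c;
    else if ('({['.includes(c)) depth++;
    else if (')}]'.includes(c)) depth--;
    else if (c === ',' && depth === 0) { out.push(cur.trim()); cur = ''; continue; }
    cur += c;
  }
  if (cur.trim()) out.push(cur.trim());
  return out;
}
// Keys of an object literal: `{ a: x, b }` -> ['a', 'b'].
function objectKeys(literal) {
  const body = balanced(literal, literal.indexOf('{')) || '';
  return splitArgs(body).map(e => e.match(/^['"]?([\w-]+)['"]?\s*(?::|$)/))
    .filter(Boolean).map(m => m[1]);
}
// Fold `a + 'b' + this.c` through the constant table; unresolved parts stay as <expr>.
function resolveUrl(expr, consts) {
  return expr.split('+').map(p => p.trim()).map(part => {
    const s = part.match(/^(['"`])([\s\S]*)\1$/);
    if (s) return s[2];
    const name = part.replace(/^this\./, '');
    return name in consts ? consts[name] : `<${part}>`;
  }).join('');
}
// Payload is a bare parameter of the enclosing `function name(...)`: read the object-literal
// keys each caller passes at that argument position (pattern 01's remove({ ident: id })).
function keysFromCallers(src, sinkPos, paramName) {
  const defs = [...src.slice(0, sinkPos).matchAll(/function\s+(\w+)\s*\(([^)]*)\)/g)];
  if (!defs.length) return null;
  const [, fname, plist] = defs[defs.length - 1];
  const idx = plist.split(',').map(s => s.trim()).indexOf(paramName);
  if (idx < 0) return null;
  const keys = new Set();
  for (const m of src.matchAll(new RegExp(`\\b${fname}\\s*\\(`, 'g'))) {
    if (src.slice(0, m.index).trimEnd().endsWith('function')) continue; // the definition
    const arg = splitArgs(balanced(src, m.index + m[0].length - 1) || '')[idx];
    if (arg && arg.startsWith('{')) objectKeys(arg).forEach(k => keys.add(k));
  }
  return keys.size ? [...keys] : null;
}
// Returns [{ method, path, params }] for every $.post / fetch sink in src.
function extractEndpoints(src) {
  const consts = collectConstants(src), found = [];
  for (const m of src.matchAll(/(\$\.post|\bfetch)\s*\(/g)) {
    const inner = balanced(src, m.index + m[0].length - 1);
    if (inner === null) continue;
    const args = splitArgs(inner), isJq = m[1] === '$.post';
    const opt = isJq ? '' : (args[1] || ''); // fetch options object
    const mm = opt.match(/method\s*:\s*['"](\w+)['"]/);
    const method = isJq ? 'POST' : mm ? mm[1].toUpperCase() : 'GET';
    let payload = isJq ? (args[1] || '') : '';
    const b = opt.match(/body\s*:\s*JSON\.stringify\s*\(/);
    if (b) payload = balanced(opt, b.index + b[0].length - 1) || '';
    let params = [];
    if (payload.startsWith('{')) params = objectKeys(payload);
    else if (/^\w+$/.test(payload)) params = keysFromCallers(src, m.index, payload) || [`<${payload}>`];
    found.push({ method, path: resolveUrl(args[0] || '', consts), params });
  }
  return found;
}
// Constructed sample input: the page's pattern 01 and 03 snippets (trimmed) and the pattern 04
// sink on its own; its URL-building helpers are left out, so that path must stay unresolved.
const SAMPLES = {
  'moderation.js': `var api = "/api/moderation/";
function remove(params) { if (prompt("Enter 'yes' to remove") !== "yes") return; $.post(api + "remove", params); }
function removeByID(id) { remove({ ident: id }); }`,
  'analyticsClient.js': `AnalyticsClient.prototype.init = function () { this.baseURL = '/api/analytics/'; };
AnalyticsClient.prototype.track = function (event, data) {
  fetch(this.baseURL + 'track', { method: 'POST', body: JSON.stringify({ event: event, data: data }) });
};`,
  'storagePurgeComplex.js': `function purgeArchive(bucketId) { fetch(getPurgeUrl(), { method: 'DELETE', body: JSON.stringify({ bucketId }) }); }`,
};

for (const [file, src] of Object.entries(SAMPLES))
  for (const e of extractEndpoints(src)) console.log(file, e.method, e.path, e.params.join(','));
```

Run with node: moderation.js yields POST /api/moderation/remove with ident, analyticsClient.js yields POST /api/analytics/track with event and data, and storagePurgeComplex.js yields DELETE <getPurgeUrl()> with bucketId. That last line is the point of the exercise: a sink-plus-literal approach knows a DELETE with a bucketId body exists but cannot name the route, so anything that stops at string matching under-reports exactly the endpoints pattern 04 was built to hide.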

All test applications are purpose-built with functional server endpoints, tied to research published by the SolidPoint team at ESORICS 2023 Workshops (Springer LNCS, vol. 14399) and in the Journal of Information Security and Applications (Elsevier, vol. 82, 2024).

Start boosting your application security testing with us today.
