
Dead Code

Functions never called, conditions never met — but the server endpoints are live. These patterns test whether the analyzer reads code that will never execute at runtime.

01

Never-called function with prompt gate

Two functions are defined but never invoked from anywhere on the page. Even if a dynamic crawler found and called them, the prompt() dialog gates the request: $.post only fires if the user types "yes". A static analyzer ignores runtime guards and reads the endpoint directly.

Client-side JavaScript moderation.js
var api = "/api/moderation/";

function remove(params) {
  if (prompt("Enter 'yes' to remove") !== "yes")
    return;
  $.post(api + "remove", params);
}

function removeByID(id) {
  remove({ ident: id });
}

SolidPoint discovered: POST /api/moderation/remove

02

Conditional on undefined global variable

Cache purge code is wrapped inside if (window.ADMIN_MODE). The variable ADMIN_MODE is never defined anywhere in the application — the block never executes.

Client-side JavaScript cacheManager.js
if (window.ADMIN_MODE) {
  var cacheApi = '/api/cache/';

  function purgeCache(key) {
    var url = cacheApi + 'purge';
    if (key) {
      url += '?key=' + encodeURIComponent(key);
    }
    fetch(url, { method: 'DELETE' });
  }
}

SolidPoint discovered: DELETE /api/cache/purge

03

Inside if (false) block

Debug panel code is wrapped in a condition that is always false: DEBUG_ENABLED is a constant set to false, so if (DEBUG_ENABLED) is equivalent to if (false) and the code never runs. The analyzer ignores the statically false condition and extracts the endpoint regardless.

Client-side JavaScript debugPanel.js
const DEBUG_ENABLED = false;

if (DEBUG_ENABLED) {
  const debugForm = document.getElementById('debug-form');

  if (debugForm) {
    debugForm.addEventListener('submit', (e) => {
      e.preventDefault();
      const input = document.getElementById('debug-input');

      fetch('/api/debug/execute', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ command: input.value })
      });
    });
  }
}

SolidPoint discovered: POST /api/debug/execute

04

URL assembled across multiple never-called functions

The endpoint URL never appears as a single string literal. It is reconstructed from a global variable and two function return values via string concatenation. None of the functions are ever called.

Client-side JavaScript reportExporter.js
const reportBase = '/api/';
const getReportModule = () => 'internal';
const getReportAction = () => 'export';

const buildReportURL = () =>
  reportBase + getReportModule() + '/' + getReportAction();

const generateReport = async (format) => {
  const url = buildReportURL();
  await fetch(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ format })
  });
};

SolidPoint discovered: POST /api/internal/export

05

Two endpoints from conditional branching

One fetch() call, one if/else branch, two different URLs. The analyzer models both branches of the conditional and produces two separate endpoint discoveries.

Client-side JavaScript reportScheduler.js
const reportsBase = '/api/reports';

const fetchReport = (period) => {
  let url;
  if (period === 'daily') {
    url = reportsBase + '/daily';
  } else {
    url = reportsBase + '/weekly';
  }

  fetch(url, {
    method: 'GET',
    headers: { 'Accept': 'application/json' }
  });
};

SolidPoint discovered: GET /api/reports/daily and GET /api/reports/weekly
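
An added example, not SolidPoint's analyzer and not code from this page: a minimal static resolver showing why the URLs in patterns 04 and 05 are recoverable from source text alone, which is useful for auditing the endpoints your own shipped bundles disclose. The condensed sample strings, the two regexes and the function names fold and findEndpoints are assumptions made for illustration.

```javascript
// Constructed inputs: sections 04 and 05, condensed. They are read as text, never executed.
const EXPORTER = `
const reportBase = '/api/';
const getReportModule = () => 'internal';
const getReportAction = () => 'export';
const buildReportURL = () => reportBase + getReportModule() + '/' + getReportAction();
const generateReport = async (format) => {
  const url = buildReportURL();
  await fetch(url, { method: 'POST', body: JSON.stringify({ format }) });
};`;
const SCHEDULER = `
const reportsBase = '/api/reports';
const fetchReport = (period) => {
  let url;
  if (period === 'daily') { url = reportsBase + '/daily'; } else { url = reportsBase + '/weekly'; }
  fetch(url, { method: 'GET' });
};`;
// Matches "name = expr;" and "name = () => expr;" (assumption: one-statement definitions).
const ASSIGN = /([A-Za-z_$][\w$]*)\s*=\s*(?:\(\)\s*=>\s*)?([^;{=]+);/g;
// Matches fetch(arg) and fetch(arg, { method: '...' }); method is read only as the first option.
const CALL = /fetch\(\s*([^,)]+)(?:,\s*\{\s*method:\s*['"](\w+)['"])?/g;

// Fold "a + f() + '/x'" into every string it may produce; null if a term is unresolved.
// Simplification: splits on '+', so a literal containing '+' is not handled.
function fold(expr, symbols) {
  let outs = [''];
  for (const term of expr.split('+').map((t) => t.trim())) {
    const lit = term.match(/^(['"])(.*)\1$/);
    const ref = term.match(/^([A-Za-z_$][\w$]*)(?:\(\))?$/);
    const vals = lit ? [lit[2]] : ref && symbols.get(ref[1]);
    if (!vals) return null;
    outs = outs.flatMap((o) => [...vals].map((v) => o + v));
  }
  return outs;
}

// Collect every value each name can hold (all branches), then resolve fetch() targets.
function findEndpoints(source) {
  const symbols = new Map();
  for (let pass = 0, grew = true; grew && pass < 10; pass++) { // bounded fixed point
    grew = false;
    for (const [, name, expr] of source.matchAll(ASSIGN)) {
      const known = symbols.get(name) || new Set();
      const fresh = (fold(expr, symbols) || []).filter((v) => !known.has(v));
      if (fresh.length) { symbols.set(name, new Set([...known, ...fresh])); grew = true; }
    }
  }
  return [...new Set([...source.matchAll(CALL)].flatMap(([, arg, method]) =>
    (fold(arg, symbols) || []).map((u) => `${method || 'GET'} ${u}`)))].sort();
}
console.log(findEndpoints(EXPORTER), findEndpoints(SCHEDULER));
```

Because the resolver never evaluates conditions or call sites, wrapping either sample in if (false) or leaving every function uncalled does not change its output.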
