
Auth-Gated Endpoints

Code loaded for all users but guarded by role checks and token validation. The endpoints execute only for authenticated or privileged users, but the JavaScript ships to everyone, so anyone who loads the page can read the endpoint URLs, HTTP methods, parameter names and header formats. A client-side guard decides only whether the UI makes the call; it is not access control, and the server has to enforce authorization on its own.

01

Admin role check hides UI functions

Two admin functions guarded by a check on window.currentUser (!user || user.role !== 'admin'). The check stops the functions from running for non-admin users, but the code, including the endpoint URLs and the userId and reason parameter names, is delivered to every user's browser, where it can be read in the developer tools or called directly without the guard.

Client-side JavaScript adminTools.js
// Admin endpoint prefix: a plain string constant, visible to every user who loads the file.
const adminApiBase = '/api/admin/users/';

const suspendUser = (userId, reason) => {
  // Client-side gate only: this stops the UI from calling the endpoint,
  // it does not stop anyone from reading the URL below or calling it directly.
  const user = window.currentUser;
  if (!user || user.role !== 'admin') return;

  // POST /api/admin/users/suspend with userId and reason
  $.post(adminApiBase + 'suspend', {
    userId: userId,
    reason: reason
  });
};

const resetUserPassword = (userId) => {
  // Same client-side gate as above
  const user = window.currentUser;
  if (!user || user.role !== 'admin') return;

  // POST /api/admin/users/reset-password with userId
  $.post(adminApiBase + 'reset-password', {
    userId: userId
  });
};
SolidPoint discovered: POST /api/admin/users/suspend and POST /api/admin/users/reset-password (screenshots of the SolidPoint UI listing both endpoints).
02

localStorage token gate hides premium feature

Premium analytics are requested only when localStorage.getItem('auth_token') returns a value; if no token is stored, the function returns early. The guard tests only for the presence of a token, not its validity, and in any case it runs in the user's browser. The analyzer reads through the guard and discovers the endpoint, including the Authorization: Bearer header pattern, so it learns both the URL and how the endpoint expects to be authenticated.

Client-side JavaScript premiumFeatures.js
const loadPremiumAnalytics = async () => {
  // Presence check only: any stored value passes, and the check itself ships to everyone.
  const token = localStorage.getItem('auth_token');
  if (!token) return;

  // GET /api/premium/analytics, authenticated with a bearer token
  await fetch('/api/premium/analytics', {
    method: 'GET',
    headers: {
      'Authorization': 'Bearer ' + token,
      'Content-Type': 'application/json'
    }
  });
};

loadPremiumAnalytics();
SolidPoint discovered: GET /api/premium/analytics (screenshot of the SolidPoint UI listing the endpoint).
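Both cases above come down to the same thing: the guard is control flow, and a static analyzer never has to satisfy it to read the strings behind it. The following is an added example, not SolidPoint's code or code from the original page: a small Node.js extractor that pulls method, path and bearer-header usage out of client-side JavaScript by resolving string constants and + concatenation and matching the two call shapes on this page ($.post/$.get and fetch with an options object). The file contents are constructed inline to mirror adminTools.js and premiumFeatures.js, and the function names and regex heuristics are this example's own; a real analyzer would work on an AST rather than regular expressions.

```javascript
'use strict';

// Constructed sample inputs modelled on the two snippets on this page
// (not the real adminTools.js / premiumFeatures.js files).
const SAMPLE_SOURCES = {
  'adminTools.js': `
const adminApiBase = '/api/admin/users/';
const suspendUser = (userId, reason) => {
  const user = window.currentUser;
  if (!user || user.role !== 'admin') return;
  $.post(adminApiBase + 'suspend', { userId: userId, reason: reason });
};
const resetUserPassword = (userId) => {
  const user = window.currentUser;
  if (!user || user.role !== 'admin') return;
  $.post(adminApiBase + 'reset-password', { userId: userId });
};`,
  'premiumFeatures.js': `
const loadPremiumAnalytics = async () => {
  const token = localStorage.getItem('auth_token');
  if (!token) return;
  await fetch('/api/premium/analytics', {
    method: 'GET',
    headers: { 'Authorization': 'Bearer ' + token, 'Content-Type': 'application/json' }
  });
};`,
};

// Collect `const name = 'literal';` declarations. The role and token guards are
// never looked at: we only care about the strings, which are there for everyone.
function collectStringConstants(src) {
  const consts = new Map();
  const re = /\bconst\s+([A-Za-z_$][\w$]*)\s*=\s*(['"])([^'"\n]*)\2\s*;/g;
  let m;
  while ((m = re.exec(src)) !== null) consts.set(m[1], m[3]);
  return consts;
}

// Resolve `base + 'suffix'` into a single path, substituting known constants
// and marking anything still unknown as {name} so the gap is visible.
function resolveUrlExpression(expr, consts) {
  return expr.split('+').map((part) => {
    const p = part.trim();
    const lit = p.match(/^(['"])(.*)\1$/);
    if (lit) return lit[2];
    if (consts.has(p)) return consts.get(p);
    return `{${p}}`;
  }).join('');
}

// Return [{method, path, bearer}] for every jQuery or fetch call in the source.
function extractEndpoints(src) {
  const consts = collectStringConstants(src);
  const found = [];
  let m;

  // jQuery shorthand: $.post(url, data) / $.get(url, data)
  const jq = /\$\.(post|get)\(\s*([^,)]+?)\s*[,)]/g;
  while ((m = jq.exec(src)) !== null) {
    found.push({ method: m[1].toUpperCase(), path: resolveUrlExpression(m[2], consts), bearer: false });
  }

  // fetch(url) or fetch(url, { method: ..., headers: { Authorization: 'Bearer ' + ... } })
  const fe = /\bfetch\(\s*([^,)]+?)\s*(?:\)|,\s*\{([\s\S]*?)\}\s*\))/g;
  while ((m = fe.exec(src)) !== null) {
    const opts = m[2] || '';
    const method = (opts.match(/\bmethod\s*:\s*['"](\w+)['"]/) || [null, 'GET'])[1].toUpperCase();
    const bearer = /['"]?Authorization['"]?\s*:\s*['"]Bearer\s/.test(opts);
    found.push({ method, path: resolveUrlExpression(m[1], consts), bearer });
  }
  return found;
}

// Scan every file and return a per-file report.
function scanAll(sources) {
  const report = {};
  for (const [file, src] of Object.entries(sources)) report[file] = extractEndpoints(src);
  return report;
}

for (const [file, endpoints] of Object.entries(scanAll(SAMPLE_SOURCES))) {
  for (const e of endpoints) {
    console.log(`${file}: ${e.method} ${e.path}${e.bearer ? '  (Authorization: Bearer <token>)' : ''}`);
  }
}
```

Run with `node extract.js`; it lists the three endpoints from the two snippets. Nothing in the extractor touches window.currentUser or localStorage, which is the whole point: the guard decides whether the browser calls the endpoint, not whether the endpoint can be found.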

Start boosting your App Security testing with us today
