WEBVERSE


Medium · Reconnaissance · Pro

Routing Slip

A shipment-tracking SaaS dashboard. The developer portal was wired up early in the project — and never trimmed for production.

The Scenario

Routing Slip aggregates carrier tracking events for e-commerce shops. Merchants paste a tracking number and see the parcel's progress across carriers without having to learn each one's API. The engineering team exposed a developer portal for their own integration partners, and the OpenAPI spec the portal points at is still served on the public origin.

Challenge Intel

Synopsis

A public OpenAPI document lists an internal operations endpoint with an empty security requirement (security: []), and that endpoint returns the flag without authentication.

What It Is

The Express server publishes /api/docs/openapi.json without authentication. The spec includes a path /_ops/echo with security: [] — an explicit opt-out from the spec's global Bearer auth. That path is mounted on the live server and, when hit without any credentials, returns the FLAG environment variable in its response body.
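A defender-side audit that walks an OpenAPI 3 document and lists every operation callable without credentials, whether through an operation-level security: [] override like the one described above, a missing security key, or an empty {} alternative in a requirement list. This is an added example, not the challenge's own code; the spec embedded in it is constructed and stands in for the real /api/docs/openapi.json.

```python
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample spec (not the challenge's real document): global Bearer
# auth, one ordinary merchant endpoint, and an ops endpoint that opts out.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/api/track/{number}": {"get": {"summary": "Tracking events for a parcel"}},
    "/_ops/echo": {"get": {"summary": "Internal ops echo", "security": []}}
  }
}
""")


def effective_security(spec, operation):
    """Requirements for one operation. OpenAPI 3 rule: an operation-level
    ``security`` key replaces the root list entirely, so ``[]`` means no auth."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def unauthenticated_operations(spec):
    """Return (METHOD, path, reason) for every operation callable anonymously."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            sec = effective_security(spec, op)
            if sec == []:
                reason = ("operation overrides global auth with security: []"
                          if "security" in op else "no security defined anywhere")
            elif any(req == {} for req in sec):  # {} alternative = optional auth
                reason = "empty {} alternative permits anonymous access"
            else:
                continue
            findings.append((method.upper(), path, reason))
    return findings


if __name__ == "__main__":
    for finding in unauthenticated_operations(SAMPLE_SPEC):
        print("%s %s: %s" % finding)
```

Run it against a real spec by replacing SAMPLE_SPEC with json.load() of the downloaded document; any finding for a path not meant to be public is a review item before the spec ships on a public origin.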

Who It's For

Players familiar with REST APIs and Swagger/OpenAPI who haven't yet practiced enumerating endpoints from a published spec.

Skills You'll Practice

  • Locating unauthenticated /openapi.json or /swagger.json
  • Reading paths + security overrides in an OpenAPI document
  • Reaching endpoints not linked from any UI

What You'll Gain

  • An intuition for treating API spec files as sensitive assets
  • A real-world example of a per-endpoint security override exposing an unauthenticated endpoint
