November 24, 2020

You’ve heard of password stuffing, now get ready for endpoint stuffing (Strangest “attack” on my companies servers I’ve seen)

A single clientIp hit one of our endpoints with a brute force dictionary attack. To what end, I have no idea.
Among the 2500 requests they sent over a 20 second period, they sent some very weird ones


As well as some that make it look like they’re just trying to discover real endpoints to call, such as


Here’s the full list (none of these are valid requests)

And all of our actual endpoints under item/v5 are all supposed to be consumer facing, so they’re not going to discover anything they’re not supposed to be able to access anyway.

Only practical purpose I can guess is they are testing if they’ll get rate limited.



>… they’re not going to discover anything they’re not supposed to be able to access anyway.

That’s what they’re testing for – trying to find any undocumented API routes to probe further at.

Edit: Looks like a pretty standard/unspecialized dictionary, most likely pulled from a directory buster (examples: they checked for `item/v5/wp-admin`, `item/v5/wp-content`, etc.). Weaksauce recon, I rate it 2/10.


This looks like [Dirbuster]( output.


Check out Imperva if you haven’t already. 10/10 highly recommended as a web application firewall!

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.