How to fix Shadow API Exposure in .NET 8 Web API
Executive Summary
Shadow APIs are the silent killers of enterprise perimeters. In .NET 8, they manifest as undocumented endpoints, legacy controllers, or dev-only routes leaking into production. Stop spraying and praying with generic mapping. You need surgical precision to ensure only the intended surface area is reachable. If you aren't auditing your endpoint metadata, you're hosting a playground for attackers.
The Vulnerable Pattern
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
var app = builder.Build();

// VULNERABILITY: Swagger/OpenAPI exposed in production reveals the entire attack surface
app.UseSwagger();
app.UseSwaggerUI();

// VULNERABILITY: Blindly mapping all controllers, including legacy or internal ones
app.MapControllers();

app.Run();
The Secure Implementation
The exploit vector for Shadow APIs is discovery. The secure implementation mitigates this by:
1. Environment Guarding: Ensuring the Swagger/OpenAPI JSON is unreachable in production, preventing automated schema scraping.
2. Explicit Grouping: Using MapGroup to apply global security policies (like RequireAuthorization) across all registered routes.
3. Metadata Stripping: Using ExcludeFromDescription() to hide sensitive utility endpoints from any generated documentation that might leak.
4. Strict Routing: Moving away from MapControllers in favor of explicit endpoint mapping where possible, to maintain a least-privilege surface area.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// Registering the generator is harmless; the exposure comes from serving it, so only the middleware is guarded below
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
var app = builder.Build();

// FIX: Strictly limit API documentation to local/dev environments
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

// FIX: Use endpoint routing with explicit authorization and versioned groups
var apiGroup = app.MapGroup("/api/v1")
    .RequireAuthorization() // Default deny
    .WithOpenApi();

// Controllers are mapped through the group so the default-deny policy and the /api/v1 prefix apply to every action
apiGroup.MapControllers();

// FIX: Explicitly exclude internal/health endpoints from public discovery
// (ExcludeFromDescription hides the route from generated docs only; it does not restrict access, so the policy is stated explicitly)
app.MapGet("/internal/status", () => Results.Ok())
    .ExcludeFromDescription()
    .AllowAnonymous();

app.Run();
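The summary above says to audit your endpoint metadata; the following is an added example (not the article's own code) of doing that at startup: it walks every registered route and flags endpoints that carry no authorization policy without being deliberately marked anonymous, plus internal routes still visible to OpenAPI generation. The `/debug/dump-config` route and the `EndpointAudit` class are hypothetical, and an authentication scheme is assumed to be configured elsewhere.

```csharp
// Program.cs: added example, not the article's own code. Assumes an authentication
// scheme is registered elsewhere; the audit itself only reads endpoint metadata.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Routing;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddAuthorization();
var app = builder.Build();

// Default deny: everything under /api/v1, controllers included, needs a policy.
var api = app.MapGroup("/api/v1").RequireAuthorization();
api.MapControllers();
api.MapGet("/orders", () => Results.Ok(Array.Empty<string>()));
// Hypothetical leftover debug route with no policy and no ExcludeFromDescription: the audit must flag it.
app.MapGet("/debug/dump-config", () => Results.Ok("redacted"));
// Deliberately public and hidden from OpenAPI, as in the secure pattern above.
app.MapGet("/internal/status", () => Results.Ok()).ExcludeFromDescription().AllowAnonymous();

// Audit the full route table before the first request is served; fail closed outside dev.
var findings = EndpointAudit.Run(app);
foreach (var f in findings) app.Logger.LogWarning("Shadow API check: {Finding}", f);
if (findings.Count > 0 && !app.Environment.IsDevelopment())
    throw new InvalidOperationException("Refusing to start: unreviewed endpoints are exposed.");

app.Run();

static class EndpointAudit
{
    public static IReadOnlyList<string> Run(IEndpointRouteBuilder routes)
    {
        var findings = new List<string>();
        foreach (var ep in routes.DataSources.SelectMany(ds => ds.Endpoints).OfType<RouteEndpoint>())
        {
            var path = ep.RoutePattern.RawText ?? "(no pattern)";
            var methods = string.Join(",", ep.Metadata.GetMetadata<IHttpMethodMetadata>()?.HttpMethods ?? new[] { "ANY" });
            bool requiresAuth = ep.Metadata.GetMetadata<IAuthorizeData>() is not null;
            bool explicitlyAnon = ep.Metadata.GetMetadata<IAllowAnonymous>() is not null;
            bool hiddenFromDocs = ep.Metadata.GetMetadata<IExcludeFromDescriptionMetadata>()?.ExcludeFromDescription == true;

            // Unprotected and never declared public: nobody made a decision about this route.
            if (!requiresAuth && !explicitlyAnon)
                findings.Add($"{methods} {path}: no authorization policy and not marked AllowAnonymous");
            // Internal or debug routes must not reach generated OpenAPI documents.
            if ((path.StartsWith("/internal") || path.StartsWith("/debug")) && !hiddenFromDocs)
                findings.Add($"{methods} {path}: internal route is still visible to OpenAPI generation");
        }
        return findings;
    }
}
```

With the routes above, the audit reports only the hypothetical /debug/dump-config endpoint on both counts; the group-mapped controllers and /api/v1/orders inherit the policy and pass.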
Verified by Ghost Labs Security Team