GuardAPI

Fix Shadow API Exposure in FuelPHP

Shadow APIs are the silent killers of enterprise perimeters. In FuelPHP, these typically manifest as undocumented REST controller methods or legacy routes that bypass modern auth filters. If an endpoint is reachable via the framework's auto-routing but isn't documented or protected, it's a shadow API. If it's reachable, it's exploitable.

The Vulnerable Pattern

class Controller_Api_User extends Controller_Rest {
    // Documented: fetches a public profile
    public function get_profile($id) {
        return $this->response(Model_User::find($id));
    }

    // SHADOW ENDPOINT: left by a dev for 'testing' and forgotten.
    // No auth; exposes internal system config via auto-routing.
    public function get_debug_config() {
        return $this->response(Config::get('db.default.connection'));
    }
}

The Secure Implementation

To eliminate Shadow API exposure in FuelPHP, follow the 'Deny by Default' principle. First, implement a hard `before()` hook in your `Controller_Rest` to enforce authentication across all methods. Second, disable FuelPHP's default auto-discovery by explicitly defining every valid API route in `APPPATH/config/routes.php`. This ensures that any 'forgotten' methods in your controllers remain unreachable. Finally, always whitelist returned fields from your Models; blindly passing a Model object to `response()` often leaks sensitive metadata or password hashes.

class Controller_Api_User extends Controller_Rest {
    protected $format = 'json';

    public function before() {
        parent::before();
        // 1. Enforce authentication globally for the controller.
        //    FuelPHP's request cycle discards the return value of before(),
        //    so returning a Response here would not stop the action from
        //    running. Throwing aborts the request; Fuel renders its 403
        //    response for this exception.
        if (!Auth::check()) {
            throw new HttpNoAccessException();
        }
    }

    public function get_profile($id) {
        // 2. Data filtering: never dump the whole Model object
        $user = Model_User::find($id);
        if ($user === null) {
            throw new HttpNotFoundException();
        }
        return $this->response([
            'username' => $user->username,
            'bio'      => $user->bio,
        ]);
    }

    // 3. Shadow method removed. Use explicit routing in config/routes.php:
    // return array('api/user/profile/:id' => 'api/user/profile/$1');
}
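The route-table step above is only as good as your inventory of what the controllers actually expose. The following stand-alone PHP script is an added example (not GuardAPI's or FuelPHP's own code) of auditing for shadow endpoints: it tokenises a controller source file, collects the public `get_`/`post_`/`put_`/`delete_`/`patch_` methods that `Controller_Rest` would dispatch to, and reports any that the route table does not name explicitly. The route array and controller source embedded below are constructed samples; the class-to-URI mapping (`Controller_Api_User` to `api/user`) and the treatment of a trailing `(:any)` route as "auto-routing cut off" are assumptions about a default FuelPHP setup.

```php
<?php
// Shadow-endpoint audit for FuelPHP REST controllers (added example, not the page's code).
// Assumption: FuelPHP's default mapping Controller_Api_User -> URI api/user, and REST
// actions named <verb>_<action>. A '(:any)' catch-all in routes.php is assumed to stop
// auto-routing from reaching unrouted methods.

// Constructed sample of what APPPATH/config/routes.php returns.
$routes = array(
    '_root_'                  => 'welcome/index',
    '_404_'                   => 'welcome/404',
    'api/user/profile/(:num)' => 'api/user/profile/$1',
);

// Constructed sample controller source (in practice: file_get_contents() on each
// file under APPPATH/classes/controller/).
$controller_source = <<<'PHPSRC'
<?php
class Controller_Api_User extends Controller_Rest
{
    protected $format = 'json';
    public function get_profile($id) {}
    public function get_debug_config() {}
    protected function load_user($id) {}
}
PHPSRC;

// Returns array(className => array(methodName, ...)) of public REST action methods.
function rest_actions($source)
{
    $tokens = token_get_all($source);
    $count = count($tokens);
    $result = array();
    $class = null;
    $visibility = 'public';   // a method without a modifier is public in PHP
    for ($i = 0; $i < $count; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) {
            continue;
        }
        if ($t[0] === T_CLASS) {
            // the first identifier after 'class' is the class name
            for ($j = $i + 1; $j < $count; $j++) {
                if (is_array($tokens[$j]) && $tokens[$j][0] === T_STRING) {
                    $class = $tokens[$j][1];
                    $result[$class] = array();
                    break;
                }
            }
        } elseif ($t[0] === T_PUBLIC || $t[0] === T_PROTECTED || $t[0] === T_PRIVATE) {
            $visibility = $t[1];
        } elseif ($t[0] === T_VARIABLE) {
            $visibility = 'public';   // property declaration consumed the modifier
        } elseif ($t[0] === T_FUNCTION && $class !== null) {
            for ($j = $i + 1; $j < $count; $j++) {
                if (is_array($tokens[$j]) && $tokens[$j][0] === T_STRING) {
                    $name = $tokens[$j][1];
                    if ($visibility === 'public' && preg_match('/^(get|post|put|delete|patch)_/', $name)) {
                        $result[$class][] = $name;
                    }
                    break;
                }
            }
            $visibility = 'public';
        }
    }
    return $result;
}

// Controller_Api_User -> api/user (assumed default FuelPHP class-to-URI mapping).
function controller_uri($class)
{
    return strtolower(str_replace('_', '/', preg_replace('/^Controller_/', '', $class)));
}

// Lists REST actions that no explicit route translation points at.
function shadow_endpoints(array $routes, array $actions)
{
    $catch_all = isset($routes['(:any)']) || isset($routes['(:everything)']);
    $shadows = array();
    foreach ($actions as $class => $methods) {
        $prefix = controller_uri($class) . '/';
        $routed = array();
        foreach ($routes as $translation) {
            // closures are valid translations but name no action; skip them
            if (is_string($translation) && strpos($translation, $prefix) === 0) {
                $segments = explode('/', substr($translation, strlen($prefix)));
                $routed[$segments[0]] = true;
            }
        }
        foreach ($methods as $method) {
            $action = preg_replace('/^(get|post|put|delete|patch)_/', '', $method);
            if (!isset($routed[$action])) {
                $shadows[] = $class . '::' . $method . ' (URI ' . $prefix . $action
                    . ($catch_all ? ', blocked by catch-all route)' : ', reachable by auto-routing)');
            }
        }
    }
    return $shadows;
}

foreach (shadow_endpoints($routes, rest_actions($controller_source)) as $line) {
    echo $line, PHP_EOL;
}
```

Run it against each controller file as part of CI; a non-empty report means either a route is missing from `routes.php` or a method should not be public. Adding a trailing `'(:any)'` route that throws `HttpNotFoundException` turns the remaining findings from "reachable" into "blocked", which is the deny-by-default state the section above describes.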


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.