GuardAPI

Fix Shadow API Exposure in Slim

Shadow APIs are unauthorized or undocumented endpoints that bypass security controls. In the Slim framework, this typically occurs when developers use dynamic route dispatching or generic catch-all patterns that map URI segments directly to class methods. To a researcher, this is a goldmine for IDOR and RCE. To fix it, you must move from dynamic, implicit routing to an explicit, white-listed architecture.

The Vulnerable Pattern

$app->any('/api/{controller}/{method}', function ($request, $response, $args) {
    $controllerClass = "\\App\\Controllers\\" . ucfirst($args['controller']);
    $method = $args['method'];
    // DANGER: Dynamic instantiation and method calling allows attackers to invoke 
    // any method on any class within the namespace, including internal helpers.
    $controller = new $controllerClass();
    return $controller->$method($request, $response);
});

The Secure Implementation

The vulnerable code implements a 'Dynamic Dispatch' pattern. This exposes every public method in your controller directory as a shadow API: an attacker can fuzz method names like 'deleteConfig' or 'internalDebug' to reach logic that was never meant to be routable. The secure implementation uses explicit routing: each URI is mapped to one specific method, and the {id:[0-9]+} constraint rejects non-numeric identifiers at the router. By using Route Groups, we apply a mandatory Authentication Middleware to the entire block, so no endpoint in the group is reachable without passing authentication. Finally, we register a handler for HttpNotFoundException so that undocumented paths return a bare 404 rather than the default error page, which can leak system information.

use Slim\Routing\RouteCollectorProxy;

$app->group('/api/v1', function (RouteCollectorProxy $group) {
    // Explicitly define every route. No wildcards for controllers.
    $group->get('/users/{id:[0-9]+}', \App\Controllers\UserController::class . ':show');
    $group->post('/users', \App\Controllers\UserController::class . ':create');
})->add(new \App\Middleware\AuthMiddleware());

// 404 handler for undocumented paths: return a bare 404 instead of the default error page.
$errorMiddleware = $app->addErrorMiddleware(false, true, true);
$errorMiddleware->setErrorHandler(
    Slim\Exception\HttpNotFoundException::class,
    function ($request, $exception) {
        return new Slim\Psr7\Response(404);
    }
);
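The secure group above hangs everything on \App\Middleware\AuthMiddleware, which the page does not show. The following is an added example of what that middleware can look like, not GuardAPI's code: a PSR-15 middleware for Slim 4 (slim/slim with slim/psr7, PHP 8) that rejects any request without a valid bearer token before the route callable is ever reached. The injected token list, the Bearer scheme and the JSON error body are assumptions.

```php
<?php
declare(strict_types=1);

namespace App\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Slim\Psr7\Response;

final class AuthMiddleware implements MiddlewareInterface
{
    // Assumed: valid API tokens are injected at construction (e.g. loaded from a
    // secrets store), so the page's `new AuthMiddleware()` would pass them in here.
    public function __construct(private array $validTokens) {}

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $header = $request->getHeaderLine('Authorization');

        // Only accept "Authorization: Bearer <token>"; anything else is denied
        // before the router resolves a controller method.
        if (!preg_match('/^Bearer\s+(\S+)$/', $header, $m)) {
            return $this->deny();
        }

        // hash_equals() compares in constant time, so token prefixes cannot be
        // guessed character by character from response timing.
        foreach ($this->validTokens as $known) {
            if (hash_equals($known, $m[1])) {
                return $handler->handle($request); // authenticated: continue to the route
            }
        }

        return $this->deny();
    }

    private function deny(): ResponseInterface
    {
        // A bare 401 with a fixed body: no stack trace, no hint about which
        // routes exist behind the group.
        $response = new Response(401);
        $response->getBody()->write('{"error":"unauthorized"}');
        return $response->withHeader('Content-Type', 'application/json');
    }
}
```

Because the middleware is attached to the group, a route registered outside it is not protected; the guarantee only holds while every API route lives inside the group.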


Verified by Ghost Labs Security Team
