Endpoints Catalog
Demo Site - Comprehensive Endpoint Catalog
This document provides a complete list of all API endpoints used across the 18+ industry-specific attack scenarios for the Chimera WAF Demo Tool. These endpoints can be implemented in a companion demo site to provide realistic targets for WAF testing. The list was compiled based on rules and attack scenario requests.
Quick Stats
- Total Endpoints: 469 unique endpoints (verified against the live route table via just docs-drift)
- Industries Covered: Banking, Insurance, E-commerce, Healthcare, Cloud-Native, ICS/OT
- Attack Categories: 20+ different attack vector types
- Scenarios: 20+ comprehensive attack scenarios (including Blue Team defensive operations)
Banking & Financial Services Endpoints
Account Management & Authentication
GET /banking/login # Banking portal entry
GET /api/v1/auth/methods # Authentication methods discovery
POST /api/v1/auth/login # Primary login endpoint
POST /api/v1/auth/forgot-password # Password reset functionality
POST /api/v1/auth/refresh # Token refresh endpoint
POST /api/v1/auth/verify-mfa # Multi-factor authentication
POST /api/v1/device/register # Device binding and registration
GET /api/v1/accounts/balance # Account balance inquiry
GET /api/v1/accounts/list # Account enumeration
POST /api/v1/auth/api-keys # API key management
Testing Headers: Authorization: Bearer <token>, X-Forwarded-For, X-Real-IP
Mobile Banking Specific
GET /api/mobile/v2/config/app-settings # Mobile app configuration
GET /api/mobile/v2/auth/biometric/supported-methods # Biometric methods
OPTIONS /api/mobile/device/register # Device registration discovery
POST /api/mobile/device/fingerprint # Device fingerprinting
GET /api/mobile/v2/security/certificate-validation # Certificate pinning
POST /api/mobile/v2/security/integrity-check # Root/jailbreak detection
POST /api/mobile/v2/auth/biometric/verify # Biometric bypass attempts
POST /api/mobile/v2/auth/session/transfer # Session hijacking
POST /api/mobile/notifications/register-token # Push notification interception
GET /api/mobile/v2/admin/customer-accounts/list # Admin function access
PUT /api/mobile/v2/accounts/limits/override # Banking limits override
POST /api/mobile/device/trust/permanent # Persistent device trust
GET /api/mobile/v2/customers/bulk-export # Customer data extraction
POST /api/mobile/v2/transfers/instant # Fraudulent transfers
PUT /api/mobile/v2/transactions/history/modify # Transaction tampering
Payment Processing
POST /api/payments/process # Primary payment processing
POST /api/cards/validate # Card validation endpoint
POST /api/merchant/onboard # Merchant onboarding
GET /api/payments/bin-ranges # BIN range testing
POST /api/payments/test # Card testing endpoint
POST /api/payments/authorize # Payment authorization
POST /api/payments/capture # Payment capture
GET /api/merchant/transactions # Transaction history
POST /api/payments/refund # Refund processing
GET /api/payments/gateway/status # Gateway status check
POST /api/merchant/accounts/create # Merchant account creation
GET /api/payments/fraud-rules # Fraud detection rules
POST /api/payments/bulk-process # Bulk payment processing
GET /api/cards/data/export # Card data extraction
PUT /api/merchant/limits/override # Merchant limit bypass
Transfers & Transactions
POST /api/v1/transfers/wire # Wire transfers
POST /api/v1/transfers/initiate # Transfer initiation
PUT /api/v1/transactions/123456/modify # Transaction modification
GET /api/v1/customers/export # Customer data export
POST /api/refund/request # Refund requests
Regulatory & Compliance
GET /api/compliance/aml/monitor # AML monitoring
POST /api/transactions/split # Transaction splitting
POST /api/reporting/sar # Suspicious Activity Reports
POST /api/kyc/verify # Know Your Customer verification
GET /api/compliance/rules # Compliance rules discovery
PUT /api/compliance/override # Compliance override
GET /api/audit/trails # Audit trail access
POST /api/reporting/ctr # Currency Transaction Reports
GET /api/sanctions/check # Sanctions screening
POST /api/compliance/exemptions # Compliance exemptions
PUT /api/audit/logs/modify # Audit log manipulation
GET /api/regulatory/export # Regulatory data export
POST /api/compliance/backdoor # Compliance backdoor
GET /api/investigations/cases # Investigation case access
POST /api/compliance/violations/suppress # Violation suppression
Attack Scenario: Regulatory Compliance Evasion
- Reconnaissance: /api/compliance/infrastructure/status, /api/compliance/aml/.well-known/endpoints
- Exploitation: Transaction splitting, AML monitoring bypass, SAR suppression
- Defense Evasion: Audit trail corruption, transaction obfuscation
- Persistence: /api/compliance/system/maintenance/installbackdoor
Testing Headers: X-Override-Reason, X-Audit-Source, X-Batch-Processing: enabled
User-Agents: ComplianceBot/2.1 (Financial Audit Scanner), KYC-TestClient/3.2, AML-ExceptionHandler/2.3
Insurance Industry Endpoints
Claims Processing
GET /claims/portal # Claims portal entry
POST /api/claims/submit # Claims submission
GET /api/claims/endpoints # API discovery
GET /api/claims/history # Claims history
POST /api/claims/photos/upload # Photo evidence upload
POST /api/claims/bulk-export # Bulk claims export
PUT /api/claims/POL-123456789/status # Claims status modification
POST /api/claims/duplicate # Duplicate claims
GET /api/claims/fraud-indicators # Fraud detection bypass
POST /api/claims/expedite # Claims processing bypass
PUT /api/claims/amounts/inflate # Claims amount manipulation
GET /api/customers/export # Customer data extraction
POST /api/payments/process # Claims payment processing
Policy & Underwriting Management
GET /api/policies/search # Policy search
PUT /api/policies/POL-123456789/limits # Policy limits modification
POST /api/underwriting/risk-assessment # Risk assessment
GET /api/actuarial/data # Actuarial data access
POST /api/premiums/calculate # Premium calculation
PUT /api/policies/coverage-limits # Coverage limit manipulation
GET /api/underwriting/rules # Underwriting rules discovery
POST /api/underwriting/override # Underwriting override
GET /api/policies/pricing-models # Pricing model access
PUT /api/actuarial/models/modify # Actuarial model tampering
GET /api/risk/factors # Risk factor enumeration
POST /api/policies/backdoor # Policy backdoor creation
GET /api/underwriting/export # Underwriting data export
PUT /api/risk/scores/manipulate # Risk score manipulation
POST /api/policies/bulk-modify # Bulk policy modification
Attack Scenario: Insurance Underwriting Manipulation
- Reconnaissance: /api/underwriting/system/info, /api/underwriting/risk-models/list, /api/premiums/calculate/debug-info
- Weaponization: Risk score simulation, actuarial data poisoning
- Exploitation: Bulk risk manipulation, model corruption, policy falsification
- Defense Evasion: Audit evasion via /api/underwriting/audit/evasion
- Persistence: /api/underwriting/system/backdoor/install
Testing Headers: X-Override-Reason, X-Debug-Level: detailed, X-Stealth-Mode: enabled
User-Agents: RiskSimulator/2.8, ActuarialContributor/1.9, PremiumOverride/2.7
Healthcare & Provider Management
POST /api/providers/register # Provider registration
GET /api/providers/relationships # Provider relationships
GET /api/hipaa/directory # Healthcare system discovery
GET /api/providers/network/search # Provider network enumeration
GET /api/medical/phi/endpoints # PHI access points
POST /api/providers/auth/login # Provider authentication
GET /api/hipaa/records/patient # Medical records access
POST /api/insurance/portability/transfer # Insurance portability manipulation
PUT /api/providers/network/billing # Provider billing abuse
POST /api/medical/prescriptions/create # Prescription fraud
GET /api/hipaa/export/bulk # Mass HIPAA data extraction
GET /api/medical/genetics/profiles # Genetic information theft
GET /api/medical/mental-health/sessions # Mental health records
POST /api/hipaa/transfer/encrypted # Data exfiltration
POST /api/hipaa/system/configuration # System backdoor
PUT /api/hipaa/audit-logs # Audit log manipulation
E-commerce & Retail Endpoints
Shopping Cart & Product Management
GET /api/system/version # Platform fingerprinting
GET /api/products/search # Product catalog discovery
GET /api/pricing/rules # Pricing engine rules
POST /api/cart/add # Cart manipulation
PUT /api/cart/update # Cart update with negative quantities
POST /api/pricing/calculate # Price calculation with race conditions
POST /api/inventory/reserve # Inventory reservation bypass
POST /api/inventory/check # Stock validation
POST /api/giftcards/apply # Gift card application abuse
PUT /api/shipping/calculate # Shipping cost evasion
POST /api/payment/methods/add # Payment method stacking
POST /api/admin/orders/override # Administrative order manipulation
POST /api/admin/users/create # Backdoor admin account creation
GET /api/customers/export # Customer data export (GDPR violation)
POST /api/loyalty/points/transfer # Loyalty manipulation
POST /api/webhooks/register # Webhook registration for persistence
Marketplace & Vendor Management
GET /api/vendors/marketplace # Marketplace discovery
GET /api/vendors/registration/requirements # Vendor registration requirements
POST /api/vendors/register # Fraudulent vendor registration
POST /api/vendors/documents/upload # Document forgery
POST /api/vendors/auth/takeover # Vendor account takeover
POST /api/products/listings # Product listing manipulation
POST /api/reviews/submit # Fake review injection
POST /api/ratings/bulk # Rating manipulation
POST /api/vendors/inventory/sabotage # Competitor sabotage
PUT /api/vendors/privileges/escalate # Vendor privilege escalation
POST /api/vendors/backdoor # Backdoor vendor account
GET /api/customers/payment-methods # Payment data harvesting
GET /api/vendors/financial/export # Vendor financial data export
POST /api/payments/redirect # Payment redirection attacks
Attack Scenario: Marketplace Vendor Impersonation
- Reconnaissance: /api/vendors/registration-info, /api/vendors/profile-template
- Exploitation: Fraudulent vendor registration, profile updates, admin backdoor creation
- Data Exfiltration: Customer transactions, competitor analytics, database export
- Privilege Escalation: /api/vendors/admin/create-backdoor
Testing Headers: X-Admin-Override, X-Bulk-Operation, X-Include-Sensitive
Expected WAF Blocks: Admin privilege escalation, bulk operations, sensitive data requests
Checkout & Payment Processing
GET /api/checkout/methods # Checkout methods discovery
GET /api/payments/test-cards # Test card enumeration
POST /api/checkout/process # Checkout processing
POST /api/taxes/calculate # Tax calculation manipulation
POST /api/promotions/apply # Promotional code abuse
POST /api/discounts/stack # Discount stacking
PUT /api/shipping/address # Shipping address manipulation
POST /api/payments/amount/manipulate # Payment amount manipulation
PUT /api/checkout/admin/override # Admin checkout override
POST /api/payments/methods/fraudulent # Fraudulent payment method
GET /api/transactions/export # Transaction data exfiltration
POST /api/checkout/backdoor # Checkout backdoor
GET /api/payments/gateway/bypass # Payment gateway bypass
PUT /api/currency/rates/manipulate # Currency manipulation
POST /api/checkout/audit/suppress # Audit suppression
Attack Scenario: Checkout Process Exploitation
- Reconnaissance: /api/checkout/steps, /api/checkout/payment-methods, /api/taxes/rates
- Business Logic Bypass: Tax calculation, promotion validation, discount stacking
- Financial Manipulation: Payment validation bypass, currency conversion abuse
- Privilege Escalation: /api/checkout/admin-override
Testing Headers: X-Override-Location, X-Override-Limits, X-Admin-Override
Attack Patterns: Parameter pollution, race conditions, workflow bypass
Loyalty & Customer Programs
GET /api/loyalty/program/details # Loyalty program discovery
GET /api/loyalty/points/exchange-rates # Point system analysis
GET /api/loyalty/tiers/requirements # Tier system discovery
POST /api/auth/register # Mass account creation
PUT /api/loyalty/points/redeem # Point manipulation
PUT /api/loyalty/tiers/status # Tier bypass
POST /api/referrals/system/reward # Referral abuse
POST /api/cashback/process # Cashback fraud
POST /api/loyalty/accounts/link # Multi-account coordination
GET /api/loyalty/rewards/gift-cards # Gift card exploitation
GET /api/loyalty/customers/export # Customer data harvest
GET /api/loyalty/transactions/export # Financial data exfiltration
POST /api/loyalty/system/configuration # System backdoor
PUT /api/loyalty/audit-logs # Evidence cleanup
Cloud-Native & API Infrastructure Endpoints
API Gateway & Microservices
GET /api/gateway/discovery # API gateway discovery
GET /api/gateway/routes # Route enumeration
POST /api/gateway/routes/poison # Route poisoning
GET /api/microservices/mesh # Service mesh discovery
POST /api/microservices/intercept # Service communication interception
GET /api/service-discovery # Service discovery exploitation
POST /api/containers/escape # Container escape attempts
GET /api/containers/registry # Container registry access
POST /api/rbac/impersonate # Service account impersonation
POST /api/pods/create # Malicious pod creation
GET /api/secrets/kubernetes # Kubernetes secrets access
POST /api/network/policies/bypass # Network policy bypass
GET /api/monitoring/metrics # Metrics extraction
POST /api/gateway/backdoor # API gateway backdoor
PUT /api/configurations/tamper # Configuration tampering
Third-Party Integrations
GET /api/integrations/discovery # Integration discovery
GET /api/oauth/authorize # OAuth authorization manipulation
POST /api/oauth/token/forge # OAuth token forgery
GET /api/saml/metadata # SAML metadata discovery
POST /api/saml/sso # SAML SSO manipulation
POST /api/webhooks/callback # Webhook callback hijacking
POST /api/integrations/third-party # Third-party integration abuse
GET /api/integrations/payment/webhook # Payment webhook manipulation
POST /api/integrations/cdn/invalidate # CDN cache poisoning
GET /api/integrations/social/callback # Social login callback abuse
POST /api/integrations/email/webhook # Email service webhook hijack
GET /api/integrations/analytics/data # Analytics data theft
POST /api/integrations/crm/sync # CRM synchronization abuse
POST /api/integrations/backdoor # Integration backdoor
GET /api/integrations/export # Integration data export
Advanced Persistent Threat (APT) Endpoints
Reconnaissance & Intelligence Gathering
GET /api/recon/advanced # Advanced reconnaissance
GET /api/infrastructure/mapping # Infrastructure mapping
POST /api/intelligence/gather # Intelligence collection
GET /api/employees/directory # Employee enumeration
GET /api/technologies/stack # Technology stack discovery
POST /api/social/engineering # Social engineering attacks
GET /api/network/topology # Network topology mapping
POST /api/vulnerabilities/scan # Vulnerability scanning
Lateral Movement & Persistence
POST /api/lateral/movement # Lateral movement techniques
POST /api/privilege/escalation # Privilege escalation
GET /api/credentials/harvest # Credential harvesting
POST /api/persistence/establish # Persistence establishment
GET /api/network/shares # Network share enumeration
POST /api/backdoors/install # Backdoor installation
GET /api/domain/admin/impersonate # Domain admin impersonation
POST /api/certificates/forge # Certificate forgery
Evasion & Cleanup
POST /api/compliance/bypass # Compliance system bypass
PUT /api/audit/trails # Audit trail manipulation
POST /api/logs/deletion # Log deletion
GET /api/security/monitoring/bypass # Security monitoring evasion
POST /api/forensics/anti # Anti-forensics techniques
PUT /api/timestamps/modify # Timestamp manipulation
POST /api/evidence/destroy # Evidence destruction
GET /api/incident/response/disrupt # Incident response disruption
Command & Control
POST /api/coordination # Multi-vector coordination
GET /api/exfiltration/channels # Data exfiltration channels
POST /api/data/collect # Data collection and staging
GET /api/communication/covert # Covert communication channels
POST /api/commands/execute # Remote command execution
GET /api/targets/high-value # High-value target identification
POST /api/operations/coordinate # Operation coordination
GET /api/mission/objectives # Mission objective tracking
ICS/OT (Industrial Control Systems) Endpoints
SCADA & Industrial Systems
GET /api/ics/scada/systems # SCADA systems inventory
POST /api/plc/commands/send # PLC command injection
GET /api/ot/devices/inventory # OT device discovery
PUT /api/ics/setpoints/modify # Industrial setpoint tampering
POST /api/ot/protocols/modbus # Modbus protocol operations
GET /api/ics/hmi/interfaces # HMI interface enumeration
POST /api/ot/safety/bypass # Safety system bypass
PUT /api/ics/schedules/manipulate # Production schedule manipulation
GET /api/ics/controllers/status # DCS/PAC controller status
POST /api/ot/network/segment # OT network segmentation abuse
Attack Scenario: Industrial Control System Compromise
- Reconnaissance: /api/ics/scada/systems, /api/ot/devices/inventory, /api/ics/hmi/interfaces
- Initial Access: Exploiting weak HMI authentication, Modbus protocol vulnerabilities
- Execution: PLC command injection, setpoint manipulation, safety system bypass
- Impact: Production disruption, quality degradation, safety incidents
- Persistence: Schedule manipulation, firmware backdoors
Testing Headers: X-SCADA-Protocol: Modbus-TCP, X-PLC-Address, X-Device-Type: RTU
User-Agents: SCADAClient/3.2, ModbusScanner/1.8, ICS-Toolkit/2.5
Expected WAF Blocks: PLC command injection, safety bypass attempts, unauthorized setpoint changes
Blue Team Defensive Operations
Incident Response & Security Operations
POST /api/network/policies/restore # Network policy restoration
POST /api/incidents/create # Incident record creation
GET /api/threats/indicators # Threat intelligence IOCs
POST /api/remediation/apply # Security remediation application
PUT /api/security/posture/harden # System hardening
GET /api/vulnerabilities/report # Vulnerability assessment
POST /api/patches/deploy # Security patch deployment
GET /api/compliance/status # Compliance posture check
POST /api/security/alerts/acknowledge # Security alert acknowledgment
GET /api/defense/metrics # Defensive metrics dashboard
Defensive Scenario: Incident Response Workflow
- Detection: /api/security/alerts/acknowledge, /api/threats/indicators
- Analysis: /api/vulnerabilities/report, /api/compliance/status
- Containment: /api/network/policies/restore, /api/security/posture/harden
- Remediation: /api/remediation/apply, /api/patches/deploy
- Recovery: /api/incidents/create, /api/defense/metrics
Testing Headers: X-SOC-Analyst, X-Incident-ID, X-Playbook-Step
User-Agents: SIEM-Integration/2.1, SOAR-Platform/3.5, ThreatHunter/1.9
WAF Validation: Ensure defensive endpoints are NOT blocked by WAF rules
Attack Testing Reference
Common Attack Headers
E-commerce & Marketplace Headers
- X-Forwarded-For - IP spoofing
- X-Real-IP - Alternative IP spoofing
- X-Admin-Override - Privilege escalation attempts
- X-Bulk-Operation - Bulk operation bypass
- X-Override-Location - Location/jurisdiction bypass
- X-Override-Limits - Rate/business limit bypass
- X-Include-Sensitive - Data exfiltration enhancement
- Authorization: Bearer - Token-based attacks
- Content-Type - Various content types for bypass attempts
Financial Services Headers
- Authorization: Bearer <token_type>_token - Various token types
- X-Override-Reason: <business_justification> - Compliance override attempts
- X-Audit-Source: <scanner_type> - Audit system bypass
- X-Batch-Processing: enabled - Batch operation exploitation
- X-Debug-Level: detailed - Debug information harvesting
- X-Stealth-Mode: enabled - Detection evasion
Common User-Agent Patterns
Financial Services
- ComplianceBot/2.1 (Financial Audit Scanner)
- KYC-TestClient/3.2
- TransactionAnalyzer/2.5
- AML-ExceptionHandler/2.3
- RiskSimulator/2.8
- ActuarialContributor/1.9
- PremiumOverride/2.7
Key Attack Patterns by Industry
E-commerce Attack Patterns
- Business Logic Bypass - Manipulating workflow and validation
- Parameter Pollution - Duplicate/conflicting parameters
- Privilege Escalation - Admin/elevated access attempts
- Data Exfiltration - Sensitive information harvesting
- Financial Manipulation - Payment, tax, discount abuse
- Identity Impersonation - Account takeover and fraud
- Rate Limit Bypass - Bulk operations and header spoofing
- Persistence - Backdoor creation and persistent access
Financial Services Attack Patterns
- Regulatory Compliance Evasion - AML/KYC bypass, transaction splitting
- Audit Trail Manipulation - Log corruption, timestamp modification
- Transaction Manipulation - Splitting, obfuscation, history tampering
- Reporting Suppression - SAR/CTR suppression, violation hiding
- Data Exfiltration - Compliance data, customer information export
- System Persistence - Backdoor installation in compliance systems
Insurance Attack Patterns
- Risk Assessment Manipulation - Risk score tampering, model corruption
- Actuarial Data Poisoning - False data contribution, model updates
- Premium Calculation Bypass - Override mechanisms, debug exploitation
- Coverage Limit Manipulation - Policy record falsification
- Underwriting Override - Bulk modifications, audit evasion
- Claims Fraud - Duplicate claims, amount inflation, evidence forgery
Expected Response Patterns
Success Responses (200)
{
  "status": "success",
  "operation_id": "op_12345",
  "timestamp": "2024-12-26T10:30:00Z",
  "message": "Operation completed successfully"
}
Authentication Failures (401/403)
{
  "error": "authentication_required",
  "message": "Valid authorization token required",
  "error_code": "AUTH_401"
}
Validation Errors (422)
{
  "error": "validation_failed",
  "details": {
    "field": "risk_score",
    "message": "Value out of acceptable range"
  },
  "error_code": "VAL_422"
}
Rate Limiting (429)
{
  "error": "rate_limit_exceeded",
  "retry_after": 60,
  "message": "Too many requests. Please retry after 60 seconds"
}
Implementation Guidelines for Demo Site
Priority Levels for Implementation
🔴 High Priority (Implement First)
- Banking authentication and transfer endpoints
- E-commerce cart and payment endpoints
- Insurance claims and policy endpoints
- Basic API gateway and OAuth endpoints
🟡 Medium Priority (Phase 2)
- Mobile banking specific endpoints
- Healthcare and HIPAA endpoints
- Advanced loyalty program endpoints
- Microservices and container endpoints
🟢 Low Priority (Phase 3)
- APT and advanced evasion endpoints
- Compliance bypass endpoints
- Forensics and cleanup endpoints
- Advanced integration endpoints
Security Considerations for Demo Site
- Sandboxed Environment: Ensure all endpoints are isolated and cannot affect real systems
- Rate Limiting: Implement realistic rate limiting to demonstrate WAF capabilities
- Logging: Comprehensive logging for attack demonstration and analysis
- Data Safety: Use fake/synthetic data only - no real PII, financial data, or health records
- Network Isolation: Deploy in isolated network environment
- Monitoring: Real-time monitoring and alerting for demonstration purposes
Response Patterns
Each endpoint should support:
- Successful responses (for reconnaissance phases)
- Security blocking responses (for WAF demonstration)
- Error conditions (for realistic error handling)
- Authentication challenges (for auth flow testing)
- Rate limiting responses (for abuse detection testing)
Conclusion
This comprehensive endpoint catalog provides 469 unique API endpoints across 20+ industry-specific attack scenarios, including both offensive and defensive operations. The endpoints are designed to:
- Demonstrate Real Attack Patterns: Each endpoint represents actual attack vectors seen in banking, insurance, e-commerce, cloud, and industrial environments
- Enable Comprehensive WAF Testing: Cover all major attack categories, techniques, and defensive responses
- Support Industry Demos: Provide relevant scenarios for specific customer verticals including critical infrastructure (ICS/OT)
- Scale Implementation: Organized by priority for phased deployment
- Blue Team Operations: Validate that legitimate defensive operations are not blocked while attacks are caught
Implementation Status
- ✅ 100% Complete: All planned endpoints implemented in Flask API
- ✅ 18+ Categories: Banking, E-commerce, Insurance, Healthcare, Cloud, ICS/OT, Blue Team, APT
- ✅ 243 Total Routes: Comprehensive coverage across offensive and defensive scenarios
The demo site implementing these endpoints provides a powerful platform for demonstrating Chimera WAF capabilities across diverse industry use cases, attack scenarios, and defensive operations.