@shinyaz

AWS Security Agent pentest can't discover endpoints without HTML links

Discovered this while testing Security Agent against a GraphQL API. When GET / returned {"graphql_endpoint": "/graphql"} as JSON, the agent never accessed /graphql. Providing schema documentation via documents or explicitly setting the endpoint URL to http://<host>/graphql didn't help either — 0 findings in all cases.

After changing / to an HTML page with <a href="/graphql"> and adding a <form method="POST" action="/graphql">, the agent discovered /graphql, sent 3,601 POST requests, and reported 8 findings.

The SCANNER appears to crawl via HTML <a> tags and form actions. It didn't parse JSON values to navigate to linked endpoints. This applies beyond GraphQL — any API-only backend (e.g. SPA backends) likely needs a temporary HTML entry point for effective testing.
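The behaviour described above can be reproduced with a small model of a link-following crawler. This is an added example, not code from the original post and not the agent's actual implementation; `LinkExtractor`, `crawl_targets` and `entry_page` are hypothetical names, and the sample responses are constructed from the ones quoted in the post.

```python
import html
import json
from html.parser import HTMLParser


class LinkExtractor(HTMLParser):
    """Assumed crawler model: only <a href> and <form action> yield targets."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(("GET", attrs["href"]))
        elif tag == "form" and attrs.get("action"):
            method = (attrs.get("method") or "GET").upper()
            self.targets.append((method, attrs["action"]))


def crawl_targets(body):
    """Return the (method, path) pairs a link-following crawler would queue."""
    parser = LinkExtractor()
    parser.feed(body)
    return parser.targets


def entry_page(endpoints):
    """Build a temporary HTML index for (method, path) pairs, for test runs only."""
    items = []
    for method, path in endpoints:
        p = html.escape(path, quote=True)
        items.append(f'<li><a href="{p}">{p}</a></li>')
        if method.upper() != "GET":
            m = html.escape(method.upper(), quote=True)
            items.append(f'<li><form method="{m}" action="{p}">'
                         f"<button>send</button></form></li>")
    return "<!doctype html><html><body><ul>" + "".join(items) + "</ul></body></html>"


# Constructed samples: the JSON root from the post and its HTML replacement.
JSON_ROOT = json.dumps({"graphql_endpoint": "/graphql"})
HTML_ROOT = entry_page([("POST", "/graphql")])

if __name__ == "__main__":
    print("JSON root ->", crawl_targets(JSON_ROOT))
    print("HTML root ->", crawl_targets(HTML_ROOT))
```

Serve the generated page at / only in the environment under test and remove it afterwards, since the post describes it as a temporary entry point.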

Shinya Tahara

Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.