Last week someone tried to copy my visa API's database. They didn't succeed — they got 0.6% of it before I cut the key — but the 251 requests they left behind are a near-perfect teaching case for what targeted API extraction actually looks like from the defender's side.
Here's the forensic walkthrough.
The target
One endpoint:
GET /api/v1/visa?from={passport}&to={destination}
It returns the visa rule for a passport→destination pair — visa type, allowed stay, conditions. The full matrix is ~39,585 pairs. That matrix is the product.
The evidence
The attacker's requests weren't spread across the map. They were a sweep, one passport at a time:
| Passport | Destinations pulled | Coverage |
|---|---|---|
| 🇦🇪 UAE (ARE) | 195 | ~100% of that passport's matrix |
| 🇦🇺 Australia (AUS) | 53 | ~1/4, interrupted |
| 🇨🇳 China (CHN) | 2 | test calls |
249 unique pairs, near-zero duplicates. Whoever wrote this was methodical: validate that one full passport comes out
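One way to surface this sweep pattern from access logs, as an added example rather than the author's own detection code: per API key, it measures how much of a single passport's row has been pulled and how few requests repeat a pair. The 195-destination row size comes from the table above; the thresholds, key names, destination codes and log tuples are constructed assumptions.

```python
from collections import defaultdict

DESTS_PER_PASSPORT = 195  # assumption: the table treats 195 destinations as ~100% of one passport
COVERAGE_ALERT = 0.25     # assumed threshold: a quarter of one passport's row
MIN_UNIQUE_RATIO = 0.9    # assumed threshold: a sweep almost never repeats a pair


def sweep_report(requests):
    """requests: iterable of (api_key, from_passport, to_destination).

    Returns {api_key: details} for keys whose traffic looks like a
    passport-by-passport sweep of the matrix."""
    total = defaultdict(int)
    rows = defaultdict(lambda: defaultdict(set))  # key -> passport -> destinations seen
    for key, src, dst in requests:
        total[key] += 1
        rows[key][src].add(dst)

    flagged = {}
    for key, per_passport in rows.items():
        unique = sum(len(dests) for dests in per_passport.values())
        # Share of each passport's row this key has already retrieved.
        swept = {
            p: round(len(dests) / DESTS_PER_PASSPORT, 2)
            for p, dests in per_passport.items()
            if len(dests) / DESTS_PER_PASSPORT >= COVERAGE_ALERT
        }
        # Real clients re-query a small set of pairs; an extractor does not.
        if swept and unique / total[key] >= MIN_UNIQUE_RATIO:
            flagged[key] = {"requests": total[key], "unique_pairs": unique, "swept": swept}
    return flagged


def constructed_log():
    """Constructed sample traffic; destination codes are placeholders, not real ISO codes."""
    dests = [f"D{i:03d}" for i in range(DESTS_PER_PASSPORT)]
    log = [("key_sweep", "ARE", d) for d in dests]        # full row
    log += [("key_sweep", "AUS", d) for d in dests[:53]]  # interrupted row
    log += [("key_sweep", "CHN", d) for d in dests[:2]]   # test calls
    log.append(("key_sweep", "ARE", dests[0]))            # a single repeat
    # Ordinary integration: 12 pairs, each looked up five times.
    log += [("key_app", p, d) for p in ("DEU", "IND", "BRA") for d in dests[:4]] * 5
    return log


if __name__ == "__main__":
    for key, details in sweep_report(constructed_log()).items():
        print(key, details)
```

Run on a rolling window of real logs, the same coverage figure can drive an alert or a per-key cap on distinct pairs well before a full row is out.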