During testing, I discovered that the test environment's Swagger UI at https://[test-api-domain]/swagger/index.html is fully accessible to anyone on the internet without any authentication. This endpoint returns a complete OpenAPI/Swagger specification containing all API endpoints, request/response schemas, data models, and internal architecture details.

Three vulnerabilities, one target. From injecting malicious configs into Swagger UI to hijacking an abandoned subdomain and bypassing API auth with a single header — here's how I found them and why they matter.