{"id":96201,"date":"2024-06-18T16:31:25","date_gmt":"2024-06-18T16:31:25","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=learn&p=96201"},"modified":"2025-12-17T16:01:56","modified_gmt":"2025-12-17T14:01:56","slug":"shadow-zombie-apis-the-undocumented-api-vulnerabilities-threaten-security-posture","status":"publish","type":"learn","link":"https:\/\/checkmarx.com\/learn\/api-security\/shadow-zombie-apis-undocumented-api-vulnerabilities-threaten-security-posture\/","title":{"rendered":"Shadow & Zombie APIs: The Undocumented API Vulnerabilities Threaten Security Posture"},"content":{"rendered":"
\n
\n
\n

Zombies and Shadows \u2013 The Dark Side of APIs<\/span><\/h2>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
\n

Are zombies and shadows lurking in your environment? They sound like something from a horror movie, but for digital innovators, they are very real and scary. These undocumented application programming interfaces (APIs) are proof that in the land of software development, what you can\u2019t see can hurt you<\/a>.<\/p>\n

APIs are the backbone of web communication today, and the result is an explosion of hidden shadow APIs and zombie APIs that are almost impossible to keep track of. Without a unique approach to API security management<\/a> to hunt them down and restrain them, they can be developers\u2019 and security teams\u2019 worst nightmares.<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n

\n
\n
\n

Why Shadow And Zombie APIs Are Dangerous<\/h2>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
\n

So what are documented vs undocumented APIs and why is this aspect of API protection often overlooked? API documentation files, like RAML files, Swagger files, or OpenAPI files, describe what an API is, what it looks like, where it lives, and what parameters it has.<\/p>\n

This information is extremely important for AppSec teams to create security controls that protect them. Each API should be properly documented and updated any time changes happen, which in coding and development is all the time. The number of APIs grows by the day, and APIs come in and out of use very often. They aren\u2019t always updated, or even documented in the first place. It\u2019s easy to see why communication gaps between development and security teams set the stage for serious API security vulnerabilities.<\/p>\n

Let\u2019s unmask the mystery behind these specific types of hidden APIs:<\/p>\n

What Are Shadow APIs<\/h3>\n

Shadow APIs<\/strong>: When developers build APIs, they don\u2019t always inform the AppSec team and the interface goes live without documentation. The API could have been used in a proof of concept and was forgotten about when the project was fast-tracked to production. Or the API was quickly spun up to meet an urgent business need. These shadow APIs are built outside of official processes and governance controls and remain unprotected.<\/p>\n

What Are Zombie APIs<\/h3>\n

 Zombie APIs<\/strong>: Sometimes an API is developed and deployed with an application, but it\u2019s never actually used \u2014 it\u2019s basically a useless functionality that is only serving to expand the attack surface. Other times, developers build a new version of the same API but don\u2019t decommission it right away. Instead, the API runs with the older API as a backup in case any issues arise. Over time, more traffic is sent to the new one until the old one becomes unnecessary and defunct, but developers forget to decommission it.<\/p>\n

APIs that are left unchecked and undocumented quickly turn into API sprawl, leaving the door wide open to API security threats, such as:<\/p>\n