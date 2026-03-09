Every now and then, something completely mundane sneaks up on you and delivers a security lesson you were not looking for.
For me, it started with something embarrassingly ordinary: I needed to export a list of event attendees. Nothing exciting. No red team engagement. No late-night incident call. Just a very normal “can I please get this into a CSV?” moment.
The problem was the UI. Infinite scroll. No export button. Which meant I either scrolled until my fingers fell off … or I took a look at what the application was actually doing behind the scenes.
You can probably guess which option I chose.
The moment I opened browser developer tools, the task stopped being about exporting a list and turned into a clean, real-world example of something we talk about constantly in incident response (IR): the real security boundary of modern applications isn’t the UI, it’s whatever the backend trusts after authentication.
Once I looked at the network traffic, the architecture revealed itself immediately:
There was nothing magical about the UI. It was simply replaying the same authorized API request with different pagination tokens as I scrolled. Once you see that, the solution becomes obvious: script the same requests, walk the pagination and dump the results.
Just automating the exact workflow the browser was already performing on my behalf.
And that is when it clicked: this is exactly how attackers think.
Not in terms of screens and buttons, but in terms of what the backend will accept from an authenticated client.
This is something we say all the time in security, but it’s easy to forget in practice: the UI is a suggestion; the API is the truth.
Attackers don’t care that you intended users to scroll slowly. They don’t care that you didn’t include an export button. They don’t care about your “intended workflow” at all.
They care about one thing: what the backend will trust.
And the browser? From an attacker’s perspective, it’s just a pre-built, fully authorized API client they didn’t even have to write.
That’s why so many real-world incidents end up looking like:
Once authentication is complete, the problem stops being about identity and starts being about trust. And trust is where most organizations get blindsided.
This tiny export task ended up being a perfect reminder of how incident responders should be framing modern investigations.
First, focus on API behavior, not UI actions. If the API allowed something, arguing that “the UI would not do that” is beside the point.
Second, treat session abuse as full compromise. If an attacker can replay a session token, they are the user. End of discussion.
Third, ask better questions during scoping. Not “Would a user click this?” but:
Those questions surface the truth much faster than debating UI intent.
Finally, do harmless exercises like this more often. There is no better way to sharpen attacker intuition than automating something you’re legitimately allowed to do and watching how the system behaves. It builds instinct in a way documentation never will.
I did not exploit anything. The application worked exactly as designed. That’s the part worth sitting with.
Because attackers rely on the same reality: if you can safely replay an authenticated API call, someone will eventually replay it unsafely.
After authentication, everything becomes the real perimeter, and most defenses still aren’t built around that truth.
A handful of modern controls could have either broken this behavior outright or made it obvious something unusual was happening:
And the most important one: never treating the UI as a security boundary. Defenders who think in UI terms will always lag behind attackers who think in API terms.
Mapped to MITRE ATT&CK, this lives squarely in familiar territory: session theft, token replay, valid-account abuse, API misuse.
Mapped to NIST, it aligns just as cleanly: session binding, risk-based authentication, backend authorization and anomaly detection.
In other words, this isn’t theoretical. This is where modern compromise actually happens.
MITRE tells us how attackers abuse trust. NIST tells us where organizations are expected to manage it. This simple export task sat right in the middle.
The question is not, “Did MFA work?” The real question is, “What did the backend trust after MFA succeeded?” That is the perimeter now.
The sooner incident response treats it that way, the better we’ll be at detecting, and containing, what actually matters.
MITRE ATT&CK TTPs and NIST Control Alignment
|Area
|MITRE ATT&CK Technique
|Description (IR Context)
|NIST Reference
|Session Abuse
|T1550 — Use Alternate Authentication Material
|Reuse of valid session cookies or tokens instead of credentials
|NIST SP 800-63B §7 (Session Management)
|Session Theft
|T1539 — Steal Web Session Cookie
|Theft and replay of browser session cookies
|NIST CSF PR.AC-1
|Valid Account Abuse
|T1078 — Valid Accounts
|Abuse of legitimate user access post-authentication
|NIST CSF PR.AC-4
|API Abuse
|T1071 — Application Layer Protocol
|Use of legitimate application-layer protocols (HTTP/GraphQL)
|NIST CSF DE.CM-1
|Backend Enumeration
|T1213 — Data from Information Repositories
|Bulk access or enumeration of backend data via APIs
|NIST SP 800-53 AC-3
|Post-Auth MFA Bypass
|T1550.004 — Web Session Cookie
|Bypassing MFA by replaying authenticated session tokens
|NIST SP 800-63B §6 (Risk-Based Auth)
|Privilege Misuse
|T1068 — Exploitation for Privilege Escalation
|Backend authorization trusting UI behavior
|NIST CSF PR.AC-6
|Automation at Scale
|T1046 — Network Service Discovery (Conceptual)
|Automated enumeration patterns at scale
|NIST CSF DE.AE-1
|Data Exfiltration
|T1041 — Exfiltration Over C2 Channel (Logical)
|Large data transfer over legitimate channels
|NIST CSF DE.CM-7
|Monitoring Evasion
|T1562 — Impair Defenses (Implicit)
|Operating within “normal” auth flows to avoid alerts
|NIST CSF DE.AE-3
