(no title)

You will be surprised. Do a "Inspect Element" and have fun filtering on "XHR requests". Notice that JSON that a lot of those requests return. but sshhhh, you didn't hear this from me.

With the move to client-side rendering, too many. The backend becomes dumber and dumber and all logic such as filtering data moves to the frontend. You'd be surprised what you can find poking around at APIs that client-side apps use.

Careful, son, you're quickly entering elite hacker turf.

The analogy is going up to a house and checking all the doors and windows to see if they are locked. That's rather like port scanning, a form of 'poking'. If you go to a state government web site and do that, even if you don't exfiltrate data or load it up with ransomware, it's definitely very shady behavior, although it seems there are no laws against it in the USA (some ISPs will ban users caught doing this however).

Obviously if you broke into someone's house and then asked them to pay you for your 'vuln discovery', err...

However, I think looking at HTML code on a public facing web page is not that. If you hang naked pictures of yourself on your front door, you don't get to complain when people take pictures of them.

1. https://www.calyptix.com/top-threats/port-scanning-legal-ans...

Last year, when a Nintendo Switch was difficult to come by, I found that a large retailer’s API returned exact stock counts (and even restock dates in some cases) for any physical store you wanted. Got a Switch for myself and a couple friends in an afternoon.