{"name":"Vulnerable Test API","version":"1.0.0","endpoints":["GET /health","GET /debug","POST /auth/login","POST /auth/register","GET /users","GET /users/:id","GET /search?q=","GET /echo?message=","GET /fetch?url=","POST /orders","GET /orders/:id","DELETE /admin/users/:id","GET /admin/stats","GET /files?path=","POST /xml","POST /auth/reset-password","GET /protected","GET /products","GET /products/:id","PUT /products/:id"],"auth_prefixes":{"bearer":"/bearer/* (Authorization: Bearer <token>)","basic":"/basic/* (Authorization: Basic <base64>)","apikey":"/apikey/* (X-API-Key header)","oauth2":"/oauth2/api/* (OAuth2 Bearer token from POST /oauth2/token)"},"oob_note":"OOB middleware active on all paths: URL-like params (url, redirect, callback, etc.) are fetched server-side, XML entities are resolved, command-like params (cmd, exec, etc.) have URLs extracted and fetched"}