API Security Members Only

HATEOAS & Hypermedia Attacks

A "proper" REST API returns, with each response, the links telling the client what it can do next. That is HATEOAS (Hypermedia as the Engine of Application State), and it quietly turns every response into a menu of actions. The server decides which links to ship, and the client follows whichever links it is handed. Two things break at that seam: servers build links from resource state rather than from the caller's permissions, and so leak privileged state-transition links to users who should never see them, let alone act on them; and clients blindly follow server-supplied URLs, so a link that points off-origin (another host, an internal service, a non-HTTP scheme) turns the client into an SSRF proxy. This article covers how hypermedia controls work, where they break, and how to test them.
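Both failure modes side by side, as an added example that is not code from the original article. The API origin, the `User`/`Order` model, the role names and the `can()` policy are assumptions made for the illustration. The leaky link builder decides from resource state alone; the hardened one runs every candidate transition through the same authorization predicate the endpoint enforces, and the endpoint re-checks regardless of whether the link was shown. On the client side, `resolve_link()` resolves each href against the API origin and refuses anything that escapes it.

```python
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

# Hypothetical API origin for the example; every link is resolved against it.
API_ORIGIN = "https://api.example.com"


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class Order:
    id: int
    owner: str
    status: str  # "pending" | "approved" | "cancelled"


def leaky_links(order: Order) -> dict:
    """Naive HAL-style builder: links depend only on resource state, so any
    caller who can read a pending order is shown the privileged 'approve'
    transition whether or not they may perform it."""
    links = {"self": {"href": f"/orders/{order.id}"}}
    if order.status == "pending":
        links["approve"] = {"href": f"/orders/{order.id}/approve", "method": "POST"}
        links["cancel"] = {"href": f"/orders/{order.id}/cancel", "method": "POST"}
    return links


def can(user: User, action: str, order: Order) -> bool:
    """Single authorization predicate shared by the link builder and the
    endpoint. Hypothetical policy: approvers approve, owners/admins cancel."""
    if action == "approve":
        return "approver" in user.roles
    if action == "cancel":
        return order.owner == user.name or "admin" in user.roles
    return True


def hardened_links(user: User, order: Order) -> dict:
    """Builder that filters state transitions through the same predicate the
    endpoints enforce, so the response never advertises a transition the
    caller is not allowed to take."""
    links = {"self": {"href": f"/orders/{order.id}"}}
    if order.status == "pending":
        for action in ("approve", "cancel"):
            if can(user, action, order):
                links[action] = {"href": f"/orders/{order.id}/{action}", "method": "POST"}
    return links


def approve_order(user: User, order: Order) -> bool:
    """Endpoint handler. Hiding the link is a UX nicety, not the control:
    authorization is re-checked here regardless of what the client was shown."""
    if order.status != "pending" or not can(user, "approve", order):
        return False
    order.status = "approved"
    return True


def resolve_link(href: str, base: str = API_ORIGIN) -> str:
    """Client-side guard against hypermedia SSRF. Resolves the href relative to
    the API origin and refuses any result whose scheme or authority differs:
    absolute URLs to other hosts, protocol-relative '//host' links, non-HTTP
    schemes such as file:, and userinfo tricks like 'https://api.example.com@evil'."""
    target = urljoin(base + "/", href)
    t, b = urlsplit(target), urlsplit(base)
    if t.scheme != b.scheme or t.netloc.lower() != b.netloc.lower():
        raise ValueError(f"refusing to follow off-origin link: {href!r}")
    return target


def is_followable(href: str, base: str = API_ORIGIN) -> bool:
    """Boolean wrapper a client can use before dispatching a request."""
    try:
        resolve_link(href, base)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    alice = User("alice", frozenset({"customer"}))      # constructed sample users
    bob = User("bob", frozenset({"approver"}))
    order = Order(42, "alice", "pending")               # constructed sample order
    print("leaky   :", sorted(leaky_links(order)))
    print("alice   :", sorted(hardened_links(alice, order)))
    print("bob     :", sorted(hardened_links(bob, order)))
    print("alice approves?", approve_order(alice, order))
    print("bob approves?  ", approve_order(bob, order), order.status)
    for h in ("/orders/42", "//evil.example/x", "http://169.254.169.254/latest/meta-data/"):
        print(f"{h!r:45} followable={is_followable(h)}")
```

When testing a real API, diff the `_links` (or equivalent) returned to a low-privilege account against those returned to a privileged one; any transition present in both is a candidate for direct invocation, and a server that hides the link but still accepts the request has only fixed the menu, not the control. On the client side, feed the API a response whose links point at another host, a protocol-relative path, or a `file:` URL and watch where the outbound request goes.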
