ODINT

SRI JSONWS API

SRI (Ecuador Tax Authority) — Liferay JSONWS API Dump


Summary

URL: https://www.sri.gob.ec/api/jsonws
Method: Unauthenticated GET request to publicly exposed API catalog

Ecuador's Internal Revenue Service (SRI) — the tax authority handling tax records, income data, and PII for ~18 million citizens — exposes its entire Liferay JSONWS backend API catalog without authentication.

The catalog reveals hundreds of service methods across 40+ service classes, including:

  • User management (create, update, delete users)
  • Organization management
  • Document Library (file upload/download/move/delete)
  • Export/Import operations
  • Permission management
  • Role management
  • Group management
  • Layout/Page management
  • Staging operations
  • Password policy management
  • And much more

While individual method calls may require authentication tokens, the complete API catalog is a roadmap for any attacker — they know exactly what endpoints exist, what parameters they accept, and what operations are possible.


Full Service Class Catalog

1. AnnouncementsDelivery

  • update-delivery (4 params: long, String, boolean, boolean)
  • update-delivery (5 params: long, String, boolean, boolean, boolean)

2. AnnouncementsEntry

  • update-entry (17 params)
  • update-entry (8 params)
  • delete-entry (long)
  • add-entry (10 params)
  • add-entry (20 params)
  • get-entry (long)

3. AnnouncementsFlag

  • get-flag (long, int)
  • add-flag (long, int)
  • delete-flag (long)

4. AssetCategory (18 methods)

  • get-vocabulary-categories-display (multiple variants)
  • search-categories-display (multiple variants)
  • add-category (multiple variants)
  • delete-categories (multiple variants)
  • get-vocabulary-root-categories-count
  • get-child-categories (multiple variants)
  • update-category
  • move-category
  • delete-category
  • get-category-path
  • get-vocabulary-root-categories
  • get-child-categories-count
  • get-categories (multiple variants)
  • fetch-category
  • get-vocabulary-categories (multiple variants)
  • get-categories-count
  • get-vocabulary-categories-count (multiple variants)
  • get-category
  • search (multiple variants)

5. AssetCategoryProperty (5 methods)

  • get-category-properties
  • get-category-property-values
  • update-category-property (multiple variants)
  • add-category-property
  • delete-category-property

6. AssetEntry (8 methods)

  • get-entries-count
  • increment-view-counter (multiple variants)
  • get-company-entries (multiple variants)
  • get-company-entries-count
  • update-entry (multiple variants)
  • fetch-entry
  • get-entries
  • get-entry (multiple variants)

7. AssetTag (14 methods)

  • get-tags-count (multiple variants)
  • get-visible-assets-tags-count (multiple variants)
  • get-group-tags-count
  • delete-tags
  • update-tag
  • get-group-tags (multiple variants)
  • delete-tag
  • merge-tags (multiple variants)
  • get-group-tags-display
  • get-groups-tags
  • get-tag
  • search (multiple variants)
  • get-tags (multiple variants)
  • add-tag

8. AssetVocabulary (12 methods)

  • add-vocabulary (multiple variants)
  • get-vocabularies
  • update-vocabulary
  • get-group-vocabularies-count (multiple variants)
  • get-group-vocabularies-display (multiple variants)
  • delete-vocabulary
  • get-company-vocabularies
  • delete-vocabularies
  • search-vocabularies-display (multiple variants)
  • fetch-vocabulary
  • get-group-vocabularies (multiple variants)
  • get-vocabulary

9. DLApp — Document Library Application (50+ methods)

CRITICAL — Full document management API

  • add-file-entry (multiple variants)
  • delete-file-entry
  • delete-file-entry-by-title
  • get-file-entry (multiple variants)
  • get-file-entry-by-uuid-and-group-id
  • get-file-entries (multiple variants)
  • get-file-entries-count (multiple variants)
  • get-group-file-entries (multiple variants)
  • move-file-entry
  • update-file-entry (multiple variants)
  • check-out-file-entry (multiple variants)
  • check-in-file-entry (multiple variants)
  • cancel-check-out
  • revert-file-entry
  • add-folder
  • delete-folder (multiple variants)
  • get-folder (multiple variants)
  • get-folders (multiple variants)
  • move-folder
  • copy-folder
  • update-folder
  • get-folders-count (multiple variants)
  • get-mount-folders (multiple variants)
  • lock-folder (multiple variants)
  • unlock-folder (multiple variants)
  • add-file-shortcut
  • delete-file-shortcut
  • get-file-shortcut
  • update-file-shortcut
  • add-temp-file-entry
  • delete-temp-file-entry
  • get-temp-file-names
  • search (multiple variants)
  • verify-file-entry-lock
  • verify-file-entry-check-out
  • verify-inheritable-lock
  • refresh-file-entry-lock
  • refresh-folder-lock
  • subscribe-file-entry-type
  • unsubscribe-file-entry-type
  • subscribe-folder
  • unsubscribe-folder

10. DLFileEntry (25+ methods)

  • Similar to DLApp but lower-level file operations
  • Includes: fetch-file-entry-by-image-id, copy-file-entry, get-file-entry-lock, has-file-entry-lock, is-file-entry-checked-out, update-status

11. DLFileEntryType (9 methods)

  • CRUD operations for file entry types

12. DLFileShortcut (5 methods)

  • File shortcut management

13. DLFileVersion (4 methods)

  • File versioning

14. DLFolder (20+ methods)

  • Full folder management API

15. DLTrash (9 methods)

  • Trash/recycle bin operations for files and folders

16. ExpandoColumn (5 methods)

  • Custom field column management

17. ExpandoValue (4 methods)

  • Custom field value operations including get-json-data

18. ExportImport (10 methods)

HIGH RISK — Data export/import operations

  • export-layouts-as-file (multiple variants)
  • export-layouts-as-file-in-background
  • export-portlet-info-as-file
  • export-portlet-info-as-file-in-background
  • import-layouts (multiple variants)
  • import-layouts-in-background
  • import-portlet-info
  • import-portlet-info-in-background
  • validate-import-layouts-file
  • validate-import-portlet-info

19. ExportImportConfiguration (3 methods)

  • delete, move-to-trash, restore-from-trash

20. Staging (7 methods)

  • publish-staging-request, validate, clean-up, update, create, has-remote-layout, propagate-lifecycle-event

21. Address (5 methods)

  • Physical address CRUD

22. ClassName (2 methods)

  • Class name lookups

23. Company (12 methods)

HIGH RISK — Company/organization management

  • get-companies, get-company-by-id, get-company-by-virtual-host, get-company-by-web-id, get-company-by-mx, get-company-by-logo-id
  • update-company (multiple variants), update-preferences, update-display, update-logo, delete-logo, remove-preferences

24. Contact (5 methods)

  • get-company-contacts, get-company-contacts-count, get-contacts, get-contacts-count, get-contact

25. Country (9 methods)

  • Country code lookups (likely returns without auth)

26. EmailAddress (6 methods)

HIGH RISK — Email address management

  • add, delete, fetch, get, update

27. Group (20+ methods)

HIGH RISK — Group/site management

  • add-group, delete-group, update-group, get-groups, search
  • get-user-sites-groups, get-user-organizations-groups, get-organizations-groups
  • enable-staging, disable-staging, check-remote-staging-group

28. Image (1 method)

  • get-image

29. Layout (25+ methods)

  • Full page/layout management API

30. LayoutBranch (3 methods)

31. LayoutPrototype (6 methods)

32. LayoutRevision (1 method)

33. LayoutSet (7 methods)

34. LayoutSetBranch (5 methods)

35. LayoutSetPrototype (6 methods)

36. ListType (3 methods)

37. MembershipRequest (4 methods)

38. Organization (14+ methods)

HIGH RISK — Organizational hierarchy

  • get-organizations (multiple variants), get-organizations-count, get-organization, fetch-organization
  • add-organization, delete-organization, update-organization
  • get-user-organizations, add-group-organizations, set-group-organizations

39. OrgLabor (5 methods)

40. PasswordPolicy (6 methods)

41. Permission (1 method) — check-permission

42. Phone (5 methods)

43. PluginSetting (1 method)

44. Portal (2 methods)

  • get-version — returns Liferay portal version
  • get-build-number — returns build number

45. PortletPreferences (1 method)

46. Region (4 methods)

47. Repository (6 methods)

  • Full repository management

48. ResourceBlock (10 methods)

  • Permission scope management (individual, group, company levels)

Risk Assessment

This is the tax authority for 18 million Ecuadorian citizens. The exposed API catalog reveals:

  1. Complete document management system (50+ methods) — if any auth bypass exists, every tax document is accessible
  2. User/organization management endpoints — enumerate all users, organizations, groups
  3. Export/Import functionality — bulk data export capabilities
  4. Email address management — CRUD on email addresses
  5. Company/contact management — organizational data
  6. Permission system — understand and potentially manipulate access controls

Even without working authentication, this catalog is an attacker's dream — it eliminates the reconnaissance phase entirely and provides a precise map of every available attack surface.
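As an added example (not part of the original writeup and not Liferay's own code), the Python below triages a JSONWS method list into risk tiers that line up with the six categories above, so an operator reviewing their own Liferay deployment can decide which paths must sit behind authentication or a reverse-proxy deny rule. It assumes the JSONWS path convention /<context>/<method-name> (e.g. /dlapp/delete-file-entry) and uses a constructed catalog excerpt built from the class and method names listed on this page.

```python
"""Triage Liferay JSONWS method paths into risk tiers for an exposure review."""
from collections import defaultdict

# Method verbs that change state; everything else is treated as a read.
WRITE_VERBS = {"add", "update", "delete", "move", "copy", "set", "remove", "merge",
               "publish", "lock", "unlock", "revert", "restore", "increment",
               "enable", "disable", "subscribe", "unsubscribe", "clean"}
# Check-out/check-in also mutate; plain "check-*" (check-permission) is a read.
WRITE_PREFIXES = ("check-out", "check-in", "cancel-check-out")
BULK_VERBS = {"export", "import"}
# JSONWS contexts whose read methods alone enumerate people, tenants or ACLs.
SENSITIVE_CONTEXTS = {"user", "contact", "emailaddress", "phone", "address",
                      "organization", "group", "company", "role", "permission",
                      "passwordpolicy", "resourceblock"}
FINGERPRINT = {"/portal/get-version", "/portal/get-build-number"}

def classify(path):
    """Tier one JSONWS path such as '/dlapp/delete-file-entry'."""
    context, method = path.strip("/").split("/", 1)
    verb = method.split("-", 1)[0]
    if verb in BULK_VERBS:
        return "bulk-transfer"        # layouts/portlet data in or out in bulk
    if verb in WRITE_VERBS or method.startswith(WRITE_PREFIXES):
        return "state-change"         # create/update/delete on any service
    if path in FINGERPRINT:
        return "version-disclosure"   # lets a build be matched to known CVEs
    if context in SENSITIVE_CONTEXTS:
        return "pii-or-acl-read"      # enumeration of users, orgs, permissions
    return "read-only"

def triage(paths):
    """Group paths by tier; anything above 'read-only' needs an auth decision."""
    tiers = defaultdict(list)
    for path in paths:
        tiers[classify(path)].append(path)
    return dict(tiers)

# Constructed catalog excerpt (not a real dump), using names from this page.
CATALOG = [
    "/portal/get-version", "/country/get-countries", "/dlapp/get-file-entry",
    "/dlapp/delete-file-entry", "/exportimport/export-layouts-as-file",
    "/exportimport/import-layouts", "/passwordpolicy/get-password-policy",
    "/emailaddress/add-email-address", "/organization/get-organizations",
    "/announcementsentry/get-entry", "/staging/publish-staging-request",
]

if __name__ == "__main__":
    for tier, paths in sorted(triage(CATALOG).items()):
        print(f"{tier:18} {len(paths)}  {', '.join(paths)}")
```

Feed it the method paths parsed from your own deployment's catalog; every tier other than `read-only` is a candidate for an authentication requirement or a proxy-level block, and the catalog listing itself can be disabled in the portal's JSONWS settings.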