An attacker searches for and invokes Web Services APIs that the target
						system designers did not intend to be publicly available. If these APIs fail
						to authenticate requests the attacker may be able to invoke services and/or
						gain privileges they are not authorized for.