In practice aren't such services behind a reverse proxy/WAF? The other day I found an endpoint in the wild outputting a DB table. I tried fuzzing it to gather more evidence of a SQL injection vuln but my attempts were flagged by AWS WAF.