Severity: medium | CWE-16 | OWASP API8:2023

Security Misconfiguration (API)

APIs expose excessive information through open CORS policies, verbose error messages, missing security headers, or default configurations that were never hardened.

How It Works

API security misconfiguration covers a wide range of issues: permissive CORS headers allowing any origin, verbose error responses that leak stack traces and internal paths, missing TLS, default admin credentials, unnecessary HTTP methods enabled, and lack of security headers. These misconfigurations are often the result of using framework defaults in production. Attackers use automated scanners to probe for these issues at scale, gathering intelligence for more targeted attacks.

Vulnerable Code

const express = require('express');
const cors = require('cors');

const app = express();
// cors() with no options answers every request with Access-Control-Allow-Origin: *
app.use(cors());
app.use((err, req, res, next) => {
  // Hands internals straight to the client: exception text, stack trace
  // (with file paths and line numbers) and the raw query string
  res.status(500).json({
    error: err.message,
    stack: err.stack,
    query: req.query
  });
});
Secure Code

const express = require('express');
const cors = require('cors');
const helmet = require('helmet');
const logger = require('pino')(); // any structured logger will do

const app = express();
// Fail closed: if ALLOWED_ORIGIN is unset, cors() silently falls back to '*'
if (!process.env.ALLOWED_ORIGIN) throw new Error('ALLOWED_ORIGIN must be set');
app.use(cors({ origin: process.env.ALLOWED_ORIGIN }));
app.use(helmet()); // baseline security headers, removes X-Powered-By
app.use((err, req, res, next) => {
  // Details stay server-side; req.id assumes a request-ID middleware is installed
  logger.error({ err, requestId: req.id });
  res.status(500).json({ error: 'Internal server error' });
});

Real-World Example

In 2022, Optus (Australia's second-largest telecom) exposed 9.8 million customer records through an API that had no authentication and was publicly accessible. The API endpoint was discoverable because error messages revealed internal paths and API structure.

How to Prevent It

  • Restrict CORS to specific trusted origins only
  • Return generic error messages — log details server-side
  • Use security headers middleware like Helmet.js
  • Disable unnecessary HTTP methods (TRACE, OPTIONS where not needed)
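The "How It Works" list and the prevention steps above describe what a misconfigured API response looks like and what a hardened one should look like. The following audit function turns those points into a check that can be run over responses captured from a test client or proxy. It is an added example, not code from the original page or from any product the page mentions; `auditResponse`, its finding strings, the header lists and the two sample captures are constructed here for illustration. Node.js standard library only.

```javascript
// Audit captured HTTP responses for the API misconfigurations discussed above:
// plaintext transport, permissive CORS, missing or disclosing headers, risky
// HTTP methods, and verbose 5xx error bodies. Example code, not from the page.

const REQUIRED_HEADERS = [
  'strict-transport-security',
  'x-content-type-options',
  'x-frame-options',
  'content-security-policy',
];
const DISCLOSURE_HEADERS = ['x-powered-by', 'server'];
const UNNEEDED_METHODS = ['TRACE', 'TRACK'];

// HTTP header names are case-insensitive; normalise to lowercase for lookups.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Heuristics for a verbose error body: a Node-style stack frame or an absolute source path.
function leaksInternals(body) {
  if (typeof body !== 'string') return false;
  const stackFrame = /\bat \S+ \([^)]+:\d+:\d+\)/;
  const sourcePath = /\/(usr|home|var|app|srv)\/[\w./-]+\.(js|ts|py|php|go)/;
  return stackFrame.test(body) || sourcePath.test(body);
}

// capture = { url, requestOrigin, status, headers, body } as a test client recorded it;
// trustedOrigins is the operator's own CORS allowlist.
function auditResponse(capture, trustedOrigins) {
  const findings = [];
  const h = normalizeHeaders(capture.headers);

  if (/^http:\/\//i.test(capture.url)) findings.push('tls: API served over plaintext HTTP');

  const acao = h['access-control-allow-origin'];
  const creds = h['access-control-allow-credentials'] === 'true';
  if (acao === '*') {
    findings.push('cors: wildcard Access-Control-Allow-Origin');
  } else if (acao && acao === capture.requestOrigin && !trustedOrigins.includes(acao)) {
    // The server echoed back an Origin that is not on the allowlist
    findings.push(`cors: reflects untrusted Origin ${acao}${creds ? ' with credentials' : ''}`);
  }

  for (const name of REQUIRED_HEADERS) if (!(name in h)) findings.push(`headers: missing ${name}`);
  for (const name of DISCLOSURE_HEADERS) if (name in h) findings.push(`headers: ${name} discloses "${h[name]}"`);

  if (h.allow) {
    const allowed = h.allow.split(',').map((m) => m.trim().toUpperCase());
    for (const m of UNNEEDED_METHODS) if (allowed.includes(m)) findings.push(`methods: ${m} enabled`);
  }

  if (capture.status >= 500 && leaksInternals(capture.body)) {
    findings.push('errors: 5xx body leaks stack trace or internal paths');
  }
  return findings;
}

// Constructed samples: the first resembles what the Vulnerable Code above emits for an
// unhandled exception behind Express defaults, the second what Secure Code plus helmet() emits.
const MISCONFIGURED = {
  url: 'http://api.example.test/v1/users',
  requestOrigin: 'https://untrusted.example',
  status: 500,
  headers: { 'Access-Control-Allow-Origin': '*', 'X-Powered-By': 'Express',
             Allow: 'GET, POST, TRACE, OPTIONS', 'Content-Type': 'application/json' },
  body: JSON.stringify({
    error: "Cannot read properties of undefined (reading 'id')",
    stack: "TypeError: Cannot read properties of undefined (reading 'id')\n    at getUser (/app/src/routes/users.js:42:19)",
  }),
};
const HARDENED = {
  url: 'https://api.example.test/v1/users',
  requestOrigin: 'https://untrusted.example',
  status: 500,
  headers: { 'Access-Control-Allow-Origin': 'https://app.example.test',
             'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
             'X-Content-Type-Options': 'nosniff', 'X-Frame-Options': 'SAMEORIGIN',
             'Content-Security-Policy': "default-src 'self'",
             Allow: 'GET, POST, OPTIONS', 'Content-Type': 'application/json' },
  body: JSON.stringify({ error: 'Internal server error' }),
};
const TRUSTED = ['https://app.example.test'];

function auditSamples() {
  return { misconfigured: auditResponse(MISCONFIGURED, TRUSTED), hardened: auditResponse(HARDENED, TRUSTED) };
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

The misconfigured capture produces nine findings (plaintext HTTP, wildcard CORS, four missing headers, X-Powered-By disclosure, TRACE enabled, and a stack trace in the 5xx body); the hardened capture produces none. The reflected-origin branch exists because an API that echoes whatever Origin it receives is as permissive as `*` while looking restrictive in a single response, so the check needs to know which origins the operator actually trusts.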

Affected Technologies

Node.js, Python, Go, Java, PHP, C#
