Severity: medium | CWE-16 | OWASP A05:2021

Security Misconfiguration

Default configurations, open CORS policies, debug mode in production, or verbose error messages expose your application to attackers.

How It Works

Security misconfiguration is one of the most common weaknesses found in deployed applications. It covers leaving debug mode enabled in production, using permissive CORS (Access-Control-Allow-Origin: *), returning stack traces in error responses, keeping default credentials, or leaving unnecessary features and endpoints enabled. None of these requires a code bug to exploit: attackers probe for them automatically with scanning tools, and the stack traces and debug pages they find reveal file paths, framework versions and internal hostnames that guide the next step of an attack.

Vulnerable Code

const express = require('express');
const cors = require('cors');

const app = express();
// Any origin may read responses; the cors package's default is also '*'
app.use(cors({ origin: '*' }));
// Four-argument middleware is Express's error handler; this one sends the raw stack trace to the client
app.use((err, req, res, next) => {
  res.status(500).json({ error: err.stack });
});

Secure Code

const express = require('express');
const cors = require('cors');

const app = express();
// Only the listed origin may read responses cross-origin
app.use(cors({ origin: 'https://myapp.com' }));
// Log full details server-side; return only a generic message
app.use((err, req, res, next) => {
  console.error(err);
  res.status(500).json({ error: 'Internal server error' });
});

Real-World Example

In 2017, attackers breached Equifax through an unpatched Apache Struts vulnerability (CVE-2017-5638) and went on to reach databases holding data on roughly 147 million people. The initial flaw was a missing patch, but misconfiguration made the breach far worse: an expired certificate on a traffic-inspection device meant encrypted traffic was not being inspected, and a poorly segmented internal network let the attackers move laterally to other systems, so the intrusion went unnoticed for months.

How to Prevent It

  • Restrict CORS to an explicit allowlist of trusted origins; never use * and never echo back an arbitrary Origin header
  • Never expose stack traces, debug pages or internal error messages in production; log them server-side instead
  • Keep a separate configuration per environment so debug settings and development defaults cannot reach production
  • Remove default credentials and disable features, endpoints and sample content you do not use
  • Regularly audit your security settings, including headers and CORS behaviour, with the same scanners attackers use
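The following is an added example, not code from the original page or from Data Hogo, tying the prevention steps above to the CORS and error-handling cases in the Vulnerable/Secure Code section. It goes slightly beyond the page's single-origin case: it shows an exact-match origin allowlist (the usual next step once credentials: true forbids *, where the tempting shortcut of reflecting the request Origin is just as permissive as *) and an environment-aware error formatter. The origins, the NODE_ENV convention and the function names are assumptions for illustration. The functions are pure so the block runs without Express installed; the Express wiring is shown in comments.

```javascript
// Added example (not from the original page): exact-match origin allowlist
// plus an environment-aware error formatter.

// Assumed trusted origins. A real deployment would load these from
// environment-specific configuration rather than hard-coding them.
const ALLOWED_ORIGINS = new Set([
  'https://myapp.com',
  'https://admin.myapp.com',
]);

// Returns the CORS response headers for a request Origin, or null when the
// origin is not trusted. Matching is exact: a prefix or substring check would
// admit https://myapp.com.attacker.example or https://evil-myapp.com, and
// echoing the request Origin unchanged is as permissive as '*' while also
// sidestepping the browser rule that credentialed responses cannot use '*'.
// Scheme matters too: http://myapp.com is a different origin.
// The literal string 'null' (sandboxed iframes, file:// pages) is not in
// the set, so it is rejected like any other unknown origin.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== 'string' || !allowed.has(requestOrigin)) {
    return null; // no CORS headers at all: the browser blocks the read
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin, // one specific origin, never '*'
    'Access-Control-Allow-Credentials': 'true',
    // Vary is required when the value depends on the request; otherwise a
    // shared cache could serve one origin's headers to another origin.
    'Vary': 'Origin',
  };
}

// Builds the JSON error body. Stack traces and internal messages are only
// returned when the environment is not 'production'; in production the client
// gets a generic message and the full error is for the server log only.
function errorBody(err, env = process.env.NODE_ENV) {
  if (env === 'production') {
    return { error: 'Internal server error' };
  }
  return { error: err.message, stack: err.stack };
}

// Express wiring (needs the express and cors packages; not executed here):
//   const cors = require('cors');
//   app.use(cors({
//     origin: (origin, cb) => cb(null, corsHeadersFor(origin) !== null),
//     credentials: true,
//   }));
//   app.use((err, req, res, next) => {
//     console.error(err);                // full detail stays server-side
//     res.status(500).json(errorBody(err));
//   });

module.exports = { ALLOWED_ORIGINS, corsHeadersFor, errorBody };
```

When the cors package's origin option is a function and the callback receives true, the package echoes the request Origin and adds Vary: Origin itself, so the allowlist decision is the only part you have to get right. Requests with no Origin header (same-origin or non-browser clients) get no CORS headers, which is the correct default.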

Affected Technologies

Node.js, React, Next.js, Python, Go, Java, PHP, C#

Data Hogo detects this vulnerability automatically.
