M01 Missing Authentication

What this means

SiteShadow flagged a route/handler that appears to perform a sensitive action or return sensitive data without requiring a logged-in user (or a trusted service identity).

Why it matters

Public data exposure: user records, internal documents, invoices, logs.
Abusable actions: password resets, admin operations, destructive endpoints.
Easy to exploit: attackers don't need an account—just a URL.

Safer examples

1) Add an auth guard/middleware

app.get("/account", requireAuth, async (req, res) => {
  res.json(await getAccount(req.user.id));
});

2) Separate public vs. private routes

Keep public endpoints in a clearly labeled router/module.
Make "private" the default in your app wiring (opt-in public, not opt-in private).

3) Return 401/403 consistently

Avoid "soft auth" patterns that return partial data when user is missing.

How SiteShadow detects it (high level)

Identifies sensitive routes (by path patterns, returned data types, and called operations).
Checks whether a recognized auth check is present (middleware/decorators/guards).
Flags handlers that reference req.user / currentUser without enforcing it.

References

CWE-306: https://cwe.mitre.org/data/definitions/306.html

---

← Back to Vulnerability Library

Request access View coverage