CWE-1125 Excessive Attack Surface
What this means
SiteShadow flagged patterns that suggest your system exposes more entry points, capabilities, or privileges than necessary (extra endpoints, debug panels, broad permissions, unused features left enabled).
Why it matters
More exposed endpoints and permissions increase the likelihood of exploitable paths.
- More things to break: every endpoint, feature flag, and admin capability is another potential vulnerability.
- Forgotten features: old routes and debug tools are commonly unpatched and unmonitored.
- Broader compromise: over-privileged services turn small bugs into big incidents.
Safer examples
1) Disable or remove unused endpoints and features
Turn off debug routes, internal docs, admin consoles, and legacy APIs in production unless explicitly needed.
2) Put strong authz in front of privileged surfaces
Admin endpoints should be segregated, require step-up auth/MFA, and be network-restricted where possible.
3) Reduce privileges by default
Use least-privilege IAM/service accounts and narrow scopes; avoid "*" permissions (see CWE-276 / A01).
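The three practices above can be checked mechanically before a deploy. The following is an added example, not SiteShadow's detection logic: it audits an AWS-style IAM policy document for wildcard grants and a route inventory for debug/admin paths that are live in production without the protections listed in item 2. The route field names (`enabled_in_prod`, `requires_auth`, `requires_mfa`, `network_restricted`), the `PRIVILEGED_PREFIXES` list, and both sample inputs are assumptions constructed for illustration.

```python
# Added example; not SiteShadow's code. Route fields and prefixes are hypothetical.
PRIVILEGED_PREFIXES = ("/debug", "/admin", "/internal", "/swagger")  # assumed naming

def _as_list(value):
    # IAM allows a single value or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings for Allow statements with wildcard actions or resources."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access, so wildcards there are fine
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
    return findings

def audit_routes(routes):
    """Return findings for privileged routes reachable in production."""
    findings = []
    for r in routes:
        privileged = r["path"].startswith(PRIVILEGED_PREFIXES)
        # Treat a route as enabled unless the inventory says otherwise (fail closed).
        if not privileged or not r.get("enabled_in_prod", True):
            continue
        missing = [c for c in ("requires_auth", "requires_mfa", "network_restricted")
                   if not r.get(c, False)]
        if missing:
            findings.append(f"{r['path']}: missing {', '.join(missing)}")
    return findings

# Constructed sample inputs.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["iam:*", "logs:PutLogEvents"], "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}
ROUTES = [
    {"path": "/api/orders", "requires_auth": True},
    {"path": "/debug/pprof", "enabled_in_prod": True},
    {"path": "/admin/users", "enabled_in_prod": True, "requires_auth": True,
     "requires_mfa": True, "network_restricted": True},
    {"path": "/swagger", "enabled_in_prod": False},
    {"path": "/admin/export", "enabled_in_prod": True, "requires_auth": True}]

if __name__ == "__main__":
    for finding in audit_policy(POLICY) + audit_routes(ROUTES):
        print(finding)
```

Run in CI against the rendered policy and route inventory, a non-empty result can fail the build; a missing `network_restricted` flag can be downgraded to a warning where network restriction is not possible.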
How SiteShadow detects it (high level)
- Detects exposed admin/debug surfaces, overly broad permissions, and "high-privilege by default" patterns.
- Flags endpoints and configs that expand reachable functionality without corresponding protections.
References
- CWE-1125: https://cwe.mitre.org/data/definitions/1125.html
---