M01 Missing Authentication
What this means
SiteShadow flagged a route/handler that appears to perform a sensitive action or return sensitive data without requiring a logged-in user (or a trusted service identity).
Why it matters
- Public data exposure: user records, internal documents, invoices, logs.
- Abusable actions: password resets, admin operations, destructive endpoints.
- Easy to exploit: attackers don't need an account—just a URL.
Safer examples
1) Add an auth guard/middleware
// requireAuth runs before the handler: it ends the request with 401 when there
// is no session, so the handler only ever executes with req.user populated.
app.get("/account", requireAuth, async (req, res) => {
  res.json(await getAccount(req.user.id));
});
2) Separate public vs. private routes
- Keep public endpoints in a clearly labeled router/module.
- Make "private" the default in your app wiring (opt-in public, not opt-in private).
3) Return 401/403 consistently
Respond 401 when the caller is not authenticated and 403 when the caller is authenticated but not allowed, and end the request there. Avoid "soft auth" patterns that return partial or empty data when the user is missing: they hide the defect from tests and still let anonymous callers reach the handler.
How SiteShadow detects it (high level)
- Identifies sensitive routes (by path patterns, returned data types, and called operations).
- Checks whether a recognized auth check is present (middleware/decorators/guards).
- Flags handlers that reference req.user / currentUser without enforcing it: the reference shows the handler expects a user, but nothing in the chain guarantees one is present.
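The three safer patterns above (guard middleware, private-by-default wiring, consistent 401/403) and the detection heuristic in this section, as one runnable added example. This is not SiteShadow's code or output: it uses the Express-style (req, res, next) middleware signature so it runs under plain Node without installing Express, the session and account tables are constructed in-memory data, and SESSIONS, ACCOUNTS, verifySession, getAccount, wireRoutes, dispatch and findUnguarded are names chosen for this illustration. The findUnguarded function is a substring-level sketch of the idea, not SiteShadow's analysis.

```javascript
// Constructed in-memory session and account tables standing in for a real
// session store and database; verifySession and getAccount are hypothetical.
const SESSIONS = new Map([
  ["sess-alice", { id: "u1", role: "user" }],
  ["sess-admin", { id: "u2", role: "admin" }],
]);
const ACCOUNTS = new Map([
  ["u1", { id: "u1", email: "alice@example.com" }],
  ["u2", { id: "u2", email: "admin@example.com" }],
]);

function verifySession(token) {
  return SESSIONS.get(token) || null;
}

function getAccount(userId) {
  return ACCOUNTS.get(userId) || null;
}

// 1) The guard. It either responds 401 and stops, or attaches req.user and
// calls next(). The handler never runs with req.user undefined.
function requireAuth(req, res, next) {
  const header = req.headers["authorization"] || "";
  const token = header.replace(/^Bearer\s+/i, "");
  const user = token ? verifySession(token) : null;
  if (!user) {
    res.status(401).json({ error: "authentication required" });
    return;
  }
  req.user = user;
  next();
}

// Authorization is a separate step: 403 for a caller who is logged in but
// lacks the role. Re-checking req.user keeps this guard safe even if someone
// wires it without requireAuth in front of it.
function requireRole(role) {
  return (req, res, next) => {
    if (!req.user) {
      res.status(401).json({ error: "authentication required" });
      return;
    }
    if (req.user.role !== role) {
      res.status(403).json({ error: "forbidden" });
      return;
    }
    next();
  };
}

// 2) Private by default: a route is public only if it says so explicitly.
const ROUTES = [
  { method: "GET", path: "/health", public: true,
    handlers: [(req, res) => res.json({ ok: true })] },
  { method: "GET", path: "/account",
    handlers: [(req, res) => res.json(getAccount(req.user.id))] },
  { method: "DELETE", path: "/admin/users",
    handlers: [requireRole("admin"), (req, res) => res.json({ deleted: true })] },
];

// Wiring prepends requireAuth to every route that did not opt in to public.
function wireRoutes(routes) {
  return routes.map((r) => ({
    ...r,
    handlers: r.public ? r.handlers : [requireAuth, ...r.handlers],
  }));
}

// Minimal synchronous dispatcher that runs a route's chain the way Express
// would (a handler that does not call next() ends the chain) and returns the
// response object so status and body can be inspected.
function dispatch(routes, method, path, headers = {}) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
  };
  const route = routes.find((r) => r.method === method && r.path === path);
  if (!route) return res.status(404).json({ error: "not found" });
  const req = { method, path, headers, user: undefined };
  for (const handler of route.handlers) {
    let proceed = false;
    handler(req, res, () => { proceed = true; });
    if (!proceed) break;
  }
  return res;
}

// 3) Toy version of the detection heuristic: flag a route whose handler source
// mentions req.user but whose chain has no recognized guard. A real analyzer
// does far more than a substring match; this only shows the shape of the check.
function findUnguarded(routes) {
  const guards = new Set([requireAuth]);
  return routes
    .filter((r) => !r.handlers.some((h) => guards.has(h)) &&
      r.handlers.some((h) => /\breq\.user\b/.test(h.toString())))
    .map((r) => `${r.method} ${r.path}`);
}

const app = wireRoutes(ROUTES);
const anonymousAccount = dispatch(app, "GET", "/account"); // 401
const userDeletesUsers = dispatch(app, "DELETE", "/admin/users",
  { authorization: "Bearer sess-alice" }); // 403
```

Run against the raw ROUTES table, findUnguarded reports both /account and /admin/users, because each handler reads req.user with nothing in front of it; after wireRoutes it reports nothing. That is the property SiteShadow's M01 check is looking for: every handler that expects a user sits behind a guard that guarantees one.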
References
- CWE-306: https://cwe.mitre.org/data/definitions/306.html
---