Configuration gaps that turn safe software into an attacker's foothold.
Software is rarely insecure on its own. It becomes insecure when it's configured wrong. Misconfigurations sit between vulnerabilities (a flaw in the code) and exposure (the wrong service on the internet) — fully patched, fully expected to be online, but configured in a way that grants more access than intended.
What we detect
- Permissive CORS — wildcard Access-Control-Allow-Origin combined with credentials, allowing any site to read authenticated responses.
- Open redirects — endpoints that send users wherever the URL parameter says, the foundation of many phishing kill chains.
- Default credentials — admin/admin still set on the dev tool you stood up six months ago.
- Accessible admin endpoints — /admin, /actuator/env, /server-status, /metrics, /debug — that should be on a private network or behind auth.
- Misconfigured DNS records — wildcard delegations, dangling CNAMEs pointing at unclaimed services (the takeover kill chain).
- Exposed environment introspection — /env, /heapdump, /threaddump, Spring Boot Actuator endpoints leaking environment variables.
- Verb tampering and authentication-bypass header tricks that some web frameworks honour by default.
Why it matters
Misconfigurations are how breaches actually happen. The Capital One breach was a misconfigured WAF combined with an SSRF. The Equifax breach was an unpatched server, sure — but also a misconfigured certificate-inspection appliance that hid the exfiltration. The Codecov supply-chain attack started with a leaked credential and a misconfigured uploader script. The pattern is consistent: the patch was applied, the service was supposed to be online, but the configuration left a path through.
How Nano EASM detects it
The HTTP engine examines response headers and behaviour for misconfigured CORS, weak Set-Cookie attributes, dangerous redirect handling, and HTTP-method anomalies. The DNS engine analyses zone records for dangling CNAMEs and wildcard mistakes. The Nuclei engine carries hundreds of configuration-specific templates — default-credential checks for popular admin panels, well-known framework actuator endpoints, common debug/info endpoints. The subdomain-takeover analyser cross-references CNAMEs against a list of services where unclaimed targets are takeover-vulnerable.
Common scenarios
Spring Boot Actuator exposed in production
/actuator/env on a microservice subdomain returns the environment, including database credentials in plaintext. Nuclei matches the actuator template; the finding lands as critical with the JSON evidence excerpted.
Dangling CNAME on a marketing subdomain
marketing.acme.com points at an old Heroku app that's been deleted. Anyone can register the Heroku name and serve content from that hostname. The DNS engine notices the CNAME target is unclaimed; the takeover analyser confirms by attempting fingerprint resolution.
CORS wildcard on the API
api.acme.com sets Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true. The header analyser reports it; the finding includes the request/response pair and a remediation note about which combinations are actually safe.
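The header classification in this scenario, as an added example that is not Nano EASM's own code: the function takes the response headers returned to a probe request whose Origin (here the constructed value https://probe.example, assumed not to be on any allow-list) and reports which CORS combinations are safe, which are risky, and why.

```python
"""Classify CORS response headers the way an HTTP header analyser would.

Added example, not Nano EASM code. `request_origin` is the Origin the
probe request carried; it must be a value no legitimate allow-list would
contain, so that a matching ACAO proves the server reflects the Origin.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class CorsFinding:
    severity: str  # "none", "low" or "high"
    reason: str


def analyse_cors(headers: Dict[str, str], request_origin: str) -> CorsFinding:
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return CorsFinding("none", "no ACAO header; browsers block cross-origin reads")
    if acao == "*":
        if creds:
            # Browsers refuse to honour '*' together with credentials, but the pair
            # shows the server intends to share authenticated responses with any
            # origin, and a later change to Origin reflection would make that real.
            return CorsFinding("high", "wildcard ACAO combined with credentials")
        return CorsFinding("low", "wildcard ACAO: acceptable only for public, unauthenticated data")
    if acao == "null":
        # Sandboxed iframes and file:// documents send Origin: null, so 'null'
        # is effectively a wildcard that attackers can satisfy.
        return CorsFinding("high", "ACAO 'null' accepted" + (" with credentials" if creds else ""))
    if acao == request_origin:
        if creds:
            return CorsFinding("high", "arbitrary Origin reflected with credentials: any site "
                                       "can read authenticated responses")
        return CorsFinding("low", "arbitrary Origin reflected without credentials")
    # A fixed, specific origin that is not our probe: the safe configuration.
    return CorsFinding("none", f"ACAO pinned to {acao}")


# Constructed sample: the api.acme.com scenario from the text.
SAMPLE_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    print(analyse_cors(SAMPLE_HEADERS, "https://probe.example"))
```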
Try it free against your domain
Quick Scan runs the engines that surface misconfiguration findings, plus the rest of the platform's coverage. No signup, no credit card, real results in under a minute.