
CWE-668: Exposure of Resource to Wrong Sphere

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that resources intended for one security context were exposed to another: internal API endpoints reachable from outside, development or debug interfaces reachable in production, or sensitive resources lacking proper access controls. The evidence is a successful response from a context where the resource should have been restricted, for example an admin panel, internal API, or debug endpoint returning content to a request that should never have reached it.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-668 typically indicate that resources were accessible outside their intended trust sphere, such as:

  • Internal or administrative resources reachable from external contexts
  • APIs intended for trusted networks accessible publicly
  • Data meant for one role or tenant visible to others
  • Environment- or role-restricted functionality exposed broadly

Evidence is based on observed runtime accessibility, not on request parameters or payload syntax.

Mapping DAST Findings to Source Code

CWE-668 does not map to a single vulnerable parameter or endpoint. The issue resides in how the application defines and enforces trust spheres for resources.

When tracing this issue in code and architecture, review:

  • How resources are classified by trust level (public, internal, admin)
  • Access boundaries between roles, tenants, or network zones
  • API exposure decisions made at design time
  • Deployment or routing rules that expose internal resources

Remediation

Core Principle: Never expose resources outside their intended trust sphere. Resource visibility and accessibility must be explicitly defined and enforced by design (a declared classification per resource, checked against a verified caller identity), not inferred from request context such as source address, headers, or the environment a route happens to be mounted in.

→ For comprehensive remediation guidance, see Static CWE-668 Guidance

Verification and Follow-Up Testing

After applying the fix:

1. Verify Resource Scope Enforcement

  • Confirm resources are only accessible within their intended trust sphere
  • Ensure internal or privileged resources are not reachable externally

2. Test Edge Cases

  • Role changes and privilege boundaries
  • Tenant isolation boundaries
  • Alternate routing or deployment paths
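The following is an added example, not code from the original page or from any scanner vendor, showing both halves of the guidance above in one place: the code-level review points (explicit classification of each resource by trust sphere, role and tenant boundaries, environment-dependent mounting of debug routes) and the follow-up checks (an exposure sweep from an external, unauthenticated context plus edge cases for role, tenant and environment). The route table, the `Principal` model, the `service_cert_ok` flag and the `weak_is_internal` function are all hypothetical constructions for illustration; `weak_is_internal` is the pattern the core principle warns against, deciding "internal" from a caller-controlled header instead of a declared sphere and a verified identity.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Sphere(Enum):
    PUBLIC = "public"      # any authenticated user
    INTERNAL = "internal"  # service-to-service / trusted network only
    ADMIN = "admin"        # administrators only
    DEBUG = "debug"        # never mounted in production


@dataclass(frozen=True)
class Route:
    path: str
    sphere: Sphere
    tenant_scoped: bool = False  # the resource belongs to exactly one tenant


@dataclass(frozen=True)
class Principal:
    role: str                      # "anonymous", "user", "admin" or "service"
    tenant: Optional[str] = None
    service_cert_ok: bool = False  # set only after verifying a client certificate


# Hypothetical route table (constructed for this example): every resource
# declares its trust sphere up front instead of relying on where it is deployed.
ROUTES = [
    Route("/api/orders", Sphere.PUBLIC, tenant_scoped=True),
    Route("/internal/metrics", Sphere.INTERNAL),
    Route("/admin/users", Sphere.ADMIN),
    Route("/debug/env", Sphere.DEBUG),
]


def weak_is_internal(headers: dict, remote_addr: str) -> bool:
    """Weak pattern: infers trust from request context. X-Forwarded-For is
    caller-controlled unless a trusted proxy overwrites it, so an external
    client can claim an internal address and reach INTERNAL routes."""
    claimed = headers.get("X-Forwarded-For", remote_addr)
    return claimed.startswith("10.")


def mounted_routes(env: str) -> list:
    """DEBUG routes exist only outside production; no runtime flag re-enables them."""
    return [r for r in ROUTES if env != "production" or r.sphere is not Sphere.DEBUG]


def authorize(route: Route, who: Principal, resource_tenant: Optional[str] = None) -> bool:
    """Decide from the declared sphere and the verified identity, never from headers."""
    if route.sphere in (Sphere.ADMIN, Sphere.DEBUG):
        allowed = who.role == "admin"
    elif route.sphere is Sphere.INTERNAL:
        allowed = who.service_cert_ok or who.role == "admin"
    else:
        allowed = who.role != "anonymous"
    # Tenant boundary: a non-admin user only sees resources owned by their own tenant.
    if allowed and route.tenant_scoped and who.role != "admin":
        allowed = resource_tenant is not None and who.tenant == resource_tenant
    return allowed


def request(path: str, who: Principal, env: str = "production",
            resource_tenant: Optional[str] = None) -> int:
    """Minimal dispatcher returning an HTTP-style status code."""
    route = next((r for r in mounted_routes(env) if r.path == path), None)
    if route is None:
        return 404
    return 200 if authorize(route, who, resource_tenant) else 403


def exposure_sweep(env: str = "production") -> list:
    """Follow-up check: every non-PUBLIC route an anonymous external caller can
    reach in the given environment. An empty list is the expected post-fix result."""
    anonymous = Principal("anonymous")
    return [f"{r.path} ({r.sphere.value})" for r in ROUTES
            if r.sphere is not Sphere.PUBLIC and request(r.path, anonymous, env) == 200]


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "10.0.0.5"}
    print("weak check fooled by spoofed header:", weak_is_internal(spoofed, "203.0.113.9"))
    print("production sweep:", exposure_sweep("production"))
    print("development sweep:", exposure_sweep("development"))
```

The sweep is the programmatic counterpart of re-running the scanner: it iterates the declared route table rather than guessing paths, so a route that is mounted but misclassified shows up immediately. The edge cases from the list above map onto `request` directly: an admin reaching `/debug/env` in development but getting 404 in production, a user of tenant `t1` getting 403 on a `t2` order, and a service identity passing the INTERNAL check only when `service_cert_ok` was set by real certificate verification.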

Re-run DAST Scanner

Re-run the dynamic scanner to confirm unintended resource exposure is no longer observed.

Additional Resources