From 1df539defb69df5b229f7b606a9125aac120d91d Mon Sep 17 00:00:00 2001
From: mkrs2404
Date: Thu, 12 Mar 2026 16:48:30 +0530
Subject: [PATCH] explain how misconfigurations work

---
 .../list-enumeration-misconfigurations.mdx | 24 +++++++++++++++----
 cloud/integrations.mdx | 4 ++++
 openapi.yaml | 6 ++---
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/api-reference/enumerations/list-enumeration-misconfigurations.mdx b/api-reference/enumerations/list-enumeration-misconfigurations.mdx
index 6e8997a..c714837 100644
--- a/api-reference/enumerations/list-enumeration-misconfigurations.mdx
+++ b/api-reference/enumerations/list-enumeration-misconfigurations.mdx
@@ -6,8 +6,24 @@ openapi: get /v1/asset/enumerate/misconfiguration
 | Type | Description |
 |---|---|
-| `dangling_dns` | DNS records pointing to resources that no longer exist, potentially vulnerable to subdomain takeover |
-| `origin_exposure` | Backend origin IPs exposed behind CDN or proxy services |
+| `dangling_dns` | AWS Elastic IPs that no longer exist, leaving DNS records vulnerable to subdomain takeover |
+| `origin_exposure` | Cloudflare-proxied origin IPs independently discoverable through other hostnames |
+
+### AWS Dangling DNS
+
+A dangling DNS finding is reported when a DNS record points to an AWS Elastic IP that no longer exists, making it potentially vulnerable to subdomain takeover. Requires an AWS cloud integration.
+
+### Cloudflare Origin IP Exposure
+
+When a domain is proxied through Cloudflare, its origin server IP is hidden behind Cloudflare's network. An origin exposure finding indicates that this origin IP is independently discoverable through another hostname that resolves to it directly, without going through Cloudflare.
+
+This finding requires two things:
+
+1. **A Cloudflare cloud integration** — This allows us to read your DNS records and identify which hostnames are proxied and what origin IPs they point to.
+
+2. **Asset inventory** — Hostnames and their resolved IPs from your attack surface discovery. The check runs against your entire inventory, excluding assets sourced from cloud integrations.
+
+When a hostname from your inventory resolves to the same IP as the origin behind one of your proxied Cloudflare records, it is flagged as an origin exposure finding.
 ### Event Details by Finding Type
@@ -24,8 +40,8 @@ The `event` object contains type-specific details: | Field | Description | |---|---| | `origin_ip` | The exposed origin server IP | -| `provider` | CDN provider (e.g., CloudFlare) | -| `leaking_hosts` | Hostnames leaking the origin IP | +| `provider` | CDN provider (e.g., Cloudflare) | +| `leaking_hosts` | The hostnames from your inventory that resolve directly to the origin IP | ## Example Requests diff --git a/cloud/integrations.mdx b/cloud/integrations.mdx index 483926f..c8576b3 100644 --- a/cloud/integrations.mdx +++ b/cloud/integrations.mdx @@ -1785,6 +1785,10 @@ Supported Cloudflare Services: - DNS and CDN assets + + Connecting a Cloudflare integration also enables **origin IP exposure** detection under [Misconfigurations](/api-reference/enumerations/list-enumeration-misconfigurations). When a hostname from your asset inventory resolves to the same IP as the origin behind one of your proxied Cloudflare records, it is flagged as an origin exposure finding. + + **Cloudflare Integration Methods:** You can integrate Cloudflare into ProjectDiscovery via one of two methods: diff --git a/openapi.yaml b/openapi.yaml index 97ce071..145fc7e 100644 --- a/openapi.yaml +++ b/openapi.yaml @@ -13959,7 +13959,7 @@ paths: get: summary: List Misconfiguration Findings description: >- - Retrieve infrastructure misconfiguration findings discovered during asset enumeration, such as dangling DNS records and origin IP exposures. + Retrieve infrastructure misconfiguration findings discovered during asset enumeration. Currently detects AWS dangling DNS (Elastic IPs that no longer exist) and Cloudflare origin IP exposure. tags: [] responses: '200': 
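Review bot: The rewritten operation description in the openapi.yaml hunk (`Retrieve infrastructure misconfiguration findings ... Currently detects AWS dangling DNS ... and Cloudflare origin IP exposure.`) leaves out that each check only runs when the matching cloud integration is connected, which the mdx hunks in this same patch state explicitly; a consumer reading only the spec would read an empty response as "no exposure". Suggest extending the folded scalar with: `Each check requires the corresponding cloud integration (AWS for dangling_dns, Cloudflare for origin_exposure); without it no findings of that type are produced, so an empty result is not evidence that no exposure exists.` It is also worth saying that origin_exposure is scoped to hostnames already in the asset inventory, since the mdx text describes the check as running "against your entire inventory", so an origin reachable via routes outside that inventory would not be reported.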
@@ -18561,7 +18561,7 @@ components: enum: - dangling_dns - origin_exposure - description: Type of infrastructure misconfiguration + description: 'Type of misconfiguration: dangling_dns (AWS Elastic IP no longer exists) or origin_exposure (Cloudflare origin IP leaked)' host: type: string description: The affected hostname or domain @@ -18590,7 +18590,7 @@ components: event: type: object additionalProperties: true - description: 'Type-specific finding details. For dangling_dns: host, ip, provider. For origin_exposure: provider, origin_ip, leaking_hosts.' + description: 'Type-specific finding details. For dangling_dns: host, ip, provider (AWS). For origin_exposure: provider (Cloudflare), origin_ip, leaking_hosts.' created_at: type: string format: date
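Review bot: The rewritten `event` description in the second hunk names the per-type fields but still says nothing about their shapes, and the schema stays `additionalProperties: true`, so a client cannot tell whether `leaking_hosts` is one string or a list (the mdx in this patch reads "the hostnames ... that resolve directly to the origin IP", which suggests a list — confirm against the emitter before documenting it). At minimum state the shapes in the description: `... For origin_exposure: provider (Cloudflare), origin_ip (string), leaking_hosts (array of hostnames).` A `oneOf` keyed on `type` would be the proper fix, but only if the emitted objects are stable enough to pin. In the first hunk the `type` description now hard-codes AWS and Cloudflare into the enum semantics; since the `event` also carries a `provider` field, consider keeping the enum description provider-neutral and leaving provider specifics to `provider`, so a second dangling-DNS source does not make the schema text wrong.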