What is Security Misconfiguration?
Improper configuration of the server or web application, leading to flaws such as:
- Debugging enabled.
- Incorrect folder permissions.
- Using default accounts or passwords.
- Setup/Configuration pages enabled.
All of your data could be stolen or modified slowly over time.
Current application platforms and security architectures are not secure by default. On the contrary, developers and administrators must explicitly apply hardening measures to prevent access to private or confidential resources.
Security Misconfiguration examples
Example #1: The app server admin console is automatically installed and not removed
Default accounts are not changed.
Risk
- Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.
Example #2: Directory listing is not disabled on your server
Risk
- Attacker discovers they can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which they decompile and reverse engineer to get all your custom code. They then find a serious access control flaw in your application.
Example #3: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws
Risk
- Attackers love the extra information error messages provide.
Example #4: App server comes with sample applications that are not removed from your production server
Risk
- These sample applications have well-known security flaws attackers can use to compromise your server.
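An added example, not from the original page, that audits a Tomcat-style deployment for examples #1, #2 and #4 above (admin console with weak or default credentials, directory listing, sample applications left deployed). It uses Tomcat's real conventions (the DefaultServlet `listings` init-param in conf/web.xml, roles in conf/tomcat-users.xml, the webapps directory), but the file contents, the deployed-app list and the 12-character password threshold are constructed assumptions for the demonstration.

```python
"""Audit a constructed Tomcat-style deployment for common misconfigurations."""
import xml.etree.ElementTree as ET

# Constructed stand-ins for conf/web.xml and conf/tomcat-users.xml (not real files).
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""
USERS_XML = """<tomcat-users>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Q7v!long-random" roles="manager-script"/>
</tomcat-users>"""
DEPLOYED_APPS = ["ROOT", "shop", "examples", "docs", "manager"]  # constructed webapps/ listing

SAMPLE_APPS = {"examples", "docs"}        # shipped sample content, not needed in production
ADMIN_APPS = {"manager", "host-manager"}  # admin consoles (example #1)
ADMIN_ROLES = {"manager-gui", "admin-gui", "manager-script"}
MIN_ADMIN_PW_LEN = 12                     # assumed policy threshold for this example

def audit(web_xml, users_xml, apps):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    # Example #2: DefaultServlet with listings=true serves directory indexes.
    for servlet in ET.fromstring(web_xml).iter("servlet"):
        params = {p.findtext("param-name"): p.findtext("param-value")
                  for p in servlet.iter("init-param")}
        if servlet.findtext("servlet-name") == "default" and params.get("listings") == "true":
            findings.append("directory listing enabled (DefaultServlet listings=true)")
    # Example #1: admin-role accounts whose password is the username or too short.
    for user in ET.fromstring(users_xml).iter("user"):
        roles = set(user.get("roles", "").split(","))
        name, pw = user.get("username", ""), user.get("password", "")
        if roles & ADMIN_ROLES and (pw.lower() == name.lower() or len(pw) < MIN_ADMIN_PW_LEN):
            findings.append(f"admin-role user '{name}' has a weak or default password")
    # Examples #1 and #4: consoles and sample apps still deployed.
    for app in apps:
        if app in SAMPLE_APPS:
            findings.append(f"sample application '{app}' deployed")
        if app in ADMIN_APPS:
            findings.append(f"admin console '{app}' deployed")
    return findings

if __name__ == "__main__":
    for finding in audit(WEB_XML, USERS_XML, DEPLOYED_APPS):
        print("FINDING:", finding)
```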