Security Misconfiguration

OWASP Top 10 - A6

What is Security Misconfiguration?

Improper configuration of the server, framework or web application itself (as opposed to a bug in the application code), leading to flaws such as:

  • Debugging enabled.
  • Incorrect folder permissions.
  • Using default accounts or passwords.
  • Setup/Configuration pages enabled.

Such flaws frequently give an attacker unauthorized access to system data or functionality. In the worst case all of your data could be stolen or modified, often slowly over time and without being noticed.

Most application platforms are not secure by default: administration consoles, sample applications, debugging and verbose error pages are commonly enabled out of the box. Developers and administrators therefore have to harden the configuration deliberately to keep private or confidential resources from being exposed.

Security Misconfiguration examples

Example #1: The app server admin console is automatically installed and not removed

Default accounts are not changed.

  • Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.

Example #2: Directory listing is not disabled on your server


  • Attacker discovers they can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which they decompile and reverse engineer to get all your custom code. They then find a serious access control flaw in your application.

Example #3: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws


  • Attackers love the extra information error messages provide. A stack trace reveals internal class and file names, file system paths and the frameworks and library versions in use, which is exactly what an attacker needs to pick a known exploit or target the next step of the attack.
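The following added example (not code from the original page or from Hdiv) shows Example #3 in miniature: the same request handler with a server-wide debug setting left on, which sends the full traceback to the client, beside the hardened variant, which keeps the trace in the server log and returns only a generic message with a correlation id. `lookup_account`, its sample data and the `handle_request` signature are hypothetical, chosen only to produce a realistic failure.

```python
import logging
import traceback
import uuid

# Added example, not Hdiv's or the page's own code: a minimal request handler
# showing the misconfigured behaviour (stack trace sent to the client) beside
# the hardened one (trace logged server-side, generic body returned).

logger = logging.getLogger("app.errors")


def lookup_account(account_id: str) -> dict:
    """Hypothetical business logic that fails on unexpected input."""
    accounts = {"1001": {"owner": "alice"}}  # constructed sample data
    return accounts[account_id]  # raises KeyError for unknown ids


def handle_request(account_id: str, debug: bool) -> tuple[int, dict, str]:
    """Return (status, headers, body).

    `debug` mirrors a server-wide setting such as Django's DEBUG=True or Flask's
    debug mode being left enabled on a production server.
    """
    try:
        account = lookup_account(account_id)
        return 200, {"Content-Type": "text/plain"}, f"owner={account['owner']}"
    except Exception:
        if debug:
            # Misconfiguration: the full traceback (file paths, function names,
            # module paths that reveal library versions) goes to the client.
            return 500, {"Content-Type": "text/plain"}, traceback.format_exc()
        # Hardened: keep the detail server-side; give the user only a
        # correlation id that support staff can match against the log.
        incident_id = uuid.uuid4().hex
        logger.error("incident %s: %s", incident_id, traceback.format_exc())
        body = f"An internal error occurred. Reference: {incident_id}"
        return 500, {"Content-Type": "text/plain"}, body


def leaks_internals(body: str) -> bool:
    """Crude check for markers a client should never see in a response."""
    markers = ("Traceback (most recent call last)", 'File "', "KeyError")
    return any(m in body for m in markers)


if __name__ == "__main__":
    for debug in (True, False):
        status, _, body = handle_request("9999", debug)
        print(f"debug={debug} status={status} leaks={leaks_internals(body)}")
```

The hardened branch still returns HTTP 500, so monitoring sees the failure; what changes is that the diagnostic detail reaches the log and the correlation id, never the browser.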

Example #4: App server comes with sample applications that are not removed from your production server


  • These sample applications have well-known security flaws attackers can use to compromise your server.

How to prevent Security Misconfiguration

Apply the principle of least privilege and least functionality: everything is off by default, and only what the application actually needs is enabled.

  • Disable administration interfaces.
  • Disable debugging.
  • Disable use of default accounts/passwords.
  • Configure the server to deny unauthorized access, disable directory listing, and return generic error pages instead of stack traces.
  • Run configuration scans and audits periodically to detect misconfigurations that creep back in over time, as well as missing patches.
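As an added example of the periodic check recommended above (this is not Hdiv's scanner, nor code from the original page), the script below inspects a set of HTTP responses for the indicators discussed on this page: a reachable default administration path, a directory index, a stack trace in the body, version banners in `Server`/`X-Powered-By`, and debug headers. The list of default paths is a hypothetical illustration, and the sample responses are constructed inline so the script runs offline; in practice they would come from an HTTP client probing each path on a staging or production host.

```python
import re
from dataclasses import dataclass

# Added example, not Hdiv's own tooling: an offline check for security
# misconfiguration indicators in HTTP responses.


@dataclass
class Response:
    path: str
    status: int
    headers: dict
    body: str


# Paths commonly exposed by default installs (hypothetical list for illustration).
DEFAULT_PATHS = {"/manager/html", "/admin/console", "/examples/", "/phpinfo.php"}

STACK_TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)|"       # Python
    r"^\s*at [\w$.]+\([\w$.]+\.java:\d+\)|"        # Java
    r"Stack trace:\s*#0 ",                         # PHP
    re.MULTILINE,
)
DIR_LISTING_RE = re.compile(r"<title>Index of /|Directory listing for /", re.IGNORECASE)
VERSION_BANNER_RE = re.compile(r"^[\w-]+/\d+(\.\d+)+")  # e.g. Apache/2.4.41


def check_response(r: Response) -> list[str]:
    """Return the finding labels that apply to one response."""
    findings = []
    if r.path in DEFAULT_PATHS and r.status == 200:
        findings.append("default-interface-reachable")
    if DIR_LISTING_RE.search(r.body):
        findings.append("directory-listing")
    if STACK_TRACE_RE.search(r.body):
        findings.append("stack-trace-disclosure")
    hdrs = {k.lower(): v for k, v in r.headers.items()}
    for name in ("server", "x-powered-by"):
        if name in hdrs and VERSION_BANNER_RE.match(hdrs[name]):
            findings.append(f"version-banner:{name}")
    if any(h.startswith("x-debug") for h in hdrs):
        findings.append("debug-header")
    return findings


def scan(responses: list[Response]) -> dict[str, list[str]]:
    """Map each path that has at least one finding to its findings."""
    return {r.path: f for r in responses if (f := check_response(r))}


# Constructed sample responses (not real captures).
SAMPLES = [
    Response("/", 200, {"Server": "nginx"}, "<html>welcome</html>"),
    Response("/static/", 200, {"Server": "Apache/2.4.41 (Ubuntu)"},
             "<html><title>Index of /static</title><a href='app.jar'>app.jar</a></html>"),
    Response("/manager/html", 200, {"Server": "Apache-Coyote/1.1"},
             "<h1>Tomcat Web Application Manager</h1>"),
    Response("/api/account/9999", 500, {"Content-Type": "text/html"},
             "java.lang.NullPointerException\n"
             "\tat com.example.AccountService.load(AccountService.java:42)\n"),
    Response("/health", 200, {"X-Debug-Token": "abc123"}, "ok"),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLES).items():
        print(path, findings)
```

Run this from a scheduled job against every deployed host and alert on any new finding; a clean baseline that suddenly reports `directory-listing` or `default-interface-reachable` usually means a redeploy or server upgrade silently reset a hardened setting.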

How Hdiv protects against A6 risk

Risk Covered

  • Hdiv flow control reinforces any existing ACL system, preventing an attempt to access invalid resources.