OWASP Security Misconfiguration
Security Misconfiguration is A05 in the OWASP Top 10. It is a broad category: any security setting that was left at an insecure default, set incorrectly, or skipped entirely. This vulnerability is especially common because modern applications have many layers — web server, app server, framework, database, cloud storage, containers — and each one needs to be configured correctly.
The New Employee Analogy
A company gives a new hire an account with the default password Welcome123 and full admin access on day one. Nobody ever changes the password or adjusts the permissions. That is a misconfiguration — the setup that was fine as a starting point was never hardened for real use.
Common Misconfiguration Examples
Default Credentials
Software ships with default usernames and passwords. Attackers know these and try them first.
Common default credentials found in production systems:
admin / admin
admin / password
root / root
sa / (empty) -- Microsoft SQL Server
tomcat / tomcat -- Apache Tomcat manager
Open Cloud Storage Buckets
Cloud storage buckets (AWS S3, Google Cloud Storage, Azure Blob) default to private, but many developers accidentally set them to public during testing and forget to revert the setting.
Exposed S3 bucket URL: https://company-backups.s3.amazonaws.com/
Returns a directory listing of every file:
- customer-database-2024.sql
- private-keys.zip
- staff-salaries.xlsx
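A bucket usually becomes public through one of two settings: a bucket policy whose Principal is "*" or an ACL grant to the AllUsers group. The following audit, an added example written for this page and not code from OWASP or AWS, flags both. The policies, the bucket name "example-backups", the account id and the role name are constructed placeholders; the statement and grant shapes are the ones returned by the S3 GetBucketPolicy and GetBucketAcl APIs.

```python
import json

# Constructed sample policies for an imaginary bucket "example-backups"; the account id
# and role name are placeholders, not real identifiers.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupReader",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})

# Constructed ACL grant list in the shape returned by GetBucketAcl: the second grant,
# READ to the AllUsers group, is what the "public-read" canned ACL produces.
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that expose data when granted to an anonymous principal (exact-string match only;
# a production auditor would expand IAM wildcards properly).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for "*" or {"AWS": "*"}, the two spellings of "everyone"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def find_public_statements(policy_json: str) -> list:
    """Return (sid, severity) for Allow statements that grant read actions to anyone.
    Unconditional grants are 'public'; grants with a Condition block are 'review',
    because a condition such as aws:SourceVpce may or may not narrow access enough."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            severity = "review" if stmt.get("Condition") else "public"
            findings.append((stmt.get("Sid", f"statement[{idx}]"), severity))
    return findings


def acl_public_grants(grants: list) -> list:
    """Return "Group:Permission" strings for grants to AllUsers or AuthenticatedUsers."""
    return [
        f"{g['Grantee']['URI'].rsplit('/', 1)[-1]}:{g['Permission']}"
        for g in grants
        if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
    ]


if __name__ == "__main__":
    print("policy findings:", find_public_statements(PUBLIC_POLICY))
    print("acl findings:", acl_public_grants(PUBLIC_ACL_GRANTS))
```

In a real audit the two inputs come from the GetBucketPolicy and GetBucketAcl calls for every bucket in the account. The guardrail that prevents the misconfiguration in the first place is the account-level S3 Block Public Access setting, which rejects public policies and ACLs before they can be applied; the audit above is the detective control that confirms it is working.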
Verbose Error Messages
Detailed error messages shown to users reveal stack traces, database versions, internal file paths, and framework names — a roadmap for attackers.
Developer mode error (never show in production):
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
at sun.reflect.NativeConstructorAccessorImpl ...
Query: SELECT * FROM users WHERE id=5
Database version: MySQL 5.7.34 on /var/lib/mysql
Attacker now knows: database type, version, and query structure.
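The fix is not to drop the detail but to move it: the user gets a generic message and an opaque reference id, and the full exception goes to the server log under that id so support can still find it. The code below is an added example, not from OWASP or any framework; the DatabaseError class and run_query function are stand-ins that simulate the driver failure shown above.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


class DatabaseError(Exception):
    """Stand-in for a database driver exception (constructed for this example)."""


def run_query(user_id: int) -> dict:
    # Constructed failure that mimics the verbose driver message from the page's example.
    raise DatabaseError(
        "CommunicationsException: Communications link failure; "
        f"Query: SELECT * FROM users WHERE id={user_id}; MySQL 5.7.34 on /var/lib/mysql"
    )


def handle_request_verbose(user_id: int) -> tuple:
    """Debug-style handler: returns the exception text and stack trace to the client."""
    try:
        return 200, run_query(user_id)
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def handle_request_hardened(user_id: int) -> tuple:
    """Production handler: generic message plus a reference id; details go to the log only."""
    try:
        return 200, run_query(user_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # log.exception records the stack trace server side, keyed by the reference id.
        log.exception("request failed ref=%s user_id=%s", ref, user_id)
        return 500, {"error": "An internal error occurred.", "reference": ref}


def leaks_internals(body: dict) -> bool:
    """Heuristic a test suite can run against error responses: any of these markers in
    a client-visible body means implementation detail is escaping."""
    text = " ".join(str(v) for v in body.values())
    markers = ("Exception", "Traceback", "SELECT ", "/var/", "MySQL")
    return any(m in text for m in markers)


if __name__ == "__main__":
    print(handle_request_verbose(5)[1]["error"])
    print(handle_request_hardened(5)[1])
```

The leaks_internals check is worth keeping as a regression test: it fails the build if someone later switches the production error handler back to the verbose one.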
Unnecessary Services and Ports Open
A web server that also runs an FTP service, a database port exposed to the internet, or an SSH port with no IP restrictions — each open port is a potential entry point.
Missing Security Headers
HTTP security headers tell browsers how to behave. Missing headers leave users exposed to clickjacking, MIME sniffing, and other browser-based attacks.
Important security headers often missing:
X-Frame-Options: DENY -- Blocks clickjacking
X-Content-Type-Options: nosniff -- Blocks MIME sniffing
Strict-Transport-Security: max-age=31536000 -- Forces HTTPS
Content-Security-Policy: default-src 'self' -- Controls script sources
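A header checker does two things: it reports headers that are absent, and it rejects values that are present but too weak (an HSTS max-age of a few minutes, a CSP that allows 'unsafe-inline'). The script below is an added example, not part of the page or of securityheaders.com; the two raw HTTP responses are constructed and the accepted values and the one-year minimum are taken from the list above.

```python
# Constructed responses, as a scanner would capture them; not from a real site.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=600\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
)

# Header name -> accepted values (lower-cased). None means only presence is checked here
# and the value is examined by a dedicated rule in audit_headers.
REQUIRED = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
    "strict-transport-security": None,
    "content-security-policy": None,
}
MIN_HSTS_AGE = 31536000  # one year, the value the page recommends


def parse_headers(raw: str) -> dict:
    """Split a raw response into a case-insensitive header map (status line dropped)."""
    head = raw.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if absent or unparsable."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def audit_headers(raw: str) -> list:
    """Return a list of findings; an empty list means every checked header is acceptable."""
    headers = parse_headers(raw)
    findings = []
    for name, accepted in REQUIRED.items():
        if name not in headers:
            findings.append(f"missing {name}")
        elif accepted is not None and headers[name].lower() not in accepted:
            findings.append(f"weak {name}: {headers[name]}")
    hsts = headers.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < MIN_HSTS_AGE:
        findings.append(f"weak strict-transport-security: max-age below {MIN_HSTS_AGE}")
    csp = headers.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("weak content-security-policy: allows unsafe-inline or unsafe-eval")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(WEAK_RESPONSE):
        print(finding)
```

Run this against the response of every deployed endpoint from CI, not just the home page: headers are often set in one location block and forgotten in another. Note that a CSP frame-ancestors directive supersedes X-Frame-Options in browsers that support it, so a site that sets frame-ancestors can legitimately pass without X-Frame-Options; extend REQUIRED accordingly if that is your policy.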
Debug Mode Left On in Production
Frameworks like Django, Laravel, and Spring have a debug mode for development. Left on in production, it exposes stack traces, environment variables, and sometimes an interactive console to anyone who triggers an error.
Misconfiguration Attack Chain Example
1. Attacker scans target domain with a port scanner
Finds: Port 8080 open (Tomcat manager interface)
2. Attacker visits: https://target.com:8080/manager/html
Prompted for username and password
3. Attacker tries: tomcat / tomcat
-- Access granted (default credentials never changed)
4. Attacker uploads a malicious WAR file through the manager
-- Gets full code execution on the server
5. Attacker installs a web shell for persistent access
How to Prevent Security Misconfiguration
1. Change All Default Credentials Immediately
The moment you install any software, change the default username and password before connecting it to any network.
2. Disable Unused Features and Services
Remove or disable every component, port, service, and feature that the application does not need. A smaller attack surface means fewer ways in.
3. Use Different Configurations for Each Environment
Development environments can have verbose logging and debugging. Production must have all of that disabled. Use environment variables or secrets managers to control configuration per environment.
4. Apply Security Headers
Use a checklist of security headers for every new project. Tools like securityheaders.com scan your site and show which headers are missing.
5. Automate Configuration Audits
Use infrastructure-as-code tools (Terraform, Ansible) with security policies baked in. Regular automated scans detect misconfigured cloud buckets, open ports, and outdated permissions.
6. Run a Minimal, Hardened Base Image
Start containers and virtual machines from hardened base images with only the required packages installed. Do not use general-purpose OS images with dozens of services pre-installed.
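Steps 1 and 3 above both come down to what the application does at startup: it should read its configuration from the environment, treat anything unset as production, and refuse to start if debug mode is on or a default credential is still in place. The loader below is an added example written for this page, not the configuration code of Django, Laravel, Spring or any other framework; the variable names APP_ENV, DEBUG and DB_PASSWORD and the sample environments are constructed. It also shows a pitfall the paragraph does not mention: in Python, bool("False") is True, so environment strings need strict parsing.

```python
# Constructed environment blocks; the values are placeholders, not real secrets.
DEV_ENV = {"APP_ENV": "development", "DEBUG": "true", "DB_PASSWORD": "dev-only"}
BAD_PROD_ENV = {"APP_ENV": "production", "DEBUG": "True", "DB_PASSWORD": "admin"}
GOOD_PROD_ENV = {"APP_ENV": "production", "DEBUG": "false",
                 "DB_PASSWORD": "placeholder-long-random-value-from-secrets-manager"}

# Well-known default or placeholder secrets that must never reach production.
DEFAULT_SECRETS = {"", "admin", "password", "changeme", "welcome123", "root", "tomcat"}
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off"}


class ConfigError(ValueError):
    """Raised when the configuration is unsafe for the selected environment."""


def parse_bool(value: str, name: str) -> bool:
    """Strict boolean parsing. bool("False") is True in Python, so never apply bool()
    to an environment string; reject anything that is not an explicit true/false token."""
    token = value.strip().lower()
    if token in TRUE_VALUES:
        return True
    if token in FALSE_VALUES:
        return False
    raise ConfigError(f"{name} must be one of {sorted(TRUE_VALUES | FALSE_VALUES)}, got {value!r}")


def check_settings(env: dict) -> list:
    """Return the hardening problems for this environment (empty means safe).
    An unset APP_ENV is treated as production so that a missing variable fails closed."""
    environment = env.get("APP_ENV", "production").strip().lower()
    try:
        debug = parse_bool(env.get("DEBUG", "false"), "DEBUG")
    except ConfigError as exc:
        return [str(exc)]
    password = env.get("DB_PASSWORD", "")
    problems = []
    if environment == "production":
        if debug:
            problems.append("DEBUG is enabled in production")
        if password.lower() in DEFAULT_SECRETS:
            problems.append("DB_PASSWORD is empty or a well-known default")
    return problems


def load_settings(env: dict) -> dict:
    """Build the runtime settings, refusing to start when check_settings finds problems.
    Verbose error pages are tied to debug so they cannot be switched on separately."""
    problems = check_settings(env)
    if problems:
        raise ConfigError("; ".join(problems))
    debug = parse_bool(env.get("DEBUG", "false"), "DEBUG")
    return {
        "environment": env.get("APP_ENV", "production").strip().lower(),
        "debug": debug,
        "show_stack_traces": debug,
        "db_password": env.get("DB_PASSWORD", ""),
    }


if __name__ == "__main__":
    import os
    # In a real service the environment comes from the process, not a dict literal.
    print(check_settings(dict(os.environ)))
```

Failing closed at startup is deliberate: a service that refuses to boot with DEBUG=1 in production is noticed within minutes, while one that boots and serves stack traces may go unnoticed for months.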
Quick Prevention Checklist
[✓] Change all default credentials on installation
[✓] Disable debug mode in production
[✓] Close all ports and services not in use
[✓] Set all required HTTP security headers
[✓] Audit cloud storage bucket permissions
[✓] Display generic error messages to end users
Key Takeaway
Security misconfiguration is the easiest category for attackers to exploit because the vulnerabilities are often simple oversights. A systematic hardening checklist applied to every new deployment catches most issues before attackers find them.
