OWASP Top 10: Security Misconfigurations

Cyber Security Mastery: From Zero to Hero

A05:2021 - Security Misconfiguration

This broad category represents vulnerabilities arising from poor system hardening, unpatched systems, or unnecessary features being enabled.

Common Misconfigurations

  1. Default Credentials: Leaving default usernames and passwords enabled (e.g., 'admin'/'admin').
  2. Directory Listing: Web servers accidentally allowing users to browse the entire directory structure (exposing configuration files, source code, or backups).
  3. Unnecessary Services: Having non-essential services (like Telnet or FTP) running on the web server.
  4. Verbose Error Messages: Displaying sensitive system information (database connection strings, file paths, stack traces) to the user during an application error.
  5. Unpatched Systems: Running outdated web server software (Apache, Nginx) or OS versions.

Defense: Implement a strict hardening process (covered in Lesson 51), use automated configuration management, and ensure sensitive files are correctly restricted by file permissions.
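As an added example (not part of the course material), the following Python audit script checks a constructed nginx configuration and a constructed application settings dictionary for three of the misconfigurations listed above: directory listing (`autoindex on`), version disclosure (`server_tokens on`), verbose debug errors, and default credentials. The config text, the settings keys and the default-credential list are all constructed for this example, not taken from any real deployment.

```python
import re

# Constructed sample nginx config (not from a real server) containing two weak settings.
SAMPLE_NGINX = """
server {
    listen 80;
    server_tokens on;
    location /backups/ {
        autoindex on;
    }
    location /app/ {
        autoindex off;
    }
}
"""

# Constructed sample application settings; key names are hypothetical.
SAMPLE_APP = {"DEBUG": True, "ADMIN_USER": "admin", "ADMIN_PASSWORD": "admin"}

# Small constructed list of well-known default credential pairs to check against.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "password")}


def audit_nginx(text):
    """Return (line number, finding) tuples for directory listing and version disclosure."""
    findings = []
    location = None  # the location block we are currently inside, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.match(r"location\s+(\S+)\s*\{", line)
        if m:
            location = m.group(1)
        elif line == "}":
            location = None
        if re.fullmatch(r"autoindex\s+on\s*;", line):
            findings.append((lineno, f"directory listing enabled in {location or 'server'}"))
        if re.fullmatch(r"server_tokens\s+on\s*;", line):
            findings.append((lineno, "server version disclosed in headers/error pages"))
    return findings


def audit_app(settings):
    """Return findings for verbose error output and default credentials."""
    findings = []
    if settings.get("DEBUG"):
        findings.append("DEBUG enabled: stack traces and file paths shown to users")
    cred = (settings.get("ADMIN_USER"), settings.get("ADMIN_PASSWORD"))
    if cred in DEFAULT_CREDS:
        findings.append(f"default credentials in use for {cred[0]!r}")
    return findings


if __name__ == "__main__":
    for item in audit_nginx(SAMPLE_NGINX) + audit_app(SAMPLE_APP):
        print(item)
```

The same two functions can be pointed at a real config file and settings object as a pre-deployment check in a configuration-management pipeline.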