Intermediate Web — OWASP Top 10

Security Misconfiguration — Insecure Defaults and Exposed Settings

Security Misconfiguration is the most prevalent category in the OWASP Top 10. It requires no vulnerability in the code — a single wrong configuration is enough to expose the system. It typically results from rushed deployments, copying dev environments to production, or lack of hardening.

Debugging Enabled in Production

from flask import Flask
app = Flask(__name__)
# Flask — NEVER in production: enables the interactive debugger on errors
app.run(debug=True)

With debug on, errors display full stack traces, source code, and an interactive console. An attacker can execute Python code directly in the application.

// Stack trace exposes:
- Server file paths
- Environment variables
- Framework version and dependencies
- Internal application logic

# Correct — read from environment, default to off
import os
DEBUG = os.getenv('DEBUG', 'false').lower() == 'true'

Default Credentials

Interfaces often forgotten with default passwords:
- phpMyAdmin: root / (no password)
- Apache Tomcat Manager: tomcat / tomcat, admin / admin
- Jenkins: admin / admin (older versions)
- MongoDB: no authentication by default (older versions)
- Elasticsearch: no authentication by default (< 6.8)
- Router admin: admin / admin, admin / password

Always change default credentials before exposing any service.

Directory Listing

// Apache/nginx with autoindex on — attacker sees all files
http://example.com/uploads/

Index of /uploads
  backup_2025-01.sql.gz
  config_old.php
  private_keys/

# nginx — disable directory listing (this is the default)
autoindex off;

Missing Security Headers

// Scanner: curl -I https://example.com

Frequently absent:
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=(), microphone=()
Content-Security-Policy: default-src 'self'
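As an added example (not part of the original page), a small Python audit that parses `curl -I` output and reports which of the headers above are missing or weakly set; the values it accepts for each header are assumptions, not a standard:

```python
# Headers the page lists as frequently absent, each with an (assumed) value
# check that returns True when the value is an acceptable hardening setting.
REQUIRED_HEADERS = {
    "X-Content-Type-Options": lambda v: v.lower() == "nosniff",
    "X-Frame-Options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "Referrer-Policy": lambda v: v.lower() in (
        "no-referrer", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin"),
    "Permissions-Policy": lambda v: bool(v.strip()),
    "Content-Security-Policy": lambda v: "default-src" in v.lower()
        and "'unsafe-inline'" not in v.lower(),
}

def parse_response_head(raw: str) -> dict:
    """Parse `curl -I` output (status line + headers) into a dict.
    Header names are case-insensitive, so keys are lower-cased; a repeated
    header is joined with ', ' as HTTP allows."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # an empty line ends the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers

def audit_headers(raw: str) -> list:
    """Return findings as 'missing: <Header>' or 'weak: <Header>=<value>'."""
    headers = parse_response_head(raw)
    findings = []
    for name, acceptable in REQUIRED_HEADERS.items():
        value = headers.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif not acceptable(value):
            findings.append(f"weak: {name}={value}")
    return findings

# Constructed sample of `curl -I` output; not a real server's response.
SAMPLE_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: ALLOW-FROM https://example.com
x-content-type-options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline'

"""

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEAD):
        print(finding)
```

Run it against `curl -I https://your-host` output saved to a file to get the same report for a real deployment.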

Unnecessary Ports and Services Exposed

# Quick check (on your own server)
nmap -sV -p- 192.168.1.100

# Concerning result on a web server:
PORT      STATE  SERVICE    VERSION
22/tcp    open   ssh        OpenSSH 7.4
80/tcp    open   http
443/tcp   open   https
3306/tcp  open   mysql      MySQL 8.0     # database publicly exposed
6379/tcp  open   redis      Redis 6.0     # no authentication
27017/tcp open   mongodb    MongoDB 4.4   # no authentication

Cloud Environments — Public S3 Buckets

# Check bucket policy (AWS CLI — your own bucket)
aws s3api get-bucket-acl --bucket my-bucket
aws s3api get-bucket-policy --bucket my-bucket

# Anonymous listing: succeeds only if the bucket is accidentally public
aws s3 ls s3://my-bucket --no-sign-request

Hardening Checklist

  • Remove unused frameworks, modules, and dependencies.
  • Segment environments: dev, staging, prod — separate configurations.
  • Disable unneeded features (XML external entities, server-side includes).
  • Apply HTTP security headers on all responses.
  • Review configuration with tools: lynis, CIS Benchmarks, AWS Security Hub.
  • Automate infrastructure as code — avoids divergent manual configuration.
  • Regularly scan for exposed ports and services.