A5: Security Misconfiguration


• link : https://portswigger.net/support/using-burp-to-test-for-securitymisconfiguration-issues
• default credentials are not changed
• admin console page is exposed to the public
• directory listing is not disabled
• code file is exposed to the public
• stack trace error revealing sensitive code
• sample or default application not removed from the prod server

Lab


  1. Dashboard → New scan → change "crawl and audit" to only CRAWL
    attachments/Pasted image 20250314123738.png

  2. after selecting CRAWL, copy the URL of Mutillidae and paste it → then OK
    attachments/Pasted image 20250314123755.png

  3. keep it lightweight
    attachments/Pasted image 20250314123810.png

  4. go to Target → then http... → mutillidae → includes
    attachments/Pasted image 20250314123824.png

attachments/Pasted image 20250314123838.png

  5. edit the URL of includes to http://192.168.31.128/mutillidae/includes/ and open the config.inc file
    attachments/Pasted image 20250314123859.png

  6. download it; this file was only meant to be viewed by the admin, but because directory listing is enabled and the .inc file is served raw, we can view it too.
    attachments/Pasted image 20250314123915.png
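The bullet list above names the misconfigurations and the lab shows one of them by hand (directory listing on /includes/ leading to a readable config.inc). As an added example that is not part of the original notes, Burp, or Mutillidae, the Python below turns those bullets into offline checks run over a few constructed HTTP responses: it flags an autoindex page, a sensitive file listed or served raw, PHP source leaking in a response body, a PHP warning/stack trace with a server path, and a default application path. The sample bodies, the config values, and the `DEFAULT_APP_PATHS` / `SENSITIVE_EXT` lists are assumptions for the example; only the Mutillidae host and the /includes/config.inc path come from the lab.

```python
"""Offline checks for the A5 misconfigurations listed in the notes.
Added example: runs over constructed responses, never touches the network."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed lists for the example: extensions that should never be served raw,
# and sample/default apps that should not exist on a production host.
SENSITIVE_EXT = (".inc", ".bak", ".old", ".env", ".config", ".sql", ".log")
DEFAULT_APP_PATHS = ("/phpinfo.php", "/test.php", "/phpmyadmin/", "/examples/")
# Heuristic: an error keyword followed by a server-side path or a line number.
STACK_TRACE_RE = re.compile(
    r"(Fatal error|Warning|Traceback \(most recent call last\)|Exception in thread)"
    r".*?(/[\w./-]+\.(?:php|py|java)|line \d+)", re.S)


@dataclass
class Response:
    url: str
    status: int
    content_type: str
    body: str


class _LinkCollector(HTMLParser):
    """Collects href values so we can read the entries of an autoindex page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(resp):
    """Apache/nginx autoindex pages carry an 'Index of /path' title."""
    return resp.status == 200 and bool(re.search(r"<title>\s*Index of /", resp.body, re.I))


def listed_entries(resp):
    """File names in a listing; skips sort links (?C=...) and the parent-dir link."""
    parser = _LinkCollector()
    parser.feed(resp.body)
    return [h for h in parser.hrefs if not h.startswith(("?", "/"))]


def check(responses):
    """Return (finding_kind, url, detail) tuples for every misconfiguration seen."""
    findings = []
    for r in responses:
        path = urlparse(r.url).path
        if is_directory_listing(r):
            entries = listed_entries(r)
            findings.append(("directory-listing", r.url, entries))
            for entry in entries:
                if entry.lower().endswith(SENSITIVE_EXT):
                    findings.append(("sensitive-file-listed", r.url + entry, None))
        if r.status == 200 and "<?php" in r.body:
            findings.append(("source-exposed", r.url, None))      # raw PHP served to the client
        if r.status == 200 and path.lower().endswith(SENSITIVE_EXT):
            findings.append(("sensitive-file-served", r.url, None))
        if STACK_TRACE_RE.search(r.body):
            findings.append(("stack-trace", r.url, None))
        if r.status == 200 and any(path.startswith(p) for p in DEFAULT_APP_PATHS):
            findings.append(("default-app", r.url, None))
    return findings


# Constructed sample responses mirroring the lab (bodies and values are made up).
SAMPLES = [
    Response("http://192.168.31.128/mutillidae/includes/", 200, "text/html",
             "<html><head><title>Index of /mutillidae/includes</title></head><body>"
             '<h1>Index of /mutillidae/includes</h1><a href="?C=N;O=D">Name</a>'
             '<a href="/mutillidae/">Parent Directory</a>'
             '<a href="config.inc">config.inc</a><a href="header.php">header.php</a></body></html>'),
    Response("http://192.168.31.128/mutillidae/includes/config.inc", 200, "text/plain",
             "<?php\n$dbhost = 'localhost';\n$dbuser = 'root';\n$dbpass = 'CONSTRUCTED_PLACEHOLDER';\n?>"),
    Response("http://192.168.31.128/mutillidae/index.php?page=missing", 200, "text/html",
             "<b>Warning</b>: include(missing): failed to open stream in "
             "<b>/var/www/mutillidae/index.php</b> on line <b>42</b>"),
    Response("http://192.168.31.128/phpinfo.php", 200, "text/html", "<html>...</html>"),
    Response("http://192.168.31.128/mutillidae/", 200, "text/html", "<html><title>Mutillidae</title></html>"),
]

if __name__ == "__main__":
    for kind, url, detail in check(SAMPLES):
        print(f"{kind:22} {url}" + (f"  entries={detail}" if detail else ""))
```

Feed it the responses Burp's crawl actually collected and the directory-listing and served-file findings correspond to steps 4 to 6 of the lab; the fix on an Apache host is `Options -Indexes` plus a deny rule for the `.inc` extension so the file is neither listed nor served.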