Deepshikha Paty
DI-ASM
What is it?
Security misconfiguration happens when the app or server is not set up securely, like:
- Leaving default settings or passwords
- Showing detailed error messages with sensitive data
- Allowing public access to private files (like logs or API docs)
- Poorly set CORS (Cross-Origin Resource Sharing) policies
Important
CORS stands for Cross-Origin Resource Sharing.
It's a mechanism enforced by web browsers that controls which other websites (origins) are allowed to read responses from resources (like APIs) on a server. The server opts in through response headers such as Access-Control-Allow-Origin; it does not stop a cross-origin request from being sent, it only decides whether the calling page may read the reply. A policy that allows every origin, or simply echoes back whatever Origin the request carried, gives any website the same access to the API as your own front end.
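As an added example (not part of the original notes), here is what a poorly set CORS policy looks like next to a corrected one, written as plain Python functions that compute the response headers for a request's Origin, plus a small model of the browser-side check. The allowlist and the origins used are assumed values, and the code is framework-agnostic rather than any particular project's code.

```python
"""Added example: a reflecting CORS policy versus an allowlisted one.

Not from the original page.  ALLOWED_ORIGINS and the origins used in the
usage section are assumed example values.
"""

# Assumption: these are the only origins that should read our API.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_insecure(request_origin):
    """Misconfigured: echoes any Origin back and allows credentials, so a page
    on evil.example can call the API with the victim's cookies and read the
    response as if it were the real front end."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_secure(request_origin):
    """Fixed: only an exact match against the allowlist gets CORS headers.
    Exact match matters: a check like origin.endswith("example.com") would
    also accept https://evilexample.com.  'Vary: Origin' stops a shared cache
    from serving one origin's headers to a different origin."""
    if request_origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {"Vary": "Origin"}


def browser_allows_read(response_headers, page_origin):
    """Simplified model of the browser's check for a credentialed request:
    the response must name exactly this origin ('*' is rejected when
    credentials are sent) and explicitly allow credentials."""
    return (
        response_headers.get("Access-Control-Allow-Origin") == page_origin
        and response_headers.get("Access-Control-Allow-Credentials") == "true"
    )


if __name__ == "__main__":
    evil = "https://evil.example"
    app = "https://app.example.com"
    print("insecure, evil page can read:", browser_allows_read(cors_headers_insecure(evil), evil))
    print("secure,   evil page can read:", browser_allows_read(cors_headers_secure(evil), evil))
    print("secure,   own app can read:  ", browser_allows_read(cors_headers_secure(app), app))
```

The insecure version is the pattern behind most real CORS findings: it was written to "make the frontend work" by reflecting the Origin, and it works for every other site too.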
Example 1: Default Admin Login
Example
- A web app uses a popular admin panel like phpMyAdmin or WordPress, and the admin page is reachable by anyone at https://example.com/admin
- If the developer forgets to change the default username and password, an attacker can simply try the well-known default:
  Username: admin
  Password: admin
…and it works!
Now the attacker has administrative control of the application (and, for a database panel like phpMyAdmin, of the data behind it).
Other Common Examples:
Example
- Directory listing enabled
  - Visiting https://example.com/uploads/ shows a list of every file in the folder, including files that were never linked anywhere (backups, exports, old configs).
- Debug mode turned on
  - Shows internal errors, file paths, stack traces, and sometimes passwords or connection strings.
- No HTTPS (SSL/TLS)
  - Sends sensitive data (like passwords) in plain text, readable by anyone on the network path.
- Outdated software
  - Using an old version of a framework or server with publicly known vulnerabilities.
Why is it risky?
- Attackers can learn how your system is built (framework, versions, file paths)
- They can guess or brute-force other endpoints and hidden files
- They can bypass security mechanisms that were never switched on
- They can exploit flaws using the details shown in error messages
How to prevent this?
- Hide detailed error messages: show only generic ones to users and keep the details in server-side logs
- Don't expose API docs, logs, or debugging tools to the public
- Change default passwords before go-live, and restrict admin panels (by authentication and, where possible, by network or IP) instead of leaving them reachable by everyone
- Disable directory listing, enforce HTTPS, and keep frameworks and servers patched (the other examples above)
- Regularly use security scanners or audits to find misconfigurations
- Turn off debug mode in production
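As an added example (not from the original notes), the checker below looks for the misconfigurations listed above in HTTP responses, the kind of check a scanner run under the last section would perform. The responses it audits are constructed sample data; the admin-panel paths and debug-output patterns are short illustrative lists (assumptions), not a complete signature set, and the CORS check assumes the auditor sent a probe Origin it controls.

```python
"""Added example: flag common security misconfigurations in HTTP responses.

Not from the original page.  SAMPLES are constructed responses; ADMIN_PATHS
and DEBUG_PATTERNS are assumed, illustrative lists.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: a few default admin-panel locations, not a complete list.
ADMIN_PATHS = ("/admin", "/phpmyadmin/", "/wp-admin/", "/wp-login.php")

# Assumption: a few signs of debug mode / verbose error pages.
DEBUG_PATTERNS = (
    r"Traceback \(most recent call last\)",      # Python stack trace
    r"Fatal error: .+ in /\S+ on line \d+",      # PHP fatal error with a path
    r"DEBUG\s*=\s*True",                         # Django setting leaked
    r"(?i)(password|secret)\s*[=:]\s*\S+",       # credential printed in a page
)


@dataclass
class Response:
    url: str
    status: int
    headers: dict
    body: str = ""

    def header(self, name):
        """Case-insensitive lookup (HTTP header names are case-insensitive)."""
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower())

    @property
    def path(self):
        return urlsplit(self.url).path


def check_https(r):
    return ["no HTTPS: served over plain http://"] if r.url.startswith("http://") else []


def check_directory_listing(r):
    # Apache/nginx autoindex pages carry an "Index of /..." title plus file links.
    if r.status == 200 and re.search(r"<title>Index of /", r.body) and "<a href=" in r.body:
        return [f"directory listing enabled at {r.path}"]
    return []


def check_debug_output(r):
    return [f"verbose error/debug output matches {p!r}" for p in DEBUG_PATTERNS if re.search(p, r.body)]


def check_admin_panel(r):
    # A 200 (not 401/403 or a redirect to SSO) means the panel is exposed to
    # whoever can reach the host; it may still ask for a login, so this is a
    # lead to verify, not proof of compromise.
    if r.status == 200 and r.path in ADMIN_PATHS:
        return [f"admin panel reachable at {r.path}: restrict it and change default credentials"]
    return []


def check_cors(r, probe_origin):
    """probe_origin is the Origin header the auditor sent (an origin we control)."""
    acao = r.header("Access-Control-Allow-Origin")
    creds = (r.header("Access-Control-Allow-Credentials") or "").lower() == "true"
    if acao is None:
        return []
    if acao == "*":
        # Browsers refuse '*' together with credentials, so this only exposes
        # what the endpoint returns without cookies; still wrong if that is private.
        return ["CORS: any origin may read this response"]
    if acao == probe_origin:
        why = "with credentials" if creds else "without credentials"
        return [f"CORS: arbitrary Origin reflected back {why}"]
    if acao == "null":
        return ["CORS: 'null' origin allowed (sandboxed iframes / file:// pages can claim it)"]
    return []


def audit(r, probe_origin="https://attacker.example"):
    return (check_https(r) + check_directory_listing(r) + check_debug_output(r)
            + check_admin_panel(r) + check_cors(r, probe_origin))


# Constructed sample responses from a poorly configured server.
SAMPLES = [
    Response("http://example.com/uploads/", 200, {"Content-Type": "text/html"},
             '<html><title>Index of /uploads</title><a href="db-backup.sql">db-backup.sql</a></html>'),
    Response("https://example.com/api/profile", 500, {"Content-Type": "text/html"},
             'Traceback (most recent call last):\n  File "/srv/app/views.py", line 42\nDB_PASSWORD = \'hunter2\''),
    Response("https://example.com/phpmyadmin/", 200, {"Content-Type": "text/html"}, "<form>..."),
    Response("https://example.com/api/orders", 200,
             {"Access-Control-Allow-Origin": "https://attacker.example",
              "Access-Control-Allow-Credentials": "true"}, "[]"),
    Response("https://example.com/api/public", 200, {"Access-Control-Allow-Origin": "*"}, "[]"),
]


def audit_all(responses=SAMPLES, probe_origin="https://attacker.example"):
    return {r.url: audit(r, probe_origin) for r in responses}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url, "->", findings or "ok")
```

Each check is deliberately a lead rather than a verdict: a reachable admin panel or a reflected Origin tells you where to look, and the "fix" side is the prevention list above (generic errors, restricted panels, exact-match CORS allowlists, HTTPS everywhere).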