Security Misconfiguration in OWASP Top 10:2025


Security Misconfiguration sits at number two (A02) in OWASP Top 10:2025. It occurs when an application, server, framework, cloud service, or database is configured in a way that leaves security gaps an attacker can exploit.

Security misconfiguration is one of the most common causes of application compromise because many organizations deploy applications with default settings, unnecessary services, weak configurations, or outdated components. Even a highly secure application can become vulnerable if the server or framework configuration is not managed properly.

What is Security Misconfiguration?

Security Misconfiguration happens when security settings are not implemented correctly at the application or infrastructure level. These weaknesses expose systems to unauthorized access, sensitive data leakage, remote code execution, and other cyberattacks.

Misconfigurations may exist in:

  • Web servers
  • Application servers
  • Databases
  • Cloud environments
  • APIs
  • Containers
  • Frameworks and libraries

Attackers usually scan applications for common misconfigurations because they are easy to identify and often simple to exploit.

Common Causes of Security Misconfiguration

Below are the most common reasons why this vulnerability occurs in applications and servers.

1. Missing Security Hardening

Applications and servers should be hardened before deployment. If secure configurations are not applied properly, attackers can exploit weak settings and gain access to sensitive resources.

2. Unnecessary Services and Sample Files Enabled

Many servers contain:

  • Unnecessary open ports
  • Default services
  • Testing pages
  • Demo applications
  • Sample files

These components may contain severe vulnerabilities that attackers can exploit.

3. Missing Security Headers

If secure HTTP headers are not configured correctly on the web server, applications become vulnerable to attacks such as:

  • Clickjacking
  • Cross-Site Scripting (XSS)
  • MIME-sniffing attacks
  • Session hijacking

Examples of important security headers include:

  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • Strict-Transport-Security

4. Default Accounts and Passwords

Default usernames and passwords are one of the biggest security risks. Attackers often try publicly known credentials like admin/admin to compromise systems.

5. Outdated Frameworks and Components

Using old or unpatched software frameworks, plugins, or libraries can expose applications to known vulnerabilities.

6. Improper Security Settings

Incorrectly configured permissions, weak access controls, insecure cloud storage, and disabled security mechanisms can all lead to exploitation.

7. Improper Error Handling

Applications sometimes reveal detailed error messages containing:

  • Stack traces
  • Framework versions
  • Database details
  • Server paths
  • Configuration information

This information helps attackers identify vulnerabilities quickly.

Real-World Examples of Security Misconfiguration

Example 1: Detailed Error Messages

An application server displays complete stack traces and framework version information whenever an error occurs. If the framework version is vulnerable, attackers can use publicly available exploits to compromise the application.

Example 2: Vulnerable Sample Applications

While deploying a production application, developers leave sample applications or testing pages enabled on the server. These components are often shipped with known security flaws or default accounts; if one of them is an administrative console whose default password was never changed, an attacker can simply log in and take over the server.

Example 3: Directory Listing Enabled

If directory listing is not disabled, attackers may discover:

  • Backup files
  • Source code
  • Configuration files
  • Log files

Attackers can analyze or decompile these files and use the information for further attacks.

Commonly Mapped CWEs

Security Misconfiguration is associated with multiple Common Weakness Enumerations (CWEs), including:

  • CWE-5 – J2EE Misconfiguration: Data Transmission Without Encryption
  • CWE-11 – ASP.NET Misconfiguration: Creating Debug Binary
  • CWE-13 – ASP.NET Misconfiguration: Password in Configuration File
  • CWE-15 – External Control of System or Configuration Setting
  • CWE-16 – Configuration
  • CWE-260 – Password in Configuration File
  • CWE-315 – Cleartext Storage of Sensitive Information in a Cookie
  • CWE-489 – Active Debug Code
  • CWE-526 – Exposure of Sensitive Information Through Environmental Variables
  • CWE-547 – Use of Hard-coded Security-relevant Constants
  • CWE-611 – Improper Restriction of XML External Entity Reference
  • CWE-614 – Sensitive Cookie Without Secure Attribute
  • CWE-776 – Improper Restriction of Recursive Entity References in DTDs
  • CWE-942 – Permissive Cross-domain Policy with Untrusted Domains
  • CWE-1004 – Sensitive Cookie Without HttpOnly Flag
  • CWE-1174 – ASP.NET Misconfiguration: Improper Model Validation

How to Prevent Security Misconfiguration

1. Perform Proper Security Hardening

Servers, applications, databases, and cloud environments should be hardened before deployment through a repeatable, automated process. Development, staging and production should be built from the same locked-down configuration, differing only in the credentials used in each environment, so that a setting that is safe in one environment is not silently unsafe in another.
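The hardening step above, and the causes listed earlier (debug mode, default credentials, passwords in configuration files, directory listing, verbose errors), can be enforced by linting the configuration before it is deployed. The following Python script is an added example and is not code from the original article or from OWASP. It assumes a simple INI-style application config with the keys shown; the two configs are constructed for the example and the CWE identifiers cited in the findings are those from the page's mapping.

```python
import configparser
import re

# Constructed sample config (not from any real deployment), with the
# weak settings the article lists deliberately left in.
WEAK_CONFIG = """
[server]
debug = true
directory_listing = on
tls = off
show_stack_traces = true

[admin]
username = admin
password = admin

[database]
password = s3cr3t-plaintext
"""

# Same application, hardened: secrets are injected from the environment
# at deploy time rather than stored in the file.
HARDENED_CONFIG = """
[server]
debug = false
directory_listing = off
tls = on
show_stack_traces = false

[admin]
username = ops-admin
password = ${ADMIN_PASSWORD}

[database]
password = ${DB_PASSWORD}
"""

# Illustrative list of vendor/default pairs attackers try first.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("admin", "")}

TRUE_VALUES = {"1", "true", "on", "yes"}


def _is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def _is_placeholder(value: str) -> bool:
    # ${VAR} or %(VAR)s markers are filled in at deploy time, so the
    # secret itself is not present in the file.
    return bool(re.fullmatch(r"\$\{[A-Z0-9_]+\}|%\([A-Z0-9_]+\)s", value.strip()))


def audit_config(text: str) -> list[str]:
    """Return a list of human-readable findings for one config file."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings: list[str] = []

    server = cfg["server"] if cfg.has_section("server") else {}
    if _is_true(server.get("debug", "false")):
        findings.append("server.debug enabled (CWE-489 Active Debug Code)")
    if _is_true(server.get("directory_listing", "off")):
        findings.append("server.directory_listing enabled: backups, source and logs become browsable")
    if not _is_true(server.get("tls", "off")):
        findings.append("server.tls disabled or not configured: traffic sent in cleartext")
    if _is_true(server.get("show_stack_traces", "false")):
        findings.append("server.show_stack_traces enabled: stack traces returned to clients")

    for section in cfg.sections():
        user = cfg[section].get("username")
        pwd = cfg[section].get("password")
        if user is not None and pwd is not None and (user, pwd) in DEFAULT_CREDENTIALS:
            findings.append(f"{section}: default credentials {user!r}/{pwd!r}")
        for key, value in cfg.items(section):
            if "password" in key.lower() and value and not _is_placeholder(value):
                findings.append(f"{section}.{key}: cleartext password in configuration file (CWE-260)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_config(text) or ["no findings"]:
            print(" -", finding)
```

Run as a pre-deployment gate (for example, failing the pipeline when the list is non-empty), the same check applies to every environment, which is what keeps staging and production from drifting apart.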

2. Remove Unnecessary Components

Delete or disable:

  • Sample applications
  • Testing pages
  • Unused services
  • Unnecessary ports
  • Default files

Reducing the attack surface significantly improves security.

3. Configure Security Headers Properly

Web servers should send the headers listed earlier with strict values: a Content-Security-Policy that does not allow 'unsafe-inline' or 'unsafe-eval', X-Frame-Options set to DENY or SAMEORIGIN (or a CSP frame-ancestors directive), X-Content-Type-Options: nosniff, and a Strict-Transport-Security header with a long max-age. Session cookies should also carry the Secure and HttpOnly attributes, and the Server header should not reveal a version number.
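The header checks described here and in the "Missing Security Headers" cause above can be scripted so a deployment can be audited in seconds. The following Python function is an added example, not code from the original article; it works on a header dictionary such as one a client library would return, and the two responses are constructed for the example rather than captured from any real site. The one-year HSTS threshold and the cookie checks (CWE-614, CWE-1004) reflect the page's own mapping.

```python
import re

# Constructed responses (not captured from any real site). Header names
# are lower-cased, as most HTTP client libraries present them.
WEAK_RESPONSE = {
    "content-type": "text/html",
    "server": "Apache/2.4.1 (Unix)",
    "set-cookie": "sessionid=abc123; Path=/",
}

HARDENED_RESPONSE = {
    "content-type": "text/html; charset=utf-8",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "set-cookie": "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

ONE_YEAR = 31536000  # seconds; commonly recommended minimum HSTS max-age


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for one HTTP response; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # XSS mitigation: CSP must exist and must not re-enable inline script.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy (XSS mitigation absent)")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy permits 'unsafe-inline' or 'unsafe-eval'")

    # Clickjacking: either X-Frame-Options or CSP frame-ancestors must restrict framing.
    xfo = h.get("x-frame-options", "").upper()
    framed_by_csp = csp is not None and "frame-ancestors" in csp
    if xfo not in ("DENY", "SAMEORIGIN") and not framed_by_csp:
        findings.append("no framing restriction (X-Frame-Options / frame-ancestors): clickjacking")

    # MIME sniffing: browsers must honour the declared Content-Type.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff (MIME sniffing)")

    # Transport: HSTS present and long-lived.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    # Session hijacking: cookie attributes (everything after the first ';').
    cookie = h.get("set-cookie")
    if cookie is not None:
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("session cookie without Secure attribute (CWE-614)")
        if "httponly" not in attrs:
            findings.append("session cookie without HttpOnly flag (CWE-1004)")

    # Information leakage: a version number in Server helps attackers pick exploits.
    if "server" in h and re.search(r"\d", h["server"]):
        findings.append(f"Server header leaks version: {h['server']}")
    return findings


if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {name} ==")
        for finding in audit_headers(resp) or ["no findings"]:
            print(" -", finding)
```

The function deliberately accepts a CSP frame-ancestors directive in place of X-Frame-Options, since modern browsers prefer the former; a checker that demanded X-Frame-Options unconditionally would flag correctly configured sites.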

4. Implement Secure Error Handling

Applications should return a generic error message to the user, ideally with a reference identifier, while the stack trace and other diagnostic detail go only to logs that administrators can read.
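The contrast between the verbose error handling described under "Improper Error Handling" and the secure handling recommended here can be shown in a few lines. The Python below is an added example, not code from the original article; `lookup_user` is a hypothetical stand-in for application logic that fails on bad input, and the in-memory log sink stands in for whatever log store administrators actually use. The internal hostname in the error message is constructed to show what the verbose version leaks.

```python
import logging
import traceback
import uuid

# In-memory log sink so the example runs offline; a real deployment would
# forward these records to a store only administrators can read.
_log_records: list[str] = []


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        # The default formatter appends the traceback when exc_info is set.
        _log_records.append(self.format(record))


logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.addHandler(_ListHandler())
logger.propagate = False


def lookup_user(user_id: str) -> dict:
    # Hypothetical application logic; the message deliberately carries
    # internal detail (a database host) of the kind real exceptions leak.
    if not user_id.isdigit():
        raise ValueError(f"bad user id {user_id!r} (db host db-internal.example:5432)")
    return {"id": int(user_id)}


def handle_request_verbose(user_id: str) -> tuple[int, str]:
    """Misconfigured handler: returns the full traceback to the client."""
    try:
        lookup_user(user_id)
        return 200, "ok"
    except Exception:
        return 500, traceback.format_exc()


def handle_request_secure(user_id: str) -> tuple[int, str]:
    """Hardened handler: generic message plus a reference id; detail goes to the log."""
    try:
        lookup_user(user_id)
        return 200, "ok"
    except Exception:
        ref = uuid.uuid4().hex[:12]
        logger.error("ref=%s unhandled error", ref, exc_info=True)
        return 500, f"An internal error occurred. Reference: {ref}"


def last_log_record() -> str:
    """Most recent record written by the secure handler (empty if none)."""
    return _log_records[-1] if _log_records else ""


if __name__ == "__main__":
    print(handle_request_verbose("abc")[1])
    print(handle_request_secure("abc")[1])
    print("--- what the administrator sees ---")
    print(last_log_record())
```

The reference id is what lets support staff find the full record without the client ever seeing file paths, hostnames or framework internals; the same pattern applies whatever web framework produces the response.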

5. Remove or Change Default Credentials

All default accounts, passwords, and unnecessary administrative accounts should be removed or updated with strong credentials.

6. Keep Software Updated

Always install updated and secure versions of:

  • Frameworks
  • Libraries
  • Plugins
  • Operating systems
  • Web servers

Regular patch management helps prevent exploitation of known vulnerabilities.

Security Misconfiguration remains one of the most dangerous vulnerabilities in the OWASP Top 10:2025 because even small configuration mistakes can expose an entire application to attackers. Weak server settings, outdated software, default credentials, and exposed debug information can all become entry points for cybercriminals.

Organizations should follow secure configuration practices, regularly audit their environments, apply security hardening, and continuously update software components to minimize the risk of exploitation. Proper configuration management plays a critical role in maintaining a secure web application environment.
