LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is A05 Security Misconfiguration?

The app is built on insecure defaults or leftovers — default admin passwords, directory listing on, debug/stack traces exposed, unused features enabled — none of which is a code bug, just a setup left wide open.

Concrete scenario: a team ships a server with the framework's debug mode still on. A visitor triggers an error and the stack trace reveals the database driver, internal file paths, and library versions — a free reconnaissance map for an attacker, who then targets a known CVE in one of those exact versions. Nobody "wrote vulnerable code"; the configuration was the hole. This is consistently one of the most common Top 10 categories precisely because secure defaults are easy to skip.

Issue Example
Missing hardening Default TLS config allows weak ciphers
Unnecessary features enabled Directory listing, debug endpoints, sample apps
Default accounts still active admin/admin, sa/password
Detailed error messages exposed Stack traces shown to users reveal internals
Countermeasure Why
Repeatable hardening process Automated = consistent = no forgotten steps
Minimal platform Remove unused features, frameworks, ports
Review configurations regularly Drift happens — catch it early
Segmented architecture Compromise of one component doesn't spread

See: OWASP Security Misconfiguration

Go deeper:

From Quiz: SPRG / OWASP Top 10 | Updated: Jul 14, 2026