What is A05 Security Misconfiguration?
The app is built on insecure defaults or leftovers — default admin passwords, directory listing on, debug/stack traces exposed, unused features enabled — none of which is a code bug, just a setup left wide open.
Concrete scenario: a team ships a server with the framework's debug mode still on. A visitor triggers an error and the stack trace reveals the database driver, internal file paths, and library versions — a free reconnaissance map for an attacker, who then targets a known CVE in one of those exact versions. Nobody "wrote vulnerable code"; the configuration was the hole. This is consistently one of the most common Top 10 categories precisely because secure defaults are easy to skip.
| Issue | Example |
|---|---|
| Missing hardening | Default TLS config allows weak ciphers |
| Unnecessary features enabled | Directory listing, debug endpoints, sample apps |
| Default accounts still active | admin/admin, sa/password |
| Detailed error messages exposed | Stack traces shown to users reveal internals |
| Countermeasure | Why |
|---|---|
| Repeatable hardening process | Automated = consistent = no forgotten steps |
| Minimal platform | Remove unused features, frameworks, ports |
| Review configurations regularly | Drift happens — catch it early |
| Segmented architecture | Compromise of one component doesn't spread |
See: OWASP Security Misconfiguration
Go deeper:
OWASP Top 10 — A05: Security Misconfiguration — canonical category page.