Security Misconfiguration

Security misconfiguration is one of the most common and easily exploitable vulnerability classes. It occurs when security settings are not defined, implemented, or maintained correctly. Unlike code-level bugs, misconfiguration issues affect the infrastructure, platform, and deployment of an application.

---

What is Security Misconfiguration?

Security misconfiguration covers a broad range of issues:

• Default credentials left in place
• Unnecessary features, services, or ports enabled
• Error handling that reveals stack traces or internal details
• Missing or misconfigured security headers
• Unpatched software
• Overly permissive cloud storage permissions
• Verbose logging in production

---

Common Misconfiguration Categories

1. Default Credentials

Many platforms, databases, and admin panels ship with default usernames and passwords:

Platform	Default Credentials
Apache Tomcat Manager	admin/admin or tomcat/tomcat
phpMyAdmin	root/(blank)
Jenkins	admin/(auto-generated but often unchanged)
MongoDB	No authentication by default
Elasticsearch	No authentication by default (pre-8.x)
Default routers	admin/admin or admin/password

Action: Change all default credentials before deployment. Better yet, disable default accounts entirely.

2. Debug Mode in Production

Debug mode provides detailed error messages that help attackers understand the application:

# Django — NEVER set this in production
DEBUG = True  # Exposes settings, database queries, source code paths

// Express.js — verbose error details in production
app.use((err, req, res, next) => {
  // INSECURE: sending stack trace to the client
  res.status(500).json({ error: err.message, stack: err.stack });
});

// SECURE: generic error message
app.use((err, req, res, next) => {
  console.error(err);  // Log the details server-side
  res.status(500).json({ error: 'Internal server error' });
});

3. Directory Listing

When enabled, the web server displays the contents of directories without an index file:

Index of /backup/
  ├── database-dump-2024.sql
  ├── config.yml
  └── .env

This exposes sensitive files to anyone who can guess the URL.

Prevention (Nginx):

autoindex off;

Prevention (Apache):

Options -Indexes

4. Missing Security Headers

HTTP security headers instruct the browser to enable specific protections:

Header	Purpose	Recommended Value
Content-Security-Policy	Prevents XSS and data injection	default-src 'self' (customise as needed)
X-Content-Type-Options	Prevents MIME-type sniffing	nosniff
X-Frame-Options	Prevents clickjacking	DENY or SAMEORIGIN
Strict-Transport-Security	Enforces HTTPS	max-age=31536000; includeSubDomains
Referrer-Policy	Controls referrer information	strict-origin-when-cross-origin
Permissions-Policy	Restricts browser features	camera=(), microphone=(), geolocation=()
X-XSS-Protection	Legacy XSS filter (modern browsers ignore it)	0 (disable — CSP is the replacement)

// Express.js — using helmet to set security headers
import helmet from 'helmet';
app.use(helmet());

5. CORS Misconfiguration

Cross-Origin Resource Sharing (CORS) controls which origins can access your API. Misconfigured CORS can expose your API to any website:

// INSECURE — allows any origin
app.use(cors({ origin: '*' }));

// INSECURE — reflects the requesting origin (effectively allows any origin with credentials)
app.use(cors({ origin: req.headers.origin, credentials: true }));

// SECURE — allowlist specific origins
app.use(cors({
  origin: ['https://myapp.com', 'https://admin.myapp.com'],
  credentials: true
}));