alicesec
Back to Learning Center
highA05:2021CWE-16CWE-200CWE-209

Security Misconfiguration

Security misconfiguration is one of the most common vulnerabilities—and often the easiest to exploit. It occurs when systems are configured in ways that unintentionally expose them to attack: default credentials left unchanged, debug endpoints in production, excessive permissions, or missing security headers. Some of the largest data breaches weren't caused by complex exploits, but by simple misconfigurations.

What is Security Misconfiguration?

Security misconfiguration happens when security settings are missing, improperly configured, or left at insecure defaults. It can occur at any level:

  • Application servers and frameworks
  • Databases and storage
  • Web servers (Nginx, Apache)
  • Cloud services (AWS, GCP, Azure)
  • Containers and orchestration (Docker, Kubernetes)

Common Misconfigurations

Default Credentials

text
# Common default credentials still in use
admin:admin
admin:password
root:root
sa:sa
test:test
postgres:postgres
mysql:mysql

# Default API keys
API_KEY=test123
SECRET_KEY=changeme
JWT_SECRET=secret

Debug Mode in Production

javascript
// DANGEROUS: Debug enabled in production
// Django
DEBUG = True  // Exposes stack traces, SQL queries

// Express.js
app.use(errorHandler({ dumpExceptions: true, showStack: true }));

// Next.js .env.production
NODE_ENV=development  // Should be 'production'

// Exposes detailed error messages to attackers:
// - File paths
// - Database queries
// - Stack traces
// - Environment variables

Missing Security Headers

text
# Missing headers that should be present
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()

Exposed Admin Interfaces

text
# Commonly exposed endpoints
/admin
/wp-admin
/phpmyadmin
/adminer.php
/.env
/config.php
/server-status
/debug
/actuator
/graphql (introspection enabled)
/.git
/backup.sql

Cloud Storage Misconfigurations

json
// DANGEROUS: Public S3 bucket policy
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",  // Anyone can access!
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::company-data/*"
  }]
}

// Also dangerous: ListBucket enabled publicly
// Allows attackers to enumerate all files

Real-World Examples

Microsoft Power Apps (2021) - Misconfigured API permissions exposed 38 million records including COVID vaccination data and employee IDs.

Firebase Databases (ongoing) - Thousands of Firebase databases left open with no authentication rules, exposing user data to the public.

Prevention Strategies

1. Implement Security Headers

javascript
// Next.js - next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Frame-Options', value: 'DENY' },
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
        { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'" },
      ],
    }];
  },
};

2. Disable Debug in Production

javascript
// Check environment and disable debug
if (process.env.NODE_ENV === 'production') {
  // Custom error handler - hide details
  app.use((err, req, res, next) => {
    console.error(err); // Log full error server-side
    res.status(500).json({ 
      error: 'Internal server error' // Generic message to client
    });
  });
} else {
  // Development only - show full errors
  app.use((err, req, res, next) => {
    res.status(500).json({ 
      error: err.message,
      stack: err.stack
    });
  });
}

3. Secure Cloud Storage

json
// SECURE: Private S3 bucket policy
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::company-data/*",
    "Condition": {
      "Bool": { "aws:SecureTransport": "false" }
    }
  }]
}

// Also: Enable S3 Block Public Access
// aws s3api put-public-access-block --bucket company-data \
//   --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true"

4. Automated Configuration Scanning

yaml
# GitHub Actions - Security scan in CI/CD
name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      # Scan for secrets
      - name: GitLeaks
        uses: gitleaks/gitleaks-action@v2
      
      # Scan Terraform/CloudFormation
      - name: Checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: infrastructure/
      
      # Check security headers
      - name: Mozilla Observatory
        run: |
          npx observatory-cli ${{ secrets.STAGING_URL }}

5. Environment-Specific Configuration

javascript
// Use environment variables properly
const config = {
  development: {
    debug: true,
    logLevel: 'debug',
    database: 'mongodb://localhost/dev'
  },
  production: {
    debug: false,
    logLevel: 'error',
    database: process.env.DATABASE_URL // From secrets manager
  }
};

const env = process.env.NODE_ENV || 'development';
module.exports = config[env];

// Never commit production secrets to code!

Security Checklist

  • Change all default credentials before deployment
  • Disable debug mode and verbose errors in production
  • Implement all security headers (CSP, HSTS, etc.)
  • Remove or protect admin interfaces
  • Block public access to cloud storage by default
  • Disable unnecessary services and features
  • Automate configuration scanning in CI/CD
  • Use Infrastructure as Code with security reviews
  • Regularly audit and update configurations

Practice Challenges

View all

Debug Mode

Production server, but debug mode is still on.

Easy

Directory Listing

A web server that shows more than it should.

Easy

Default Creds

Admin panel with... admin:admin? Really?

Easy

CORS Wide Open

Access-Control-Allow-Origin: * on sensitive endpoints.

Easy

Robots.txt

A robots.txt that's a roadmap to hidden endpoints.

Easy
+1 more challenges

Related Articles

View all

CORS Misconfigurations: A Practical Exploitation Guide

Cross-Origin Resource Sharing (CORS) is one of the most misunderstood security mechanisms in web development. When configured incorrectly, it can expose your users' sensitive data to attackers. In this...

Zero Trust Security: The Complete Implementation Guide for 2025

The traditional "castle and moat" security model is dead. With remote work, cloud services, and sophisticated attackers, the network perimeter has dissolved. Zero Trust offers a new paradigm: never tru...