Security misconfiguration-related vulnerabilities are part of the OWASP Top 10 2017, where they are covered under A6:2017 Security Misconfiguration. Some of the vulnerabilities listed under this category are as follows:
- Security hardening has not been performed across the application stack.
- Unnecessary or unwanted features are enabled or installed (for example, ports, services, admin pages, accounts, or privileges). The following image shows the default Tomcat page accessible to all users:
- Application default accounts are active with default passwords.
- Improper error handling reveals stack traces and internal application information as shown in the following image:
- Application servers, application frameworks (for example, Struts, Spring, ASP.NET), libraries, databases, and so on, aren't configured securely.
- The application allows directory listing as shown in the following image:
Nikto is an excellent tool that scans for security misconfiguration issues, as shown in the following image:
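Several of the misconfigurations listed above leave recognisable fingerprints in ordinary HTTP responses. The following is an added example, not code from the original page or from Nikto, that audits a set of captured responses for three of them: the default Tomcat welcome page, stack traces leaked through an error page, and directory listings. The sample responses are constructed for illustration and do not come from any real host.

```python
import re

# Constructed sample responses keyed by request path: (status code, body).
# They illustrate the misconfigurations discussed above, plus one clean page.
SAMPLE_RESPONSES = {
    "/": (200, "<html><title>Apache Tomcat/9.0</title><body>"
               "If you're seeing this, you've successfully installed Tomcat. "
               "Congratulations!</body></html>"),
    "/api/orders": (500, "HTTP Status 500 - Internal Server Error\n"
                         "java.lang.NullPointerException\n"
                         "\tat com.example.OrderService.load(OrderService.java:42)"),
    "/uploads/": (200, "<html><head><title>Index of /uploads</title></head>"
                       "<body><h1>Index of /uploads</h1>"
                       "<a href='../'>Parent Directory</a></body></html>"),
    "/login": (200, "<html><body><form action='/login' method='post'>"
                    "</form></body></html>"),
}

# Each check pairs a finding label with a predicate over (status, body).
# The stack-trace check only fires on 5xx responses that contain a Java
# frame line such as "at pkg.Class.method(Class.java:42)".
CHECKS = [
    ("default-tomcat-page",
     lambda status, body: "successfully installed Tomcat" in body),
    ("stack-trace-leak",
     lambda status, body: status >= 500 and re.search(
         r"\n\s*at [\w.$]+\(\w+\.java:\d+\)", body) is not None),
    ("directory-listing",
     lambda status, body: re.search(r"<title>Index of /", body, re.I) is not None),
]


def audit_response(status, body):
    """Return the labels of every check that matches one response."""
    return [label for label, check in CHECKS if check(status, body)]


def audit_all(responses):
    """Audit every captured response; return {path: [labels]} for paths with findings."""
    findings = {}
    for path, (status, body) in responses.items():
        hits = audit_response(status, body)
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, labels in audit_all(SAMPLE_RESPONSES).items():
        print(f"{path}: {', '.join(labels)}")
```

The checks are deliberately conservative (a 5xx status is required before a stack trace counts), so a clean page such as `/login` produces no finding; a real scanner like Nikto applies many more signatures than the three shown here.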