Security misconfiguration
We may put a lot of effort into securing the application itself. However, an application does not run in isolation: running it requires supporting components such as a web server, a database server, and more. If the application is not securely configured together with all of these supporting components, many vulnerabilities are opened up to potential attackers. So the application must not only be developed securely, but also be deployed and configured securely.
OWASP mapping
Security misconfiguration-related vulnerabilities are part of the OWASP Top 10 2017, where they are covered under A6:2017 Security Misconfiguration. Some of the vulnerabilities listed under this category are as follows:
- Security hardening not performed across the application stack.
- Unnecessary or unwanted features enabled or installed (for example, ports, services, admin pages, accounts, or privileges). The following image shows the default Tomcat page accessible to all users:
- Application default accounts...
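As an added example that is not part of the original text, the following Python script audits a Tomcat deployment for two of the items listed above: stock webapps (including the default ROOT page shown in the image) left deployed, and privileged accounts with default or weak passwords. The tomcat-users.xml content and the weak-password list are constructed samples, and the stock webapp names assume a standard Tomcat distribution layout.

```python
"""Audit helper for the misconfigurations listed above: stock Tomcat webapps
left deployed and privileged accounts with default or weak passwords."""
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml, as it might look on an unhardened
# server (not taken from any real deployment).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="K7q!vR2m9#zLw4Xp" roles="manager-script"/>
</tomcat-users>
"""

# Webapps bundled with a standard Tomcat distribution (assumption: typical
# layout); ROOT serves the default page the text shows as publicly reachable.
STOCK_WEBAPPS = {"ROOT", "docs", "examples", "manager", "host-manager"}
# Constructed, illustrative list of passwords an auditor would treat as weak.
WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "changeme"}
# Roles that grant deployment or administrative control over the server.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}


def _local(tag):
    """Strip an XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_users(xml_text, min_length=12):
    """Return one finding per privileged account whose password is in the
    weak list, equals its username, or is shorter than min_length."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        pwd = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        held = sorted(roles & PRIVILEGED_ROLES)
        if held and (pwd in WEAK_PASSWORDS or pwd == name or len(pwd) < min_length):
            findings.append(f"user '{name}' holds {held} with a weak or default password")
    return findings


def audit_webapps(deployed):
    """Return stock webapps still present in the deployed set; each should be
    removed unless the deployment explicitly needs it."""
    return sorted(STOCK_WEBAPPS & set(deployed))
```

Run `audit_users` over the server's real tomcat-users.xml and `audit_webapps` over the directory names under its webapps folder; an empty result from both is the hardened state.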