Security Misconfiguration

A02:2025 – Security Misconfiguration

Security misconfiguration occurs when a system, application, or cloud service is set up insecurely, creating vulnerabilities that an attacker does not have to work to find.

One lab: a sample admin console was left in production with default credentials. Find and use them to access the console.

Significance

Security misconfiguration is significant because it creates avoidable vulnerabilities: default credentials, exposed debug or sample apps, verbose errors, and missing security headers let attackers gain access, gather information, or escalate. Many breaches start with unchanged default passwords or sample applications left in production.

Impact

Misconfigurations can lead to unauthorized access, data exposure, privilege escalation, or full system compromise. Attackers exploit default credentials, exposed debug pages, verbose errors, or missing security headers to gather information and escalate attacks.

Remediation

Establish a repeatable hardening process; remove or disable unnecessary features, sample applications, and default accounts; use a minimal platform and keep components updated; configure security headers and error handling so that stack traces and other sensitive details are never sent to users; restrict cloud and file permissions to the minimum required; and regularly review and audit configuration, for example with automated checks that verify hardening settings and the presence of security headers.
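As an added illustration of the "automated checks" step (this is example code, not part of the lab or of any OWASP project), the script below audits captured HTTP responses for three of the misconfigurations named above: missing security headers, version banners that aid fingerprinting, and stack traces leaking in error responses. The required-header baseline and the two sample responses are constructed assumptions, not output from a real server.

```python
"""Configuration audit over captured HTTP responses (added example, not page code).

Each response is a (status, headers, body) tuple. The baseline below is an
assumed policy; adjust it to your own hardening standard.
"""
import re

# Headers the assumed hardening baseline requires on every response.
REQUIRED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
}

# Patterns that indicate a stack trace or unhandled exception reached the client.
VERBOSE_ERROR_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),          # Python
    re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)"),                # Java
    re.compile(r"Exception in thread|Unhandled exception", re.I),
]

def audit_response(status, headers, body):
    """Return a sorted list of finding strings for one captured response."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in sorted(REQUIRED_HEADERS - set(lowered)):
        findings.append(f"missing header: {name}")
    # Banners carrying a version number (e.g. "Apache/2.4.29") ease fingerprinting.
    for banner in ("server", "x-powered-by"):
        value = lowered.get(banner, "")
        if re.search(r"\d+\.\d+", value):
            findings.append(f"version banner in {banner}: {value}")
    if status >= 500 and any(p.search(body) for p in VERBOSE_ERROR_PATTERNS):
        findings.append("verbose error: stack trace in 5xx response body")
    return findings

# Constructed sample responses: one misconfigured server and one hardened server.
MISCONFIGURED = (500, {"Server": "Apache/2.4.29 (Ubuntu)", "Content-Type": "text/html"},
                 'Traceback (most recent call last):\n  File "app.py", line 12 ...')
HARDENED = (500, {"Server": "webserver",
                  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                  "Content-Security-Policy": "default-src 'self'",
                  "X-Content-Type-Options": "nosniff",
                  "X-Frame-Options": "DENY"},
            "<html><body>An internal error occurred. Reference ID: 7f3a</body></html>")

if __name__ == "__main__":
    for label, resp in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(label, audit_response(*resp))
```

Run it against responses captured from a staging environment to get a repeatable pass/fail list; the hardened sample returns no findings, the misconfigured one returns six.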