Security misconfiguration is the most commonly seen issue in web applications. It occurs when security settings are defined, implemented, or maintained incorrectly. This includes default credentials, open cloud storage, verbose error messages, and unnecessary services.
Common types of security misconfiguration, with examples:

- Unchanged default usernames and passwords (examples: admin/admin, root/root, guest/guest)
- Unused ports, services, pages, or accounts left enabled (examples: debug endpoints, sample apps, admin panels)
- Error messages revealing stack traces and internal details (examples: SQL queries, file paths, server versions)
- Security headers not configured properly (examples: CSP, HSTS, X-Frame-Options missing)
- Publicly accessible S3 buckets and blob storage (examples: open S3, Azure Blob, GCS buckets)
- Unpatched systems with known vulnerabilities (examples: old Apache, PHP, OpenSSL versions)
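The header and information-leak items above can be checked mechanically on a captured response. The following audit function is an added example, not code from the original page or from OWASP; the header sets it inspects are constructed samples, and the one-year HSTS threshold and the CSP `frame-ancestors` substitute for X-Frame-Options are the commonly recommended values rather than anything the page states.

```python
import re
from typing import Dict, List

# Constructed sample responses (not real captures): one weakly configured, one hardened.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html",
    "Server": "Apache/2.4.29 (Ubuntu)",  # leaks a version string
    "Strict-Transport-Security": "max-age=300",  # far too short
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Server": "nginx",
}

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this audit

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]} (lower-cased)."""
    directives: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        parts = chunk.strip().split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return directives

def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header; 0 if absent or malformed."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0

def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map; an empty list means no issue found."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP missing")
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))  # default-src is the fallback
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP allows inline or wildcard scripts")
    if "strict-transport-security" not in h:
        findings.append("HSTS missing")
    elif hsts_max_age(h["strict-transport-security"]) < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options missing")
    for name in ("server", "x-powered-by"):  # version strings are the verbose-info leak above
        if re.search(r"\d+\.\d+", h.get(name, "")):
            findings.append(f"{name} header leaks a version string")
    return findings
```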
Real-world incidents caused by misconfiguration:

- A misconfigured WAF exposed 100M records
- An open Elasticsearch instance exposed a Bing search backend
- A misconfigured server exposed 125GB of source code
- An unprotected S3 bucket leaked 540M user records
Built by an OWASP Member • Part of the OWASP Web Security Lab Series