█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Application Security/OWASP A05: Security Misconfiguration
40 minIntermediate

OWASP A05: Security Misconfiguration

After this lesson, you will be able to: Recognize, find, and fix Security Misconfiguration (OWASP A05): insecure defaults, exposed services, and over-permissive settings.

Security Misconfiguration is OWASP A05: the system is built from secure parts but configured insecurely. Default credentials, verbose error pages, open cloud storage, unnecessary features enabled, and missing security headers all fall here. It is the most common category to introduce by accident.

Prerequisites:Insecure Design

What it is

Misconfiguration is a security-relevant setting left wrong: default or weak admin credentials still active, directory listing enabled, detailed stack traces shown to users, cloud storage buckets set to public, unused ports/services/features enabled, missing security headers (HSTS, CSP, X-Content-Type-Options), or out-of-the-box sample apps left in production. The software is fine; the deployment is not.

💡 Real-world example

Publicly exposed cloud storage is the recurring headline: countless breaches (millions of records each) trace to Amazon S3 buckets left readable by 'All Users' through a single misconfigured permission, exposing customer data, backups, and credentials. Separately, the Mirai botnet (2016) conscripted hundreds of thousands of IoT devices simply by logging in with factory-default usernames and passwords that operators never changed.

How to find it

Misconfiguration is found by scanning and config review.

  1. 1

    Run a vulnerability scanner / config checker (Nikto, OWASP ZAP, cloud config tools) against the target.

  2. 2

    Check for default credentials on every admin panel, database, and device.

  3. 3

    Look at error responses: do stack traces, framework versions, or paths leak?

  4. 4

    Review cloud storage and IAM: any public buckets, over-broad policies, or open security groups?

  5. 5

    Check security headers with a tool like securityheaders.com; missing HSTS/CSP is a finding.

  6. 6

    Look for sample/admin/debug endpoints left enabled in production.

How to fix it

Harden by default and automate the checks.

python
# FIX CHECKLIST
# - Change/disable all default credentials; no shared admin logins.
# - Disable directory listing, debug mode, and verbose errors in prod.
# - Return generic error pages; log details server-side only.
# - Lock down cloud storage: deny public access by default; least-privilege IAM.
# - Remove unused features, ports, services, sample apps.
# - Set security headers (example, Express + helmet):
import helmet from 'helmet';
app.use(helmet()); // HSTS, CSP defaults, X-Content-Type-Options, etc.
# - Automate it: a hardening baseline + config scanning in CI so a
# misconfiguration fails the build instead of reaching production.
Quick Check

An app leaks full stack traces (with framework versions and file paths) on errors. Why is that a security problem?

Pick the best answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←OWASP A04: Insecure Design
Back to Application Security
OWASP A06: Vulnerable and Outdated Components→