# Security Misconfiguration (A05:2021)

The application might be vulnerable if it is missing appropriate security hardening or has improperly configured permissions on cloud services.

## Overview

Moving up from #6, 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it's not surprising to see this category move up.

## How Attackers Exploit This

### Default credentials

Administrative interfaces or services are left with default usernames and passwords that are publicly known.

**Detection signal:** Login attempts using common default credential pairs

### Verbose error messages

Detailed error messages expose internal paths, stack traces, or database schemas to attackers.

**Detection signal:** Error responses containing internal file paths, SQL queries, or stack traces

### Unnecessary services

Debug endpoints, sample applications, or development features are left enabled in production.

**Detection signal:** Access to debug endpoints, phpinfo pages, or development tooling

## How to Prevent

- Implement a repeatable hardening process for fast, secure deployment
- Remove or do not install unused features and frameworks
- Review and update configurations appropriate to all security notes
- Use a segmented application architecture for effective separation
- Send security directives to clients (security headers)
- Automate verification of configurations in all environments

## CWEs with Detection Rules (6)

- **CWE-942**: Permissive Cross-domain Policy with Untrusted Domains (9 rules) [python, go]
- **CWE-611**: Improper Restriction of XML External Entity Reference (3 rules) [go, javascript, typescript, python]
- **CWE-547**: Use of Hard-coded, Security-relevant Constants (2 rules) [javascript, typescript, python]
- **CWE-614**: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (2 rules) [python]
- **CWE-16**: Configuration (1 rule) [python]
- **CWE-526**: Cleartext Storage of Sensitive Information in an Environment Variable (1 rule) [go]

## Other Mapped CWEs (14)

- CWE-2
- CWE-11
- CWE-13
- CWE-15
- CWE-260
- CWE-315
- CWE-520
- CWE-537
- CWE-541
- CWE-756
- CWE-776
- CWE-1004
- CWE-1032
- CWE-1174

## Quick Reference

- Total CWEs: 20
- With Shoulder rules: 6
- Detection rules: 18
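As an added example (not part of the original page or of any detection-rule set it lists), the following Python auditor turns the "verbose error messages" detection signal, the CWE-614 cookie check and the "send security directives to clients" item into one automated configuration check that can run against captured HTTP responses in every environment. The required header values, the leak patterns and the two sample responses are this example's own assumptions.

```python
import re

# Security headers for the page's "Send security directives to clients" item;
# the minimum values enforced here are this example's own assumption.
REQUIRED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=\d+"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "content-security-policy": re.compile(r"\S"),
}
# Body patterns for the page's "verbose error messages" detection signal.
LEAK_PATTERNS = [
    ("stack-trace", re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)")),
    ("internal-path", re.compile(r"(?:/var/www|/home/\w+|[A-Z]:\\)[^\s\"<]*")),
    ("sql-query", re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b.+\bFROM\b", re.I)),
]

def audit_response(status, headers, body):
    """Return findings for one response; headers maps name -> list of values."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    for name, pattern in REQUIRED_HEADERS.items():
        if not any(pattern.search(v) for v in hdrs.get(name, [])):
            findings.append(f"missing-or-weak-header:{name}")
    # CWE-614: cookie sent in an HTTPS session without the Secure attribute
    for cookie in hdrs.get("set-cookie", []):
        parts = cookie.split(";")
        cname = parts[0].split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie-without-secure:{cname}")
        if "httponly" not in attrs:
            findings.append(f"cookie-without-httponly:{cname}")
    if status >= 400:  # only error responses are checked for leaked internals
        for label, pattern in LEAK_PATTERNS:
            if pattern.search(body):
                findings.append(f"verbose-error:{label}")
    return findings

# Constructed sample responses (not captured from any real system).
LEAKY = (500, {"Content-Type": ["text/html"], "Set-Cookie": ["sessionid=abc123; Path=/"]},
         'Traceback (most recent call last):\n  File "/var/www/app/views.py", line 42')
HARDENED = (500, {"Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
                  "X-Content-Type-Options": ["nosniff"],
                  "Content-Security-Policy": ["default-src 'self'"],
                  "Set-Cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]},
            "<html><body>Something went wrong. Reference: 7f3a</body></html>")

if __name__ == "__main__":
    print(audit_response(*LEAKY))     # seven findings
    print(audit_response(*HARDENED))  # []
```

The hardened response still returns a 500 but passes cleanly because it sends an opaque reference id instead of a stack trace or path, which is the mitigation the "verbose error messages" section describes.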