Web Server Security Misconfiguration
If web servers may be configured improperly, we have to reconfigure them properly. This page gives you checklists for likely misconfiguration.
- [A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)
Checklist
- The admin page allows non-admin users to access.
- Directory listing is enabled.
- Test environment is public.
- Default username and password.
- Admin’s password is easy to guess e.g. "admin", "password123", etc.
- The software is out of date or vulnerable version.
- Attacker-friendly error messages are displayed e.g. it reveals the software version.
- A cloud service provider (CSP) has default sharing permissions.
- Unsecure
http
protocol is used rather thanhttps
.
Check CSP (Content-Security-Policy)
We can check if the CSP is vulnerable or not using online tools as below.