Last updated 2017-08-10

Server Misconfiguration

Learn more about server misconfiguration vulnerability


The fifth vulnerability category on the list is called Security Misconfiguration. If a component is susceptible to attack because of an insecure configuration, it is classified as a security misconfiguration. This is considered the same vulnerability regardless of whether the misconfiguration happens in the web server, the database or, for that matter, custom code.


As it is such a broad category, it is a very common vulnerability. A web application is built upon multiple layers, and making a configuration mistake in one of them is quite likely.

Potential impact

The impact varies and depends on the specific kind of misconfiguration. At worst, it could lead to a full takeover, which means stolen sensitive data and an expensive recovery.


In many cases this is one of the easiest vulnerabilities to exploit. For example, if a system admin forgets to delete a default account with admin privileges, all an attacker has to do is google the default credentials to log in.

However, there are of course more difficult variants of this vulnerability type that require more knowledge. Not all misconfigurations result in a possible full takeover, but they may be used as part of a bigger attack.

Learn more at https://blog.detectify.com/2016/06/17/owasp-top-10-security-misconfiguration-5/