Home › BCA Cyber Security › cybersecurity › Web Security — OWASP › What does the SECURITY MISCONFIGURATION category…
What does the SECURITY MISCONFIGURATION category (A05 in 2021) typically include?
AOnly firewall rules
Bdefault creds, verbose errors, unpatched
COnly encryption key rotation
DOnly user training programs
Answer & Solution
Correct answer: B. default creds, verbose errors, unpatched
1. SECURITY MISCONFIGURATION: any insecure default, missing hardening, or unnecessary feature enabled.
2. COMMON examples:
• Cloud storage buckets (S3, Azure Blob) set to PUBLIC instead of private
• Default admin/admin credentials never changed
• Verbose stack traces in production responses
• Unnecessary HTTP methods (PUT/DELETE on read-only endpoints)
• Outdated software with known CVEs
3. MITIGATIONS: HARDENING guides, CIS Benchmarks, infrastructure-as-code with secure baselines, automated config scanning (CSPM tools).
4. The Capital One breach (2019) was largely a security misconfiguration of WAF rules.
_Source: OWASP Top 10 2021 — A05: Security Misconfiguration._
Related questions
What does HTTPS provide over plain HTTP?Which OWASP category covers using libraries with KNOWN CVEs?OWASP recommends LOGGING and MONITORING for the SECURITY LIFECYCLE becauseAn IDOR (Insecure Direct Object Reference) attack happens whenCROSS-SITE REQUEST FORGERY (CSRF) is best mitigated byWhich mitigation is the SINGLE most effective defense against SQL Injection?SERVER-SIDE REQUEST FORGERY (SSRF) — A10 in OWASP 2021 — happens whenThe OWASP 2021 category A04 'INSECURE DESIGN' is a NEW category that addresses