Web Server Security Misconfiguration

Last modified: 2023-10-12


Web servers are often configured improperly, and any misconfiguration we find has to be corrected. This page gives a checklist of likely misconfigurations.


  • The admin page is accessible to non-admin users.
  • Directory listing is enabled.
  • The test environment is publicly accessible.
  • The default username and password are in use.
  • The admin's password is easy to guess, e.g. "admin", "password123", etc.
  • The software is out of date or a vulnerable version.
  • Attacker-friendly error messages are displayed, e.g. ones that reveal the software version.
  • A cloud service provider (CSP) has default sharing permissions.
  • Insecure HTTP is used rather than HTTPS.

Check CSP (Content-Security-Policy)

We can check whether a site's Content-Security-Policy is vulnerable using online tools such as the one below.

Security Headers
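
The same kind of check can be run offline against a header value copied from a response. The script below is an added example, not code from this page or from the Security Headers tool; the function names, the set of checks and the sample policies are assumptions made for illustration.

```python
# Added example: audits a Content-Security-Policy header value offline.
# The checks and finding strings are this example's own choices.
def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_csp(header: str) -> list[str]:
    """Return findings for common weaknesses in a CSP header value."""
    policy = parse_csp(header)
    findings = []
    # script-src and object-src fall back to default-src when absent.
    scripts = policy.get("script-src", policy.get("default-src"))
    objects = policy.get("object-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: scripts are unrestricted")
    else:
        pinned = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                     for s in scripts)
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present.
        if "'unsafe-inline'" in scripts and not pinned:
            findings.append("script-src allows 'unsafe-inline'")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval'")
        for s in scripts:
            # Host and scheme sources are ignored under 'strict-dynamic'.
            if s in ("*", "http:", "https:", "data:") and "'strict-dynamic'" not in scripts:
                findings.append(f"script-src allows overly broad source {s}")
    if objects is None:
        findings.append("no object-src or default-src: plugins are unrestricted")
    if "base-uri" not in policy:
        # base-uri does not fall back to default-src.
        findings.append("base-uri is not set")
    return findings

# Constructed sample header values, not taken from any real site.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https: ; img-src *"
STRICT = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; base-uri 'none'"

if __name__ == "__main__":
    for name, header in (("weak", WEAK), ("strict", STRICT)):
        print(name, audit_csp(header) or "no findings")
```

An empty findings list only means none of these specific checks fired; it does not show the policy is sound.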