Security Misconfiguration, listed as A06 in the OWASP Top 10 for 2017, refers to improper setup of security controls in applications, servers, databases, or platforms. It includes using default credentials, overly verbose error messages, unnecessary features, or outdated software. These issues often arise from insecure default settings or a lack of hardening and regular maintenance. Attackers can exploit misconfigurations to gain unauthorized access or leak sensitive information. To prevent this, developers and administrators should disable unused services, enforce secure settings, keep systems updated, and automate configuration checks where possible.
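
One way to automate the configuration checks mentioned above, as an added example that is not part of the original page: a small Python auditor that tests a configuration for the four problems listed (default credentials, verbose error messages, unnecessary features, outdated software). The configuration schema, the baseline values and the sample input are constructed assumptions, not taken from any real product.

```python
import json

# Constructed sample configuration (hypothetical schema, for illustration only).
SAMPLE_CONFIG = json.loads("""
{
  "admin": {"username": "admin", "password": "admin"},
  "errors": {"show_stack_traces": true},
  "features": {"directory_listing": true, "sample_apps": false, "status_page": true},
  "components": {"webserver": "2.4.9", "tls_library": "3.0.12"}
}
""")

# Assumed hardening baseline; replace with your own policy.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
ALLOWED_FEATURES = {"status_page"}
MINIMUM_VERSIONS = {"webserver": "2.4.10", "tls_library": "3.0.0"}


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.

    Compared as strings, '2.4.9' sorts after '2.4.10' and would wrongly pass.
    """
    return tuple(int(part) for part in text.split("."))


def audit(config):
    """Return a sorted list of (check_id, detail) findings for one configuration."""
    findings = []
    admin = config.get("admin", {})
    if (admin.get("username"), admin.get("password")) in DEFAULT_CREDENTIALS:
        findings.append(("default-credentials", admin["username"]))
    # Fail closed: a missing setting counts as unsafe until explicitly disabled.
    if config.get("errors", {}).get("show_stack_traces", True):
        findings.append(("verbose-errors", "show_stack_traces"))
    for name, enabled in config.get("features", {}).items():
        if enabled and name not in ALLOWED_FEATURES:
            findings.append(("unnecessary-feature", name))
    for name, minimum in MINIMUM_VERSIONS.items():
        installed = config.get("components", {}).get(name)
        if installed is None or parse_version(installed) < parse_version(minimum):
            findings.append(("outdated-software", f"{name} {installed} < {minimum}"))
    return sorted(findings)


if __name__ == "__main__":
    for check_id, detail in audit(SAMPLE_CONFIG):
        print(f"FAIL {check_id}: {detail}")
```

Run in a deployment pipeline, a non-empty result from `audit` can fail the build so that a misconfigured release never ships.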