
Security Misconfiguration

Vulnerabilities arising from insecure default configurations, incomplete setups, or overly permissive settings in applications and infrastructure.

Tags: vulnerability, configuration, infrastructure security

Security misconfiguration refers to a broad category of vulnerabilities caused by insecure or incomplete configuration of applications, frameworks, servers, databases, and cloud services. This is one of the most prevalent vulnerability categories because it can occur at any level of the application stack — from network services to application frameworks to cloud IAM policies.

Common examples include: default credentials on admin panels, unnecessary services or features enabled, verbose error messages that leak stack traces, missing security headers (CSP, HSTS, X-Frame-Options), directory listing enabled on web servers, cloud storage buckets with public access, and outdated software with known vulnerabilities.

Security misconfiguration is ranked #5 in the OWASP Top 10 and is particularly insidious because many misconfigurations don't produce visible errors — they silently weaken the application's security posture until exploited.

How APVISO tests for this: APVISO's recon agent systematically checks for common misconfigurations including exposed admin panels, default credentials, missing security headers, verbose error pages, directory listings, and accessible configuration files. The scanner agent then tests any discovered misconfigurations for exploitability.
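The response-level checks named above (missing CSP/HSTS/X-Frame-Options, directory listings, verbose error pages) can be expressed as a small audit over a captured HTTP response. This is an added example, not APVISO's code; the sample responses are constructed, and the finding codes and regexes are this example's own conventions.

```python
"""Audit a captured HTTP response for the misconfigurations listed above."""
import re
from typing import Callable, Dict, List


def _hsts_ok(value: str) -> bool:
    """HSTS only helps with a positive max-age; max-age=0 disables it."""
    m = re.search(r"max-age=(\d+)", value.lower())
    return bool(m) and int(m.group(1)) > 0


# Headers the page names, with a minimal sanity check on each value.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "content-security-policy": lambda v: v.strip() != "",
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

# Body signatures: a web-server directory index and common stack-trace formats.
DIR_LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)
STACK_TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)|at [\w.$]+\(\w+\.java:\d+\)|Stack trace:")


def audit_response(status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Return finding codes for one response; an empty list means nothing found."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name, check in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing-header:{name}")
        elif not check(lower[name]):
            findings.append(f"weak-header:{name}")
    if DIR_LISTING_RE.search(body):
        findings.append("directory-listing")
    if status >= 500 and STACK_TRACE_RE.search(body):
        findings.append("verbose-error")  # stack trace leaked to the client
    return findings


# Constructed sample responses (status, headers, body), not real captures.
SAMPLE_ERROR_PAGE = (500, {"Content-Type": "text/html"},
                     "<h1>Internal Server Error</h1><pre>Traceback (most recent call last):\n"
                     "  File \"app.py\", line 12, in handler</pre>")
SAMPLE_LISTING = (200, {"Content-Security-Policy": "default-src 'self'",
                        "Strict-Transport-Security": "max-age=0",
                        "X-Frame-Options": "ALLOWALL"},
                  "<html><head><title>Index of /backup</title></head></html>")
SAMPLE_HARDENED = (200, {"Content-Security-Policy": "default-src 'self'",
                         "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                         "X-Frame-Options": "DENY"},
                   "<html><body>ok</body></html>")
```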
