6. Security Misconfiguration (OWASP Top 10)

Security Misconfiguration

* Missing appropriate security hardening across any part of the stack, or improperly configured permissions on cloud services.

* Unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges).

* Default accounts and their passwords are still enabled and unchanged.

* Error handling reveals stack traces or other overly informative error messages to users.

* For upgraded systems, the latest security features are disabled or not configured securely.

Example scenario:

* The application server comes with sample applications that were not removed from the production server. These sample applications have known security flaws that attackers use to compromise the server. If one of these applications is the admin console and the default accounts weren't changed, the attacker logs in with the default password and takes over.
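The checks below turn the bullet points above (debug/stack-trace exposure, default credentials, bundled sample applications, unnecessary open ports) into a startup self-audit, with a production-safe error response beside the debug one. This is an added example, not OWASP material; the credential pairs, sample-app paths and the AppConfig shape are constructed for illustration.

```python
from __future__ import annotations
import logging
import uuid
from dataclasses import dataclass

# Constructed for this example: factory credential pairs the checker flags
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
# Constructed for this example: context paths typical of bundled sample apps
SAMPLE_APP_PREFIXES = ("/examples", "/sample", "/docs/demo")

@dataclass
class AppConfig:
    debug: bool                 # True: framework renders stack traces to clients
    accounts: dict[str, str]    # username -> password as configured
    deployed_paths: list[str]   # context paths served by the application server
    open_ports: set[int]        # ports the server is listening on
    required_ports: set[int]    # ports the service actually needs

def audit_config(cfg: AppConfig) -> list[str]:
    """Return one finding per misconfiguration found; an empty list means clean."""
    findings = []
    if cfg.debug:
        findings.append("debug mode enabled: stack traces are exposed to users")
    for user, password in cfg.accounts.items():
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"default account '{user}' still uses its factory password")
    for path in cfg.deployed_paths:
        if path.startswith(SAMPLE_APP_PREFIXES):
            findings.append(f"sample application still deployed at {path}")
    for port in sorted(cfg.open_ports - cfg.required_ports):
        findings.append(f"unnecessary port {port} is listening")
    return findings

def error_response(exc: Exception, cfg: AppConfig) -> dict[str, str]:
    """Client-facing error body: exception details only in debug mode; in production
    the client gets a reference id and the details go to the server log only."""
    if cfg.debug:
        return {"error": repr(exc)}
    ref = uuid.uuid4().hex[:12]
    logging.getLogger("app").error("ref=%s unhandled %r", ref, exc)
    return {"error": "An internal error occurred.", "reference": ref}

if __name__ == "__main__":
    # Constructed sample: a freshly installed server left at its defaults
    cfg = AppConfig(True, {"admin": "admin"}, ["/app", "/examples/servlets"], {443, 8080}, {443})
    for finding in audit_config(cfg):
        print("FINDING:", finding)
    print(error_response(ValueError("boom"), cfg))
```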
