Security Misconfiguration

A05:2021 - Default configs & verbose errors

What is Security Misconfiguration?

An application may be vulnerable if it lacks appropriate security hardening anywhere in its stack, or ships with insecure default configurations.

Common Misconfigurations:

  • Default credentials (admin/admin)
  • Verbose error messages with stack traces
  • Unnecessary features enabled
  • Exposed .env files or .git directories
  • Missing security headers

Before WAF: Vulnerable

Without Cloudflare WAF, sensitive configuration data is exposed

Step 1: Access Exposed Configuration

# View exposed .env secrets
/api/misconfig?endpoint=env

# View verbose debug info with stack traces
/api/misconfig?endpoint=debug

# View insecure default config
/api/misconfig?endpoint=config

# View exposed git info
/api/misconfig?endpoint=git

Vulnerability: API exposes secrets, stack traces, and configuration data.

After WAF: Protected

With Cloudflare WAF Managed Rules, common misconfigurations are blocked

Enable Cloudflare Protection:

  1. Go to Cloudflare Dashboard → Security → WAF
  2. Enable "Cloudflare Managed Ruleset"
  3. Enable rules for .env, .git, and config file access
  4. Configure security headers at the edge

Result: Requests for sensitive files and paths are blocked with 403 Forbidden.

Cloudflare Protection

  • File Access Rules: Block .env, .git, and config files
  • Security Headers: Add HSTS, CSP, X-Frame-Options
  • Information Disclosure: Hide server/version details
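The steps and protections above, shown in code as an added example that is not part of this page or of Cloudflare's product: an edge-style filter that refuses requests for .env, .git and config files with 403, adds HSTS/CSP/X-Frame-Options, strips server/version headers, and replaces verbose 5xx bodies. The path patterns, header values, the demo-specific endpoint= rule and the origin/request shapes are assumptions.

```javascript
// Added example, not from the original page or from Cloudflare: an edge-style request
// filter doing in code what the managed rules described above do. Path patterns, header
// values and the demo "endpoint=" rule are illustrative assumptions.

// File-access rules: refuse requests for .env, .git and config files.
const SENSITIVE_PATH = [
  /(^|\/)\.env(\.[\w-]+)?$/i,                       // .env, .env.local, .env.production
  /(^|\/)\.git(\/|$)/i,                             // .git/HEAD, .git/config, ...
  /(^|\/)(config|settings)\.(json|ya?ml|php|ini)$/i,
];
// Custom rule mirroring this demo app's query-parameter endpoints (assumption).
const SENSITIVE_QUERY = /(^|&)endpoint=(env|debug|config|git)(&|$)/i;

function isSensitiveRequest(path, query = '') {
  let decoded;
  try { decoded = decodeURIComponent(path); } catch { return true; } // malformed escapes: refuse
  return SENSITIVE_PATH.some((re) => re.test(decoded)) || SENSITIVE_QUERY.test(query);
}

// Security headers added at the edge; server/version headers removed.
function hardenHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    const key = k.toLowerCase();
    if (key === 'server' || key === 'x-powered-by') continue; // hide implementation details
    out[key] = v;
  }
  out['strict-transport-security'] = 'max-age=31536000; includeSubDomains';
  out['content-security-policy'] = "default-src 'self'";
  out['x-frame-options'] = 'DENY';
  out['x-content-type-options'] = 'nosniff';
  return out;
}

// Proxy one request: block sensitive requests, otherwise forward to origin and scrub the reply.
// `origin` is a function { path, query } -> { status, headers, body } (assumed shape).
function edgeHandle(req, origin) {
  if (isSensitiveRequest(req.path, req.query)) {
    return { status: 403, headers: hardenHeaders({}), body: 'Forbidden' };
  }
  const res = origin(req);
  // Verbose errors: never pass an origin stack trace to the client.
  const body = res.status >= 500 ? 'Internal Server Error' : res.body;
  return { status: res.status, headers: hardenHeaders(res.headers), body };
}

// Constructed origin that behaves like the vulnerable demo: leaks server details and stack traces.
function leakyOrigin(req) {
  const headers = { Server: 'Express/4.18', 'X-Powered-By': 'Express' };
  if (req.path === '/boom') return { status: 500, headers, body: 'Error: db\n    at handler (/srv/app.js:12)' };
  return { status: 200, headers, body: 'ok' };
}
```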