Insecure configuration vulnerabilities

Configurations play a key role in the security of an application. Often, systems and applications will run with a default configuration, pulled from the vendor's manual or from the Internet. This makes guessing passwords, bypassing login pages, and finding well-known setup vulnerabilities a breeze. Another form of insecure configuration management is where a configuration is just plain wrong, either from the start or after changes were made that compromise the security of the application or system. This faulty configuration can then end up getting used everywhere in the company.

Common attacks and weaknesses associated with configuration management are as follows:

  • Server software flaws or misconfigurations that permit directory listing and directory traversal attacks
  • Unnecessary default, backup, or sample files including scripts, applications, configuration files, and web pages
  • Improper file and directory permissions
  • Unnecessary services enabled, including content management and remote administration
  • Default accounts with their default passwords
  • Administrative or debugging functions that are enabled or accessible
  • Overly informative error messages (more details in the error handling section)
  • Misconfigured SSL certificates and encryption settings
  • Use of self-signed certificates to achieve authentication and man-in-the-middle protection
  • Use of default certificates
  • Improper authentication with external systems

The best defense against insecure configuration vulnerabilities is rigorous management of your configurations. You should adhere to a stringent configuration management process, defining procedures around creation, change, and verification of configurations. It should detail how applications are to be configured before deployment, how configuration changes are to be handled, and how to periodically verify that configurations are up to date and still sound from a security standpoint.
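As an added illustration of the verification step in that process (example code, not from the book): a small Python checker that parses a hypothetical key = value configuration and reports every deviation from a baseline, covering several items from the list above (default passwords, debugging functions, directory listing, remote administration, self-signed certificates). The configuration keys, both sample configurations and the list of default passwords are constructed for this example.

```python
from typing import Dict, List
# Constructed sample configurations for a hypothetical web application (not
# from any real product). WEAK_CONFIG carries the kinds of defaults the text
# lists; HARDENED_CONFIG is the same application configured per the baseline.
WEAK_CONFIG = """
admin.password = admin
debug.enabled = true
directory.listing = on
remote.admin.enabled = true
tls.cert = /etc/app/self-signed.pem
"""
HARDENED_CONFIG = """
admin.password = <set-from-secret-store>
debug.enabled = false
directory.listing = off
remote.admin.enabled = false
tls.cert = /etc/app/ca-issued.pem
"""
# Hypothetical baseline: the value each key must have to pass verification,
# plus a small constructed list of vendor-default passwords.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", ""}
REQUIRED = {
    "debug.enabled": "false",
    "directory.listing": "off",
    "remote.admin.enabled": "false",
}

def parse_config(text: str) -> Dict[str, str]:
    """Parse simple 'key = value' lines, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def verify_config(cfg: Dict[str, str]) -> List[str]:
    """Compare a parsed configuration with the baseline; return deviations."""
    findings = []
    for key, expected in REQUIRED.items():
        actual = cfg.get(key, "<missing>")  # a missing key is a finding too
        if actual.lower() != expected:
            findings.append(f"{key}={actual} (expected {expected})")
    if cfg.get("admin.password", "").lower() in DEFAULT_PASSWORDS:
        findings.append("admin.password is a vendor default or empty")
    if "self-signed" in cfg.get("tls.cert", ""):
        findings.append("tls.cert points at a self-signed certificate")
    return findings
```

Run as part of a deployment gate, an empty findings list from `verify_config` means the configuration matches the baseline; anything else should block the deployment until the deviation is explained or fixed.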
