Application Misconfiguration attacks take advantage of configuration weaknesses found in web applications. In order to ease installation and configuration tasks, many software packages come preconfigured with vulnerabilities right out of the box. These Application Misconfigurations are options and/or features that can be easily exploited by attackers.
For example, default installations may include well-known usernames and passwords, hard-coded backdoor accounts, special access mechanisms, and incorrect permissions set for files accessible through web servers. Default samples may also be accessible in production environments. Application-based configuration files that are not properly locked down may reveal clear text connection strings to the database, and default settings in configuration files may not have been set with security in mind.
All of these misconfigurations make an application vulnerable to hackers seeking to access unauthorized sensitive information. Application Misconfigurations allow hackers to bypass authentication methods and gain access to sensitive information, perhaps even with elevated privileges.
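As an added example (not part of the original page), the following defensive audit walks a deployed web root and reports three of the weaknesses listed above: default sample content left in place, files with incorrect permissions, and configuration files holding clear-text connection-string passwords. The extension list, sample directory names, regular expression and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed names and patterns for illustration; tune them to the stack being audited.
CONFIG_EXTS = {".config", ".ini", ".properties", ".xml"}
SAMPLE_DIRS = {"examples", "samples", "demo"}
CLEARTEXT_SECRET = re.compile(r"(?i)\b(password|pwd)\s*=\s*[\"']?[^;\s\"']+")

def audit_webroot(root):
    """Return sorted (finding, relative_path) pairs for a deployed web root."""
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in SAMPLE_DIRS:  # default samples shipped to production
                findings.add(("default-sample-content", os.path.relpath(os.path.join(dirpath, d), root)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks and special files
                continue
            if st.st_mode & stat.S_IWOTH:  # POSIX "other" write bit
                findings.add(("world-writable-file", rel))
            if os.path.splitext(name)[1].lower() in CONFIG_EXTS:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if CLEARTEXT_SECRET.search(fh.read()):
                        findings.add(("cleartext-credential-in-config", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample deployment, written to a temporary directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<h1>ok</h1>",
        "app.config": "conn=Server=db;User Id=app;Password=CONSTRUCTED-VALUE;",
        "safe.ini": "conn_secret_ref=vault:app/db",
        "examples/hello.html": "sample page",
        "upload.php": "<?php /* constructed */ ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "upload.php"), 0o666)  # deliberately too permissive
    return root
```

Calling `audit_webroot(build_sample_tree())` lists the findings for the constructed tree; point `audit_webroot` at a real deployment directory to review it before release.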