OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2004.
Weaknesses
The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
Debugging messages help attackers learn about the system and plan a form of attack.
An ASP.NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.
The ASP.NET application does not use an input validation framework.
Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource, making them an easy target for attac...
Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.
The product uses an environment variable to store unencrypted sensitive information.
The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.
A backup file is stored in a directory or archive that is made accessible to unauthorized actors.
The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.
A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.
The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized...
The product makes files or directories accessible to unauthorized actors, even though they should not be.
The product generates an error message that includes sensitive information about its environment, users, or associated data.
The product does not validate, or incorrectly validates, a certificate.
If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.
Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know a...
The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are we...
When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to re...
The J2EE application is configured to use an insufficient session ID length.
The default error page of a web application should not display sensitive information about the product.
The J2EE application stores a plaintext password in a configuration file.
If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.
Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms ...
The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
Categories
Weaknesses in this category are related to improper assignment or handling of permissions.
Concepts
Deprecated or Obsolete
CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is cons...
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website is subject to the Terms of Use as specified by The MITRE Corporation.