Security Misconfiguration

Check List

Methodology

Black Box

Debug Endpoint Exposed in Production API

Access the API without authentication

Attempt to discover debug or test endpoints

GET /api/debug HTTP/1.1
Host: target.com

If response returns environment variables, stack trace, or configuration data, debug endpoint is exposed

Test additional common debug paths

GET /api/test HTTP/1.1
Host: target.com

GET /api/v1/status HTTP/1.1
Host: target.com

If internal configuration or sensitive metadata is returned, production misconfiguration is confirmed

If debug functionality is accessible publicly, Security Misconfiguration vulnerability exists

Verbose Error Messages in API

Send malformed JSON to an endpoint

POST /api/login HTTP/1.1
Host: target.com
Content-Type: application/json

{"username":"admin","password":}

Observe server response, If full stack trace, file path, framework version, or SQL query is disclosed

Exception in file /var/www/app/controllers/AuthController.js line 47

Then error handling is misconfigured

If internal implementation details are exposed, Security Misconfiguration is confirmed

Directory Listing Enabled on API Path

Attempt directory access

GET /api/ HTTP/1.1
Host: target.com

If response shows directory index listing endpoints or files, directory listing is enabled, Test additional paths

GET /api/v1/ HTTP/1.1
Host: target.com

If internal API structure is revealed, configuration hardening is missing

If sensitive routes are exposed via directory listing, misconfiguration is confirmed

Default Credentials on API Admin Panel

Identify administrative API interface

Attempt authentication with common default credentials

POST /api/admin/login HTTP/1.1
Host: target.com
Content-Type: application/json

{"username":"admin","password":"admin"}

If login succeeds using default or weak credentials, default configuration remains active

If administrative access is granted without credential hardening, Security Misconfiguration vulnerability is confirmed

CORS Misconfiguration Allowing Arbitrary Origin

Send preflight request

OPTIONS /api/user/profile HTTP/1.1
Host: target.com
Origin: https://attacker.com
Access-Control-Request-Method: GET

Observe response headers

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

If API allows wildcard origin with credentials enabled, cross-origin data access is possible

If sensitive API responses are accessible cross-origin due to permissive CORS policy, Security Misconfiguration is confirmed

White Box

Cheat Sheet

PreviousMass Assignment NextInjection Attack

Last updated 1 month ago

hashtagCheck List

hashtagMethodology

hashtagBlack Box

hashtagDebug Endpoint Exposed in Production API

hashtagVerbose Error Messages in API

hashtagDirectory Listing Enabled on API Path

hashtagDefault Credentials on API Admin Panel

hashtagCORS Misconfiguration Allowing Arbitrary Origin

hashtagWhite Box

hashtagCheat Sheet