A05: Security Misconfiguration
Simulating how detailed error pages can reveal sensitive technical information.
Interactive Simulation: Verbose Errors
Trigger a simulated server error to see how a misconfigured server responds in "development" vs "production" mode.
How to Simulate
- With the defense disabled (dev mode), click 'Trigger Server Error'.
- Observe the verbose error message, which reveals internal details about the application stack.
- Enable 'Production Mode'.
- Trigger the error again and observe that a generic, uninformative message is shown instead.
Explanation
Security misconfiguration can occur at any layer of the application stack: network services, platform, web and application servers, databases, frameworks, and the application's own code. Typical examples are unpatched flaws, default accounts left enabled, unnecessary features or services left switched on, and overly permissive settings. A very common and dangerous misconfiguration is leaving verbose error reporting (framework "debug" mode) enabled in a production environment.
This simulation shows how a detailed error message can leak the web framework, server version, database type, and even internal file paths. An attacker uses this information to craft targeted attacks against known vulnerabilities in those specific software versions.
In production, servers should be configured to return a generic, uninformative error page to the user while logging the detailed error (exception type, stack trace, request context) internally for developers. Including a unique reference ID on the generic page lets support staff locate the matching log entry without exposing any internal detail to the client.
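The two behaviours the simulation toggles between, written out as an added Python example (not the page's own simulation code): one error handler that either returns the full traceback to the client (dev mode) or returns a generic body with an incident ID and keeps the detail in a server-side log (production mode). The failing database call, its hostname, port and version string are constructed for the example; `leaks_internal_details` is a hypothetical helper that checks a response body for stack-trace and product-name markers.

```python
import logging
import re
import traceback
import uuid

# Server-side log. A real deployment writes to a log file or collector; a list
# keeps the example self-contained so the hardened path can be inspected.
SERVER_LOG: list[dict] = []
log = logging.getLogger("app.errors")

# Markers that indicate a response body is leaking stack internals or product names.
LEAK_MARKERS = re.compile(
    r'Traceback \(most recent call last\)|File "[^"]+", line \d+|'
    r"\b(?:PostgreSQL|MySQL|SQLite|Django|Flask|Werkzeug)\b"
)


def query_inventory() -> dict:
    """Constructed failure standing in for a real database call.

    The message mimics what a driver reports on a failed connection: an internal
    hostname, a port and the server version (all hypothetical values)."""
    raise ConnectionError(
        "could not connect to server at db-internal.example:5432 (PostgreSQL 14.2)"
    )


def handle_exception(exc: BaseException, production: bool) -> dict:
    """Turn an unhandled exception into an HTTP 500 response.

    Development mode returns the full traceback to the client (the
    misconfiguration this page demonstrates). Production mode returns a generic
    body with an incident id and records the detail server-side only."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if not production:
        # Verbose error: exception type, message, file paths and line numbers
        # are all sent to whoever triggered the request.
        return {"status": 500, "content_type": "text/plain",
                "body": "Internal Server Error\n\n" + detail}

    incident_id = uuid.uuid4().hex
    SERVER_LOG.append({"incident_id": incident_id, "detail": detail})
    log.error("incident=%s unhandled exception\n%s", incident_id, detail)
    # Generic body: says something failed and how to reference it, nothing more.
    return {"status": 500, "content_type": "text/plain",
            "body": f"Something went wrong. Reference: {incident_id}"}


def trigger_server_error(production: bool) -> dict:
    """Simulate the page's 'Trigger Server Error' button for one mode."""
    try:
        return query_inventory()
    except Exception as exc:  # catch-all at the framework boundary
        return handle_exception(exc, production)


def leaks_internal_details(body: str) -> bool:
    """Return True if a response body contains stack-trace or product-name markers.

    Handy as a quick check against a staging deployment's error pages."""
    return LEAK_MARKERS.search(body) is not None


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for mode in (False, True):
        resp = trigger_server_error(production=mode)
        print(f"--- production={mode} leaks={leaks_internal_details(resp['body'])}")
        print(resp["body"])
```

Running the script prints the dev-mode body with the traceback, file paths and the database hostname and version, then the production body with only an incident reference; `SERVER_LOG` holds the matching detail for developers. The same `leaks_internal_details` check can be pointed at real error responses to confirm that debug mode is off before a release.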