OWASP Top Ten 2004 Category A10 - Insecure Configuration Management

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2004.


Active Debug Code

The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

ASP.NET Misconfiguration: Creating Debug Binary

Debugging messages help attackers learn about the system and plan a form of attack.

ASP.NET Misconfiguration: Missing Custom Error Page

An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

ASP.NET Misconfiguration: Not Using Input Validation Framework

The ASP.NET application does not use an input validation framework.

ASP.NET Misconfiguration: Password in Configuration File

Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attac...

ASP.NET Misconfiguration: Use of Identity Impersonation

Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.

Exposure of Access Control List Files to an Unauthorized Control Sphere

The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.

Exposure of Backup File to an Unauthorized Control Sphere

A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

Exposure of Core Dump File to an Unauthorized Control Sphere

The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.

Exposure of Information Through Directory Listing

A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.

Exposure of Sensitive Information Through Environmental Variables

Environmental variables may contain sensitive information about a remote server.

Exposure of Version-Control Repository to an Unauthorized Control Sphere

The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized...

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Generation of Error Message Containing Sensitive Information

The software generates an error message that includes sensitive information about its environment, users, or associated data.

Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate.

Inclusion of Sensitive Information in an Include File

If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.

Inclusion of Sensitive Information in Source Code

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

Inclusion of Sensitive Information in Test Code

Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know a...

Incomplete Cleanup

The software does not properly "clean up" and remove temporary or supporting resources after they have been used.

Insertion of Sensitive Information Into Debugging Code

The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

J2EE Misconfiguration: Data Transmission Without Encryption

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are we...

J2EE Misconfiguration: Entity Bean Declared Remote

When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to re...

J2EE Misconfiguration: Insufficient Session-ID Length

The J2EE application is configured to use an insufficient session ID length.

J2EE Misconfiguration: Missing Custom Error Page

The default error page of a web application should not display sensitive information about the software system.

J2EE Misconfiguration: Plaintext Password in Configuration File

The J2EE application stores a plaintext password in a configuration file.

J2EE Misconfiguration: Weak Access Permissions for EJB Methods

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system.

.NET Misconfiguration: Use of Impersonation

Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms ...

Storage of File with Sensitive Data Under Web Root

The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.


Permission Issues

Weaknesses in this category are related to improper assignment or handling of permissions.


Deprecated or Obsolete

Weaknesses in OWASP Top Ten (2004)

CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is cons...

See Also

  1. A10 Insecure Configuration Management


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.