Misconfigured Framework Defaults

See also: Misconfigured React, Misconfigured Angular, Misconfigured Vue.js, Misconfigured Express.js, Misconfigured Spring Boot

TLDR: Misconfigured framework defaults, highlighted in the OWASP Top Ten under “Security Misconfiguration,” leave applications vulnerable to injection attacks, data exposure, and privilege escalation. Leaving default settings in place, enabling unnecessary modules, and overlooking secure configuration options all weaken security. Customizing framework settings and adhering to best practices is essential to mitigate these risks.

https://owasp.org/www-project-top-ten/

One common issue with framework defaults is leaving default credentials unchanged. Many frameworks ship with default usernames and passwords, which attackers can exploit to gain unauthorized access. OWASP advises changing all default credentials immediately after installation and enforcing strong password policies.

https://owasp.org/www-project-cheat-sheets/cheatsheets/Authentication_Cheat_Sheet.html

Another frequent vulnerability arises from retaining default configurations for error handling. Default error pages often disclose sensitive information, such as stack traces or database connection details. OWASP recommends customizing error pages to avoid exposing internal details while securely logging error events for debugging.

https://owasp.org/www-project-cheat-sheets/cheatsheets/Error_Handling_Cheat_Sheet.html

Leaving unnecessary features or modules enabled increases the attack surface. For example, enabling debugging tools, admin panels, or sample applications in production environments exposes systems to abuse. OWASP emphasizes disabling all unused features and modules to reduce risks.

https://owasp.org/www-project-top-ten/

Improper default access controls in frameworks often allow unrestricted access to sensitive resources or endpoints. For instance, frameworks may leave APIs or admin interfaces open by default. OWASP advises reviewing and restricting access controls, implementing role-based access control (RBAC) as a minimum standard.

https://owasp.org/www-project-cheat-sheets/cheatsheets/Access_Control_Cheat_Sheet.html

Default session management settings in frameworks are another common flaw. Using insecure default settings for session cookies, such as not enabling `HttpOnly` or `Secure` flags, makes sessions vulnerable to hijacking. OWASP recommends customizing session management settings to include secure attributes and reasonable timeouts.

https://owasp.org/www-project-cheat-sheets/cheatsheets/Session_Management_Cheat_Sheet.html

Another risk is neglecting to update or patch framework dependencies. Using outdated versions of frameworks exposes applications to known vulnerabilities. OWASP emphasizes the importance of regularly updating frameworks and using dependency management tools to track and resolve security issues.

https://owasp.org/www-project-dependency-check/

Default CORS (Cross-Origin Resource Sharing) settings in frameworks can also pose risks. For example, some frameworks allow requests from all origins (`*`) by default, enabling unauthorized cross-origin interactions. OWASP advises configuring CORS settings explicitly to restrict requests to trusted origins.

https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross-Origin_Request_Sharing_Cheat_Sheet.html
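The two preceding points (session cookie flags and wildcard CORS origins) can be checked mechanically against a server's response headers. The following is an added example, not code from the page or from any of the frameworks named above; the header sets it inspects are constructed for illustration and the cookie name `SESSIONID` is an assumption.

```python
"""Audit HTTP response headers for two framework-default weaknesses:
session cookies missing HttpOnly/Secure/SameSite, and a CORS policy
that allows every origin ('*'). Sample headers are constructed."""


def parse_set_cookie(value):
    """Split 'name=val; Attr; Attr=val' into (name, {attr_lower: val})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """headers: list of (name, value) pairs as sent by the server.
    Returns a list of finding strings; an empty list means no issues."""
    findings = []
    allow_origin = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            if "httponly" not in attrs:
                findings.append(f"cookie {cname}: missing HttpOnly")
            if "secure" not in attrs:
                findings.append(f"cookie {cname}: missing Secure")
            if attrs.get("samesite", "").lower() not in ("lax", "strict"):
                findings.append(f"cookie {cname}: SameSite not Lax/Strict")
        elif lname == "access-control-allow-origin":
            allow_origin = value.strip()
    if allow_origin == "*":
        findings.append("CORS: Access-Control-Allow-Origin is wildcard '*'")
    return findings


# Constructed sample: typical unmodified defaults vs. a hardened configuration.
DEFAULT_HEADERS = [
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Access-Control-Allow-Origin", "*"),
]
HARDENED_HEADERS = [
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Access-Control-Allow-Origin", "https://app.example.com"),
    ("Vary", "Origin"),
]

if __name__ == "__main__":
    print(audit_headers(DEFAULT_HEADERS))   # four findings
    print(audit_headers(HARDENED_HEADERS))  # []
```

Feeding real response headers (for example from a deployment test) into `audit_headers` gives a quick regression check that hardening settings were not silently reverted by a framework upgrade.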

Frameworks that do not enforce encryption for sensitive data by default are another concern. Allowing plaintext transmission of credentials or PII exposes data to interception. OWASP recommends enabling encryption for all sensitive data, using HTTPS and secure storage mechanisms.

https://owasp.org/www-project-top-ten/

Improper logging and monitoring defaults can leave applications blind to security incidents. Frameworks may not log critical events or store logs in insecure locations. OWASP advises configuring logging to include security-relevant events and integrating logs with SIEM tools for monitoring.

https://owasp.org/www-project-cheat-sheets/cheatsheets/Logging_Cheat_Sheet.html

To address these risks, developers and administrators should review and customize all framework settings, disable unnecessary features, and monitor for vulnerabilities. Regular audits, adherence to OWASP Top Ten guidance, and testing with tools like OWASP ZAP or Burp Suite help verify that configurations remain secure.

https://owasp.org/www-project-zap/

misconfigured_framework_defaults.txt · Last modified: 2025/02/01 06:41 by 127.0.0.1