("admin/admin" or similar). If these aren't changed, an attacker can literally just log in. The Mirai botnet in 2016 famously infected thousands of IoT devices by simply trying a list of default passwords on gadgets like routers and cameras, since consumers rarely changed them.
- Directory listing enabled on a web server, exposing all files if no index page is present. This can reveal sensitive files.
- Leaving debug mode or verbose error messages on in production. Debug pages can provide a wealth of information (stack traces, database credentials, internal IPs). Even error messages that are too detailed can help an attacker fine-tune an exploit.
- Not setting security headers such as CSP, X-Content-Type-Options, X-Frame-Options, etc., which can leave the application vulnerable to attacks like clickjacking or content-type confusion.
- Misconfigured cloud storage (like an AWS S3 bucket set to public when it should be private). This has caused several data leaks where backup files or logs were publicly accessible because of a single configuration flag.
- Running outdated software with known vulnerabilities is sometimes regarded as a misconfiguration, or as an instance of using vulnerable components (which is its own category, often overlapping with this one).
- Improper configuration of access control in cloud or container environments (for instance, the Capital One breach we described can also be seen as a misconfiguration: an AWS IAM role had overly broad permissions; see krebsonsecurity.com).

**Real-world impact**: Misconfigurations have caused a great many breaches. One example: in 2018 an attacker accessed the AWS S3 storage bucket of a federal agency because it had been unintentionally left public; it contained sensitive files. In web apps, a tiny misconfiguration can be
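The items in the list above are all things a deployment review can check mechanically. The following script is an added example written for this page, not code from the original article: it audits a constructed application configuration (debug flag, directory listing, default admin credentials, storage ACL) and a constructed set of HTTP response headers (CSP, X-Content-Type-Options, X-Frame-Options, HSTS, version-revealing banners) and returns a list of findings. The configuration keys, the header expectations and the sample default-credential list are assumptions chosen for illustration.

```python
"""Added example: a small security-misconfiguration audit.

Checks a deployment's settings and response headers for the classes of
mistake discussed in the text. All inputs below are constructed samples;
the config keys and header policy are assumptions for this illustration.
"""
from typing import Dict, List

# Response headers a hardened web app is expected to send (assumed policy).
REQUIRED_HEADERS = {
    "content-security-policy": "restricts where scripts and resources may load from",
    "x-content-type-options": "should be 'nosniff' to prevent MIME-type confusion",
    "x-frame-options": "prevents clickjacking by disallowing framing",
    "strict-transport-security": "forces HTTPS on returning visitors",
}

# Vendor-style default credentials to flag (constructed list, not exhaustive).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or weak security headers."""
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, why in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append(f"missing header {name}: {why}")
    if "x-content-type-options" in lowered and lowered["x-content-type-options"].lower() != "nosniff":
        findings.append("x-content-type-options is present but not 'nosniff'")
    xfo = lowered.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options has an unexpected value {xfo!r}")
    # A version number in a banner tells an attacker which known bugs to look up.
    for banner in ("server", "x-powered-by"):
        if banner in lowered and any(ch.isdigit() for ch in lowered[banner]):
            findings.append(f"{banner} header reveals a version string: {lowered[banner]!r}")
    return findings


def audit_config(config: Dict[str, object]) -> List[str]:
    """Return findings for application-level settings (assumed key names)."""
    findings: List[str] = []
    if config.get("debug") is True:
        findings.append("debug mode is enabled in production (stack traces and internals may be exposed)")
    if config.get("directory_listing") is True:
        findings.append("directory listing is enabled (files without an index page become browsable)")
    cred = (str(config.get("admin_user", "")), str(config.get("admin_password", "")))
    if cred in DEFAULT_CREDENTIALS:
        findings.append(f"admin account still uses a vendor default credential for user {cred[0]!r}")
    if config.get("storage_acl") == "public-read":
        findings.append("object storage bucket is world-readable; make it private unless it serves public assets")
    return findings


def audit(config: Dict[str, object], headers: Dict[str, str]) -> List[str]:
    """Combined audit; an empty list means no misconfiguration was detected."""
    return audit_config(config) + audit_headers(headers)


# Constructed sample: a freshly deployed app that was never hardened.
WEAK_CONFIG = {"debug": True, "directory_listing": True, "admin_user": "admin",
               "admin_password": "admin", "storage_acl": "public-read"}
WEAK_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"}

# Constructed sample: the same app after the fixes.
HARDENED_CONFIG = {"debug": False, "directory_listing": False, "admin_user": "ops-admin",
                   "admin_password": "<unique value set per deployment>", "storage_acl": "private"}
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG, WEAK_HEADERS):
        print("FINDING:", finding)
    print("hardened deployment findings:", audit(HARDENED_CONFIG, HARDENED_HEADERS))
```

Running it against the weak sample reports nine findings (four configuration problems, four missing headers and one version-revealing banner) and none against the hardened sample; in a real pipeline the same checks would run against the actual effective configuration and a live response rather than constructed dictionaries.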