A05 — Security Misconfiguration (Insecure)

1000-ft view: this page intentionally shows misconfigured settings that leak sensitive details or weaken controls. Use it to understand the risks before viewing the secure fixes.

Attack 1 — phpinfo() Exposure

Leaking environment & server details

Why it’s bad: phpinfo() dumps the PHP version, loaded extensions, absolute filesystem paths, php.ini settings and every environment variable (which may include database credentials and API keys): a recon goldmine that tells an attacker exactly which exploits and which paths to try.

  1. Click Show phpinfo() to load the raw output.
  2. Scan for modules, paths, and environment details.

Attack 2 — Verbose Errors & Stack Traces

display_errors = On

Why it’s bad: with display_errors = On, PHP writes warnings, fatal errors and stack traces straight into the response, revealing absolute file paths, SQL fragments and the failing line number, exactly what an attacker needs to aim a targeted exploit. In production, errors belong in a log (log_errors = On) and the client should see only a generic error page.

  1. Click Trigger insecure error to render a noisy error page.
  2. Note stack traces / warnings in the iframe.
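The recon an attacker does with the output of Attack 1 and Attack 2 can be automated. The following is an added example for this page, not code from the lab: it parses a phpinfo() page for the version, extensions, risky settings and paths, and parses PHP's verbose error output for file paths, stack frames and SQL fragments. Both HTML samples are constructed to mimic the markup PHP emits; all function and field names are the example's own.

```python
"""Recon from a leaked phpinfo() page and from PHP's verbose error output.

Added example for this lab page (not part of the lab's own code). Both HTML
samples are constructed to mimic the markup PHP itself emits; nothing here
touches the network, so it runs offline against those samples."""
import re
from dataclasses import dataclass, field
from html import unescape

# Constructed phpinfo() fragment: a version banner, key/value rows in
# <td class="e">/<td class="v"> cells, one module_* anchor per extension.
PHPINFO_SAMPLE = """
<h1 class="p">PHP Version 8.1.2</h1>
<table>
<tr><td class="e">System </td><td class="v">Linux web01 5.15.0 x86_64 </td></tr>
<tr><td class="e">Loaded Configuration File </td><td class="v">/etc/php/8.1/apache2/php.ini </td></tr>
<tr><td class="e">display_errors</td><td class="v">On</td><td class="v">On</td></tr>
</table>
<h2><a name="module_curl" href="#module_curl">curl</a></h2>
<h2><a name="module_mysqli" href="#module_mysqli">mysqli</a></h2>
<h2><a name="module_openssl" href="#module_openssl">openssl</a></h2>
<h2>Environment</h2>
<table>
<tr><td class="e">DOCUMENT_ROOT </td><td class="v">/var/www/html </td></tr>
<tr><td class="e">DB_PASSWORD </td><td class="v">s3cret-from-env </td></tr>
</table>
"""

# Constructed error page with html_errors=On: one warning, one uncaught
# exception with a stack trace (the shape "Trigger insecure error" renders).
ERROR_SAMPLE = """<br />
<b>Warning</b>:  include(/var/www/html/inc/missing.php): Failed to open stream: No such file or directory in <b>/var/www/html/index.php</b> on line <b>12</b><br />
<br />
<b>Fatal error</b>:  Uncaught PDOException: SQLSTATE[42S02]: Base table or view not found: 1146 Table 'app.users' doesn't exist in /var/www/html/lib/db.php:27
Stack trace:
#0 /var/www/html/lib/db.php(27): PDO-&gt;query('SELECT id, emai...')
#1 /var/www/html/index.php(9): get_users()
#2 {main}
  thrown in <b>/var/www/html/lib/db.php</b> on line <b>27</b><br />
"""

VERSION_RE = re.compile(r'<h1 class="p">PHP Version\s+([^<]+?)\s*</h1>')
ROW_RE = re.compile(r'<td class="e">\s*([^<]+?)\s*</td>\s*<td class="v">\s*([^<]*?)\s*</td>', re.S)
MODULE_RE = re.compile(r'name="module_([A-Za-z0-9_]+)"')
SECRET_KEY_RE = re.compile(r"PASS|SECRET|KEY|TOKEN", re.I)
INTERESTING_SETTINGS = {"display_errors", "expose_php", "allow_url_include", "open_basedir", "disable_functions"}
ERROR_RE = re.compile(
    r"<b>(Warning|Notice|Fatal error|Deprecated|Parse error)</b>:\s*(.*?)"
    r"\s+(?:thrown\s+)?in\s+<b>([^<]+)</b>\s+on\s+line\s+<b>(\d+)</b>",
    re.S,
)
FRAME_RE = re.compile(r"#\d+\s+(/\S+?)\((\d+)\):\s*([^\n<]+)")   # "#0 /path/file.php(27): call(...)"
SQL_RE = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^'\n<]*", re.I)
PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.-]+/)*[\w.-]+")          # absolute Unix paths

@dataclass
class PhpinfoFacts:
    version: str = ""
    extensions: list = field(default_factory=list)
    paths: dict = field(default_factory=dict)     # row name -> filesystem path
    secrets: dict = field(default_factory=dict)   # env vars whose name smells like a credential
    settings: dict = field(default_factory=dict)  # php.ini values worth knowing

@dataclass
class ErrorLeak:
    level: str
    message: str
    file: str
    line: int
    frames: list = field(default_factory=list)    # (file, line, call) from the stack trace
    queries: list = field(default_factory=list)   # SQL fragments quoted in the trace
    paths: list = field(default_factory=list)     # every absolute path mentioned

def parse_phpinfo(body):
    facts = PhpinfoFacts()
    m = VERSION_RE.search(body)
    if m:
        facts.version = m.group(1)
    facts.extensions = sorted(set(MODULE_RE.findall(body)))
    for key, value in ROW_RE.findall(body):
        if value.startswith("/"):
            facts.paths[key] = value
        if SECRET_KEY_RE.search(key):
            facts.secrets[key] = value
        if key in INTERESTING_SETTINGS:
            facts.settings[key] = value
    return facts

def parse_php_errors(body):
    leaks = []
    for level, raw_msg, path, line in ERROR_RE.findall(body):
        msg = unescape(raw_msg)
        frames = [(f, int(n), call) for f, n, call in FRAME_RE.findall(msg)]
        leaks.append(ErrorLeak(
            level=level, message=msg.splitlines()[0].strip(), file=path, line=int(line),
            frames=frames,
            queries=[q.group(0).strip() for q in SQL_RE.finditer(msg)],
            paths=sorted(set(PATH_RE.findall(msg)) | {path} | {f for f, _, _ in frames}),
        ))
    return leaks

def leaked_paths(facts, leaks):
    """Union of paths from both sources: the attacker's map of the filesystem."""
    found = set(facts.paths.values())
    for leak in leaks:
        found.update(leak.paths)
    return sorted(found)

if __name__ == "__main__":
    facts = parse_phpinfo(PHPINFO_SAMPLE)
    leaks = parse_php_errors(ERROR_SAMPLE)
    print("PHP", facts.version, "extensions:", ", ".join(facts.extensions))
    print("risky settings:", facts.settings, "secrets in env:", list(facts.secrets))
    for leak in leaks:
        print(f"{leak.level}: {leak.file}:{leak.line} queries={leak.queries}")
    print("filesystem map:", leaked_paths(facts, leaks))
```

The point of the combined `leaked_paths` view is that neither leak is harmless on its own: phpinfo() gives the document root and the php.ini location, and the error page gives the include tree and which file talks to the database, so together they turn a later file-read or include bug into a precise target.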

Attack 3 — Directory Listing

Options Indexes (enabled)

Why it’s bad: with Options Indexes enabled, Apache auto-generates a listing for any directory that has no index file, leaking filenames and directory structure; backups, database dumps, .env files and admin paths that were only hidden by an unguessable name are found this way.

  1. Open the files directory and observe the raw listing.
  2. If you don’t see a listing, make sure the lab’s .htaccess_insecure is active as .htaccess in that directory (the listing only appears when Options Indexes is in effect and the directory has no index file).

Attack 4 — Exposed Config / .env

Directly fetchable secrets

Why it’s bad: to the web server a .env or config.php inside the webroot is just another file; unless access to it is explicitly denied (or it lives outside the document root), anyone who guesses the name can download the database passwords and API keys it holds. A config.php is normally executed rather than served, so it leaks its source when a copy is left behind as .bak or .txt, or when the PHP handler is missing.

  1. Open the exposed .env file.
  2. Open the exposed config.php file.
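Attack 3 and Attack 4 chain naturally: the listing tells you which files exist, and the fetched files give up their secrets. The following is an added example for this page, not code from the lab. It parses an Apache autoindex page into filenames, flags the ones worth fetching, and pulls credentials out of a .env file and out of PHP config source. The listing, .env and config.php bodies are constructed samples (the filenames echo the lab's own .htaccess_insecure); the function names and the sensitivity patterns are the example's own choices.

```python
"""Directory listing and exposed-config triage.

Added example for this lab page (not part of the lab's own code). The
autoindex page, .env file and config.php source below are constructed
samples in the shape Apache and typical PHP apps produce; the code runs
offline against them, so nothing is fetched."""
import re
from urllib.parse import unquote

# Constructed Apache autoindex body for the lab's files directory.
LISTING_SAMPLE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /files</title></head>
<body><h1>Index of /files</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href=".env"> .env</a></li>
<li><a href=".htaccess_insecure"> .htaccess_insecure</a></li>
<li><a href="backup/"> backup/</a></li>
<li><a href="config.php"> config.php</a></li>
<li><a href="db.sql.bak"> db.sql.bak</a></li>
<li><a href="logo.png"> logo.png</a></li>
</ul></body></html>
"""

# Constructed .env using the quoting styles dotenv loaders accept.
DOTENV_SAMPLE = """# app settings (constructed sample)
APP_ENV=production
export DB_HOST=db.internal
DB_USER="app"
DB_PASSWORD='Tr0ub4dor&3'
STRIPE_SECRET_KEY=sk_test_0000000000000000  # rotate me
DEBUG=false
"""

# Constructed config.php as served raw (a .bak copy, a text/plain handler,
# or a server that has lost its PHP handler all expose source this way).
CONFIG_PHP_SAMPLE = """<?php
define('DB_HOST', 'db.internal');
define('DB_PASS', 'Tr0ub4dor&3');
$api_token = "tok_live_123";
"""

TITLE_RE = re.compile(r"<title>\s*Index of\s+([^<]+?)\s*</title>", re.I)
HREF_RE = re.compile(r'<a\s+href="([^"]+)"', re.I)
SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)
PHP_ASSIGN_RE = re.compile(r"""(?:define\(\s*['"](\w+)['"]\s*,|\$(\w+)\s*=)\s*['"]([^'"]*)['"]""")

# (pattern, why it matters); the first match wins.
SENSITIVE = [
    (re.compile(r"^\.env(\..+)?$"), "dotenv secrets"),
    (re.compile(r"^\.(git|svn|hg)/?$"), "VCS metadata (source and history)"),
    (re.compile(r"^\.htaccess"), "Apache config (shows what is and is not protected)"),
    (re.compile(r"(^|[.-])(config|settings|credentials|secrets)\.(php|json|ya?ml|ini|xml)$"), "application config"),
    (re.compile(r"\.(bak|old|orig|swp|sql|gz|zip|tar|log)$"), "backup, dump or log"),
    (re.compile(r"/$"), "subdirectory: recurse"),
]

def parse_directory_listing(body):
    """Return (directory, [entries]) for an Apache autoindex page, else None."""
    m = TITLE_RE.search(body)
    if not m:
        return None
    entries = []
    for href in HREF_RE.findall(body):
        # Skip the parent link, FancyIndexing sort links (?C=N;O=D) and absolute URLs.
        if href.startswith(("/", "?", "http://", "https://")):
            continue
        entries.append(unquote(href))
    return m.group(1), entries

def triage(entries):
    """Map each listed name to the reason it is worth fetching; noise is dropped."""
    hits = {}
    for name in entries:
        for pattern, why in SENSITIVE:
            if pattern.search(name):
                hits[name] = why
                break
    return hits

def parse_dotenv(text):
    """Minimal dotenv parser: comments, 'export' prefix, quoted values, inline comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] in "\"'" and value.endswith(value[0]):
            value = value[1:-1]
        else:
            value = value.split(" #", 1)[0].rstrip()
        values[key.strip()] = value
    return values

def parse_php_config(source):
    """Pull define('NAME', 'value') and $var = 'value' string literals out of PHP source."""
    return {const or var: val for const, var, val in PHP_ASSIGN_RE.findall(source)}

def find_secrets(values):
    """Keys whose names suggest a credential, with a non-empty value."""
    return {k: v for k, v in values.items() if v and SECRET_NAME_RE.search(k)}

if __name__ == "__main__":
    directory, entries = parse_directory_listing(LISTING_SAMPLE)
    print(f"listing of {directory}:", triage(entries))
    print(".env secrets:", find_secrets(parse_dotenv(DOTENV_SAMPLE)))
    print("config.php secrets:", find_secrets(parse_php_config(CONFIG_PHP_SAMPLE)))
```

The `triage` patterns are deliberately broad: on a real engagement a `backup/` directory or a `db.sql.bak` found in a listing is usually a bigger finding than the listing itself, and the .env parser handles the `export` and quoted forms because dotenv files copied from a developer's shell profile tend to use them.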

Attack 5 — Default Credentials

admin / admin works

Why it’s bad: admin / admin is in every default-credential wordlist, so automated scanners and attackers try it first; shipping with known defaults, and never forcing them to be changed, lets attackers walk right in with no exploit needed.

  1. Submit admin / admin to access the demo panel.
  2. Try other credentials; note that nothing in the panel ever prompts for, or enforces, a change of the default password.
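To make the contrast concrete, the following is an added example for this page, written in Python to show the logic; the lab's own panel is PHP and is not reproduced here. The insecure half mirrors what the page describes (admin / admin accepted, nothing forces a change). The hardened half is the shape a fix should take, not code from the lab: a random bootstrap password issued at install time, a must-change flag that blocks normal use until it is rotated, salted scrypt hashing with a constant-time compare, and a rotation path that rejects the obvious defaults. All names are the example's own.

```python
"""Default credentials: the demo panel's check beside a hardened one.

Added example for this lab page, not the lab's own code. insecure_login()
mirrors the page's description of the demo panel; AccountStore is the
suggested hardened shape, with its own invented names."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# ---- Insecure: a shipped default that nothing ever rotates -----------------
DEFAULT_ACCOUNTS = {"admin": "admin"}  # baked into the install, identical on every box

def insecure_login(username, password):
    # Plain-text comparison against the shipped default; succeeds forever.
    return DEFAULT_ACCOUNTS.get(username) == password

# ---- Hardened: random bootstrap secret, forced rotation, salted scrypt -----
WEAK_PASSWORDS = {"admin", "password", "admin123", "changeme", "letmein"}

@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change: bool  # True until the bootstrap password has been replaced

class AccountStore:
    def __init__(self):
        self._accounts = {}

    @staticmethod
    def _digest(password, salt):
        # scrypt with 16 MiB of memory (n=2**14, r=8): slow enough to blunt
        # offline guessing if the account table is ever dumped.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                              maxmem=64 * 1024 * 1024, dklen=32)

    def _store(self, username, password, must_change):
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, self._digest(password, salt), must_change)

    def bootstrap_admin(self, username="admin"):
        """Installer path: seed the first admin with a random one-time password
        (displayed once at install time), flagged so it must be replaced."""
        initial = secrets.token_urlsafe(12)
        self._store(username, initial, must_change=True)
        return initial

    def login(self, username, password):
        """Return 'ok', 'change-required' or 'denied'. Constant-time compare, and a
        dummy hash for unknown users so response time does not reveal valid names."""
        acct = self._accounts.get(username)
        if acct is None:
            self._digest(password, bytes(16))
            return "denied"
        if not hmac.compare_digest(self._digest(password, acct.salt), acct.digest):
            return "denied"
        return "change-required" if acct.must_change else "ok"

    def change_password(self, username, current, new):
        """Rotation is the only way out of 'change-required'; reject the obvious
        defaults, anything short, and anything equal to the username."""
        if self.login(username, current) == "denied":
            return False
        if len(new) < 12 or new.lower() in WEAK_PASSWORDS or new.lower() == username.lower():
            return False
        self._store(username, new, must_change=False)
        return True

if __name__ == "__main__":
    print("insecure admin/admin:", insecure_login("admin", "admin"))
    store = AccountStore()
    first = store.bootstrap_admin()
    print("hardened admin/admin:", store.login("admin", "admin"))
    print("hardened bootstrap secret:", store.login("admin", first))
    print("rotate to 'admin':", store.change_password("admin", first, "admin"))
    print("rotate to a passphrase:", store.change_password("admin", first, "correct horse battery staple"))
    print("old secret after rotation:", store.login("admin", first))
```

The `change-required` state is what the demo panel lacks: a default that works is only half the problem, the other half is that nothing ever makes the operator replace it, so the hardened store refuses to report `ok` until rotation has happened.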