A05 — Security Misconfiguration (Secure)

1000-ft view: this module shows common configuration mistakes that leak sensitive info or relax controls. On the secure page, each demo shows how to harden the config while keeping usability.

Attack 1 — phpinfo() Exposure

Safe status page instead of phpinfo()

Secure idea: never expose phpinfo() publicly. Provide a minimal “status” view for operators without sensitive paths, env vars, or module config.

  1. Click Show safe status to render sanitized info.
  2. (For comparison, the insecure page renders raw phpinfo() output.)

Attack 2 — Verbose Errors & Stack Traces

display_errors = Off, log to file

Secure idea: show a friendly message to users and log details to a protected file. Don’t leak stack traces to the browser.

  1. Click Trigger secure error to load the safe handler.
  2. Check the UI message; technical details are logged to /a05_misconfig/logs/app.log.
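A minimal PHP setup that implements the idea above, added here as an example (it is not the lab's own code): errors never reach the browser, full details go to the log path from step 2, and the user sees only a reference id. It assumes that path is writable and not served over HTTP.

```php
<?php
// Added example, not the lab's code. Log path taken from the page; the directory
// must not be reachable through the web server.
declare(strict_types=1);

const APP_LOG = __DIR__ . '/a05_misconfig/logs/app.log';

// Production-style PHP settings: never render errors to the browser, always log them.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', APP_LOG);
error_reporting(E_ALL);

if (!is_dir(dirname(APP_LOG))) {
    mkdir(dirname(APP_LOG), 0750, true);
}

// Turn warnings/notices into exceptions so a single handler sees everything.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Write message, file, line and trace to the log with a correlation id; return only
// the id so operators can find the entry and users never see internal paths.
function logAndMask(Throwable $e): string
{
    $id = bin2hex(random_bytes(8));
    $entry = sprintf(
        "[%s] id=%s %s: %s in %s:%d\n%s\n",
        date('c'), $id, get_class($e), $e->getMessage(),
        $e->getFile(), $e->getLine(), $e->getTraceAsString()
    );
    error_log($entry, 3, APP_LOG); // type 3 = append to the given file
    return $id;
}

set_exception_handler(function (Throwable $e): void {
    $id = logAndMask($e);
    http_response_code(500);
    header('Content-Type: text/plain; charset=utf-8');
    // Friendly message only: no stack trace, no file paths, no SQL.
    echo "Something went wrong. Reference: {$id}\n";
});

// Constructed demo trigger: a failure whose message would otherwise leak a server path.
throw new RuntimeException('Could not open config file /var/www/app/.env');
```

The browser gets the one-line message with the reference id; the path and trace are only in app.log.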

Attack 3 — Directory Listing

Options -Indexes

Secure idea: disable auto-indexing so raw folder contents aren’t exposed.

  1. Open the secure directory view (should show the index page, not a file list).
  2. On the insecure page, you’ll see a listing when Options Indexes is enabled.

Attack 4 — Exposed Config / .env

Deny from all / move outside webroot

Secure idea: keep secrets outside the webroot or block direct access with server rules.

  1. Try opening the protected config path (should be Forbidden).
  2. On the insecure page, the same path reveals fake (demo-only) secrets.

Attack 5 — Default Credentials

Force change / disable defaults

Secure idea: block well-known defaults (e.g., admin/admin), force a change at first login, and disable built-in accounts where possible.

  1. Try logging in with admin/admin (should be blocked).
  2. Try any other credentials to see “non-default allowed” (demo only).