Security misconfigurations can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and preinstalled virtual machines, containers, and storage. Such flaws frequently give attackers unauthorized access to system data or functionality, occasionally even resulting in a complete system compromise.
As a further indication of how prevalent security misconfigurations are, application misconfiguration is the fifth-most-dangerous risk on the OWASP Top 10 list of vulnerabilities.
Many applications come with developer features such as debug and QA features that are dangerously unsafe if not deactivated when deployed. Configuration files that are not properly locked down may reveal clear text (unencrypted text that can be read by anyone), and default settings in configuration files may not have been set with security in mind.
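An added example, not part of the original page: a small Python audit that flags the three problems described above (developer features left enabled, a configuration file readable beyond its owner, and clear-text or default credentials). The INI layout, key names and default-value list are assumptions constructed for illustration, and the checks are heuristics rather than a complete scanner.

```python
import configparser
import os
import re
import stat
import tempfile

# Constructed sample config (hypothetical keys, not from any real product).
SAMPLE = """\
[app]
debug = true
qa_endpoints = enabled
[database]
password = admin
"""

DEV_FLAGS = re.compile(r"debug|qa|test|trace", re.I)       # developer-feature keys
SECRET_KEYS = re.compile(r"pass(word)?|secret|token|api_?key", re.I)
TRUTHY = {"1", "true", "yes", "on", "enabled"}
DEFAULTS = {"admin", "password", "changeme", "root", ""}   # assumed weak defaults

def audit(path):
    """Return findings for loose permissions, dev features and secrets."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH | stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"file mode {mode:04o} lets group/other access the config")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    for section in cfg.sections():
        for key, value in cfg.items(section):
            name = f"{section}.{key}"
            if DEV_FLAGS.search(key) and value.strip().lower() in TRUTHY:
                findings.append(f"{name}: developer feature left enabled")
            if SECRET_KEYS.search(key):
                # Heuristic: any value under a secret-looking key counts as clear text.
                findings.append(f"{name}: secret stored in clear text")
                if value.strip().lower() in DEFAULTS:
                    findings.append(f"{name}: default or empty credential")
    return findings

def demo(text=SAMPLE, mode=0o644):
    """Write `text` to a temporary file with `mode`, audit it, clean up."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.ini")
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)  # 0644 mimics a config left world-readable
        return audit(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```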