SCENARIO

You are conducting a black-box external web application penetration test against Meridian Health, a regional healthcare provider. The client suspects their patient portal has configuration issues but does not know the extent. Find and document all security misconfigurations.

METHODOLOGY

Security Misconfiguration findings are discovered through exploration and observation — not exploitation of application logic. Browse the application carefully. Think about what should not be accessible from the outside. Try common paths. Inspect what the server reveals about itself.

WHAT TO LOOK FOR

• Administrative interfaces accessible without strong authentication
• Default or weak credentials on any login
• Directory listings revealing file structure
• Verbose error messages leaking internal details
• Unnecessary or dangerous HTTP methods enabled
• Missing or misconfigured security response headers
• Sensitive files accessible without authorisation

DELIVERABLE

A complete findings report documenting all misconfigurations discovered, their individual risk ratings, chained impact, and specific remediation steps for each. The report is scored on coverage and quality.