Default welcome page exposure refers to default settings pages left neglected on the attack surface while the system is active. They are most commonly encountered at the beginning stages of installing and running systems, and are used to perform setup tasks.
How Hackers Exploit Exposed Default Welcome Pages
It should be noted that there are more default welcome page systems than one would reasonably expect on the attack surface. These webpages are heavily favored by threat actors, as they contain plenty of exploitable information. It is this wealth of data that makes exposed default welcome pages massive security vulnerabilities for the web system.
Therefore, we must discuss the precise processes hackers use to search and analyze target infrastructure information using exposed default welcome pages. There are two types of default pages that users may encounter: first, the default welcome pages seen when installing, and second, error pages.
Criminal IP (https://www.criminalip.io), as a superior search engine for the IoT, provides precise search filters to aid users in unearthing various types of default welcome pages for their perusal.
Those with experience in operating a system can, of course, identify default welcome pages with basic common sense, even without precise knowledge of the application being handled. By searching with the keyword ‘System Information’ on CIP’s Asset Search (https://www.criminalip.io/asset), one can easily find exposed default welcome pages on the vulnerable open web. Users can also narrow down their search results by filtering for pages with server status code 200. On top of that, adding country codes and the corresponding port numbers can yield fascinating results.
https://www.criminalip.io/asset/search?query=%22System%20Information%22%20status_code:%22200%22
"System Information" status_code:"200"

Vulnerable default welcome page found with the ‘System Information’ keyword
Inputting ‘System Information’ in CIP’s search database yielded a default welcome page with the keyword as its HTML Title string. Once accessed, this website displayed sensitive information such as Site Info, FileSystem Spec and System Uptime—all of which provide critical information on the server’s computing environment.

The default welcome page was found containing the ‘System Information’ keyword, revealing sensitive details of this server’s computing environment.
Common Keywords for Default Welcome Pages
“Status” is yet another keyword commonly found in default welcome pages, often alongside “System Information”. If you click the search link below, you can find plenty of default welcome pages that use “Status” as their HTML title. This particular example, as shown in the screenshot, seems to be the default administrator page of wireless Wi-Fi equipment.
https://www.criminalip.io/asset/search?query=title:%22Status%22%20status_code:200

The vulnerable default welcome page found with the “Status” keyword as the page title
This particular default welcome page allowed users to access system specifics without any authentication. Upon further investigation, the CIP team determined that this web server is a default page for wireless Wi-Fi equipment from Arris International Limited, an American telecommunications equipment company. Having this default welcome page exposed to the attack surface poses a significant security threat that could even alter equipment function and possibly sabotage device control indefinitely.

Arris International Limited Wireless Wifi Equipment Default Welcome Page
Inputting additional keywords pertaining to default welcome page exposure vulnerabilities can narrow down results to pinpoint precision. A good example would be adding the keyword “Panel” before “Status” to yield results pertaining to default welcome pages of Wi-Fi & LTE device equipment.
https://www.criminalip.io/asset/search?query=title:%22Panel%20Status%22

Search results of the query title:"Panel Status"

Exposed device default welcome page on the open web, found with query title:"Panel Status"
System Error Messages as an Attack Surface
Default error pages pop up when the system encounters an unexpected issue. Each computing system has its own unique error page, and each one provides specific information about its host system. They can be found in the same way as the default welcome pages described above. For example, entering the string “Object reference not set to an instance of an object” yielded ASP.NET’s error page immediately, with said string acting as the error page’s HTML title.

Criminal IP Asset Search results for inputting ASP.NET’s error page string
The retrieved error page exposes a portion of the source code that contains the error, and the Stack Trace for the time of the error provides information about the web application.

Source code partially exposed on the error page, along with web application information shown via Stack Trace
Neglected Default Welcome Pages Floating on Cloud Servers
There are plenty of cases where default welcome page exposure vulnerabilities are left unattended on cloud servers. Firebase Cloud Messaging (FCM), a free messaging service server provided by Google, allows users to send messages on a per-app basis. Searching for a web server on Criminal IP Asset Search (https://www.criminalip.io/asset) with “Firebase Cloud Messaging” as the HTML title may yield interesting results.
https://www.criminalip.io/asset/search?query=title:Firebase%20Cloud%20Messaging

Search results of the query “title:Firebase Cloud Messaging”

Case of Default Welcome Page Exposure for Firebase Cloud Messaging Systems
As seen in the example above, FCM’s default welcome page is currently exposed to the open web. This default page sometimes contains Instance ID Token information, also known as the app ID value. Having these token values/API keys leaked can become the root cause of a serious cyber attack. You can read more about this on our blog, where we cover how API keys can be a party to credential leakage.
We plan to cover security threats posed by default welcome pages left unattended in AWS as the second part of our holistic coverage of this issue.
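The same title strings can be turned into a self-audit. The following is an added example, not code from Criminal IP: it checks responses collected without credentials from hosts you operate for the page titles and the ASP.NET error string named in this article. The host names, sample HTML, function names and the exact-match rule are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Titles the article searched for, lower-cased; exact matching is an assumption.
DEFAULT_TITLES = ("system information", "status", "panel status", "firebase cloud messaging")
# ASP.NET error string quoted in the article; it appears as the error page title.
ERROR_MARKER = "object reference not set to an instance of an object"

class TitleParser(HTMLParser):
    """Collects the text of the first <title> element."""
    def __init__(self):
        super().__init__()
        self.in_title, self.done, self.title = False, False, ""
    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.done:
            self.in_title = True
    def handle_endtag(self, tag):
        if tag == "title" and self.in_title:
            self.in_title, self.done = False, True
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def audit_response(status_code, html):
    """Return findings for one response fetched without credentials."""
    parser = TitleParser()
    parser.feed(html)
    parser.close()
    title = " ".join(parser.title.split()).lower()
    findings = []
    if status_code == 200 and title in DEFAULT_TITLES:
        findings.append("default page title: " + title)
    if ERROR_MARKER in title:
        findings.append("ASP.NET error page")
    if "stack trace" in html.lower():
        findings.append("stack trace in body")
    return findings

# Constructed responses standing in for unauthenticated fetches of hosts you own.
SAMPLES = {
    "gw.example.internal": (200, "<title>Status</title><body>Uptime 12d</body>"),
    "app.example.internal": (500, "<title>Object reference not set to an instance of an object.</title><b>Stack Trace:</b>"),
    "shop.example.internal": (200, "<title>Order Status - Shop</title>"),
    "old.example.internal": (404, "<title>System Information</title>"),
}

def audit_inventory(samples):
    return {h: f for h, (code, body) in samples.items() if (f := audit_response(code, body))}

if __name__ == "__main__":
    print(audit_inventory(SAMPLES))
```

Any host that appears in the result is serving one of these pages to unauthenticated clients and should have the page removed, placed behind authentication, or replaced with a generic error page.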
Source : Criminal IP (https://www.criminalip.io)