Default welcome page exposure refers to unconfigured default web pages left neglected on the attack surface. They are most commonly encountered in the early stages of installing and running a system, where they are used to perform setup tasks.

How Hackers Exploit Exposed Default Welcome Page

It should be noted that there are more default welcome page systems than one would reasonably expect on the attack surface. These webpages are heavily favored by threat actors, as they contain plenty of exploitable information. It is this wealth of data that makes exposed default welcome pages massive security vulnerabilities for the web system.

Therefore, we must discuss the precise processes hackers use to search for and analyze target infrastructure information using exposed default welcome pages. There are two types of default welcome pages accessible to the user: the first are blank pages seen at the start of installation processes, and the second are error pages.

Criminal IP (https://www.criminalip.io), as a superior search engine for the IoT, provides precise search filters to aid users in unearthing various types of default welcome pages for their perusal.

Those with experience in operating a system can, of course, identify default welcome pages with basic common sense, even without precise knowledge of the application being handled. Searching for the keyword ‘System Information’ on CIP’s Asset Search (https://www.criminalip.io/asset) easily turns up exposed default welcome pages on the open web. Users can also narrow down the results by filtering for pages that return HTTP status code 200. On top of that, adding a country code and the corresponding port numbers can yield fascinating results.

https://www.criminalip.io/asset/search?query=%22System%20Information%22%20status_code:%22200%22

"System Information" status_code:"200"

Vulnerable default welcome page found with the 'System Information' keyword

Inputting ‘System Information’ in CIP’s search database yielded a default welcome page with the keyword as its HTML Title string. Once accessed, this website displayed sensitive information such as Site Info, FileSystem Spec and System Uptime—all of which provide critical information on the server’s computing environment.

Default welcome page found containing the 'System Information' keyword, revealing sensitive details of this server's computing environment

Common Keywords for Default Welcome Pages

“Status” is another keyword commonly found in default welcome pages, often alongside “System Information”. As seen in the image below, plenty of default welcome pages use “Status” as their HTML title. The example in the screenshot appears to be the default administrator page of wireless Wi-Fi equipment.

https://www.criminalip.io/asset/search?query=title:%22Status%22%20status_code:200

Vulnerable default welcome pages found with the "Status" keyword as the page title

This particular default welcome page allowed users to access system specifics without any authentication. Upon further investigation, the CIP team determined that this web server is a default page for wireless Wi-Fi equipment from Arris International Limited, an American telecommunications equipment company. Having this default welcome page exposed on the attack surface poses a significant security threat: it could even allow equipment functions to be altered and possibly allow device control to be sabotaged indefinitely.

Arris International Limited Wireless Wifi Equipment Default Welcome Page

Adding further keywords related to default welcome page exposure can narrow the results down with pinpoint precision. A good example is adding the keyword “Panel” in front of “Status”, which yields default welcome pages of Wi-Fi and LTE devices.

https://www.criminalip.io/asset/search?query=title:%22Panel%20Status%22

Search results of the query title:"Panel Status"

Exposed device default welcome page on the open web, found with query title:"Panel Status"

System Error Messages as an Attack Surface

Default error pages appear when the system encounters an unexpected issue. Each computing system has its own unique error page, and each provides specific information pertaining to its host system. The instructions for finding them are the same as those for default welcome pages above. For example, entering the string “Object reference not set to an instance of an object” immediately yielded ASP.NET’s error page, with that string as the error page’s HTML title.

https://www.criminalip.io/asset/search?query=%20Object%20reference%20not%20set%20to%20an%20instance%20of%20an%20object

Criminal IP Asset Search results for inputting ASP.NET's error page string

Looking through the error page shows that the website’s source code is partially exposed, and the stack trace from the time of the error can yield information about the application.

Source code partially exposed on the error page, along with web application information shown via Stack Trace

Neglected Default Welcome Pages Floating on Cloud Servers

There are plenty of cases where default welcome page exposure vulnerabilities are left unattended on cloud servers. Firebase Cloud Messaging (FCM), a free messaging service server provided by Google, allows users to send messages on a per-app basis. Searching for a web server on Criminal IP Asset Search (https://www.criminalip.io/asset) with “Firebase Cloud Messaging” as the HTML title may yield interesting results.

https://www.criminalip.io/asset/search?query=title:Firebase%20Cloud%20Messaging

Search results of the query "title:Firebase Cloud Messaging"

Case of Default Welcome Page Exposure for Firebase Cloud Messaging Systems

As seen in the example above, FCM’s default welcome page is currently exposed to the open web. This webpage at times contains Instance ID Token information, also known as the app ID value. Leaked token values and API keys like these can become the root cause of a serious cyber attack. You can read more about this on our blog, where we cover how API keys can play a part in credential leakage.
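The page titles and error strings searched for in this article can also be checked against your own hosts as a self-audit. The following is an added example, not code from Criminal IP: the function names, finding labels and sample responses are constructed for illustration, and it assumes each response was fetched without credentials.

```python
import re

# Titles and error strings are the ones this article searches for.
WELCOME_TITLES = ["Firebase Cloud Messaging", "System Information",
                  "Panel Status", "Status"]  # most specific first
ERROR_STRINGS = ["Object reference not set to an instance of an object",
                 "Stack Trace"]
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def page_title(html):
    """Return the text of the first <title> element, or an empty string."""
    match = TITLE_RE.search(html)
    return match.group(1).strip() if match else ""


def audit_response(status, html):
    """Return findings for one response fetched without credentials."""
    findings = []
    title = page_title(html)
    if status == 200:  # content was served, no auth challenge or redirect
        for phrase in WELCOME_TITLES:
            # Whole-phrase match; a hit is a candidate for manual review.
            if re.search(rf"\b{re.escape(phrase)}\b", title, re.I):
                findings.append(f"welcome-page title: {phrase}")
                break
    for text in ERROR_STRINGS:  # error detail leaks at any status code
        if text.lower() in html.lower():
            findings.append(f"error detail: {text}")
    return findings


# Constructed sample responses (status, body); not captured from real hosts.
SAMPLES = {
    "cpe": (200, "<html><head><title>Panel Status</title></head>"
                 "<body>Uptime 12d</body></html>"),
    "aspnet": (500, "<title>Object reference not set to an instance of an "
                    "object.</title><b>Stack Trace:</b>"),
    "login": (401, "<title>Status</title>"),
    "shop": (200, "<title>Acme Store</title><p>Welcome</p>"),
}

if __name__ == "__main__":
    for name, (status, html) in SAMPLES.items():
        print(name, audit_response(status, html))
```

A host that answers 401 for the same title produces no welcome-page finding, which is the behaviour you want once authentication is placed in front of a device status page.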

We plan to cover security threats posed by default welcome pages left unattended in AWS, as the second part to our holistic coverage of this issue.


Source : Criminal IP (https://www.criminalip.io)
