Default welcome page exposure refers to default settings pages left neglected on the attack surface while the system is active. They are most commonly encountered at the beginning stages of installing and running systems, and are used to perform setup tasks.

How Hackers Exploit Exposed Default Welcome Pages

It should be noted that there are more default welcome page systems than one would reasonably expect on the attack surface. These webpages are heavily favored by threat actors, as they contain plenty of exploitable information. It is this wealth of data that makes exposed default welcome pages massive security vulnerabilities for the web system.

Therefore, we must discuss the precise processes hackers use to search for and analyze target infrastructure information using exposed default welcome pages. There are two types of default pages that users may encounter: first, the default welcome pages seen during installation, and second, error pages.

Criminal IP (https://www.criminalip.io), as a superior search engine for the IoT, provides precise search filters to aid users in unearthing various types of default welcome pages for their perusal.

Those with experience in operating a system can, of course, identify default welcome pages with basic common sense, even without precise knowledge of the application being handled. By searching with the keyword ‘System Information’ on CIP’s Asset Search (https://www.criminalip.io/asset), one can easily find exposed default welcome pages on the vulnerable open web. Users can also narrow down their search results by filtering for pages that return status code 200. On top of that, adding country codes and the corresponding port numbers to the query can yield fascinating results.

https://www.criminalip.io/asset/search?query=%22System%20Information%22%20status_code:%22200%22

"System Information" status_code:"200"

Vulnerable default welcome page found with the 'System Information' keyword

Inputting ‘System Information’ in CIP’s search database yielded a default welcome page with the keyword as its HTML Title string. Once accessed, this website displayed sensitive information such as Site Info, FileSystem Spec and System Uptime—all of which provide critical information on the server’s computing environment.

Default welcome page found containing the 'System Information' keyword, revealing sensitive details of this server's computing environment

Common Keywords for Default Welcome Pages

“Status” is yet another keyword commonly found in default welcome pages, often alongside “System Information”. If you click the search link below, you can find plenty of default welcome pages that use “Status” as their HTML title. This particular example, as shown in the screenshot, seems to be the default administrator page of wireless Wi-Fi equipment.

https://www.criminalip.io/asset/search?query=title:%22Status%22%20status_code:200

Vulnerable default welcome pages found with the "Status" keyword as the page title

This particular default welcome page allowed users to access system specifics without any authentication. Upon further investigation, the CIP team determined that this web server is a default page for wireless Wi-Fi equipment from Arris International Limited, an American telecommunications equipment company. Having this default welcome page exposed to the attack surface poses a significant security threat that could even alter equipment function and possibly sabotage device control indefinitely.

Arris International Limited Wireless Wifi Equipment Default Welcome Page

Inputting additional keywords pertaining to default welcome page exposure vulnerabilities can narrow down results to pinpoint precision. A good example would be adding the keyword “Panel” before “Status” to yield results pertaining to default welcome pages of Wi-Fi & LTE device equipment.

https://www.criminalip.io/asset/search?query=title:%22Panel%20Status%22

Search results of the query title:"Panel Status"

Exposed device default welcome page on the open web, found with query title:"Panel Status"

System Error Messages as an Attack Surface

Default error pages pop up when the system encounters an unexpected issue. Each computing system has its own error page, and each one provides specific information about its host system. These pages can be found in the same way as the default welcome pages described above. For example, entering the string “Object reference not set to an instance of an object” yielded ASP.NET’s error page immediately, with said string acting as the error page’s HTML title.

https://www.criminalip.io/asset/search?query=%20Object%20reference%20not%20set%20to%20an%20instance%20of%20an%20object

Criminal IP Asset Search results for inputting ASP.NET's error page string

The retrieved error page exposes a portion of the source code that contains the error, and the Stack Trace for the time of the error provides information about the web application.

Source code partially exposed on the error page, along with web application information shown via Stack Trace

Neglected Default Welcome Pages Floating on Cloud Servers

There are plenty of cases where default welcome page exposure vulnerabilities are left unattended on cloud servers. Firebase Cloud Messaging (FCM), a free messaging service server provided by Google, allows users to send messages on a per-app basis. Searching for a web server on Criminal IP Asset Search (https://www.criminalip.io/asset) with “Firebase Cloud Messaging” as the HTML title may yield interesting results.

https://www.criminalip.io/asset/search?query=title:Firebase%20Cloud%20Messaging

Search results of the query "title:Firebase Cloud Messaging"

Case of Default Welcome Page Exposure for Firebase Cloud Messaging Systems

As seen in the example above, FCM’s default welcome page is currently exposed to the open web. This default page sometimes contains Instance ID Token information, also known as the app ID value. Having these token values/API keys leaked can become the root cause of a serious cyber attack. You can read more about this on our blog, where we cover how API keys can be a party to credential leakage.
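The same title keywords and error string can be used to audit your own hosts before someone else finds them. The Python script below is an added example, not code from Criminal IP: it applies the searches shown in this article to responses already collected from an inventory scan, and the host addresses, sample HTML and function names are constructed for illustration.

```python
import re

# Title keywords and the error string are the ones searched for in this article.
TITLE_KEYWORDS = {
    "system information": "default system information page",
    "panel status": "device panel status page",
    "status": "default status page",
    "firebase cloud messaging": "FCM default page",
}
ERROR_STRING = "object reference not set to an instance of an object"
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

def audit_response(status, html):
    """Return exposure findings for one already-fetched HTTP response."""
    match = TITLE_RE.search(html)
    title = " ".join(match.group(1).split()).lower() if match else ""
    findings = []
    if status == 200:  # mirrors the article's status_code:200 filter
        # Longest keyword first so "panel status" is reported, not "status".
        for kw in sorted(TITLE_KEYWORDS, key=len, reverse=True):
            if kw in title:
                findings.append(TITLE_KEYWORDS[kw])
                break
    # The error string is checked at any status code, in title or body.
    if ERROR_STRING in " ".join(html.split()).lower():
        findings.append("ASP.NET default error page")
    return findings

# Constructed responses from a hypothetical inventory scan of your own hosts.
SAMPLES = [
    ("10.0.0.5", 200, "<html><head><title>System Information</title></head>"
                      "<body>System Uptime: 12 days</body></html>"),
    ("10.0.0.9", 200, "<title>LTE Panel Status</title>"),
    ("10.0.0.12", 401, "<title>Status</title>"),
    ("10.0.0.20", 500, "<title>Object reference not set to an instance "
                       "of an object.</title>"),
    ("10.0.0.31", 200, "<title>Customer Portal</title>"),
]

def audit_inventory(samples=SAMPLES):
    """Map each host to its findings, omitting hosts with none."""
    results = ((host, audit_response(status, html)) for host, status, html in samples)
    return {host: found for host, found in results if found}

if __name__ == "__main__":
    for host, findings in audit_inventory().items():
        print(host, findings)
```

A title match is only a triage flag: a legitimate page can also contain "Status" in its title, so each hit still needs a manual look before the page is removed or placed behind authentication.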

We plan to cover security threats posed by default welcome pages left unattended in AWS as the second part of our holistic coverage of this issue.


Source : Criminal IP (https://www.criminalip.io)
