What is Using Default Credentials Vulnerability?

Application misconfiguration attacks exploit configuration flaws in web applications.
Security misconfiguration can occur at any level of an application stack, including the platform, web server, application server, database, and framework.

Test Objectives

  • Determine whether the application has any user accounts with default passwords (default credentials).
  • Review whether new user accounts are created with weak or predictable passwords (default credentials).


Many applications ship with unnecessary and dangerous functionality, such as debug and QA tools, that is enabled by default. These features may allow an attacker to bypass authentication and gain access to sensitive information, possibly with elevated privileges.


Similarly, default installations may ship with well-known usernames and passwords, hard-coded backdoor accounts, special access methods, and inappropriate permissions on files served by the web server.

Here is a live sample scenario illustrating the Using Default Credentials vulnerability:

Scenario:
Let’s consider a web application called “SampleApp” that allows users to manage their personal information and sensitive data. During the development and deployment of SampleApp, the developers set up default credentials for administrative access to the application’s backend.

Live Sample:

  1. When SampleApp is deployed, the default administrative username is set to “admin” and the password is set to “admin123”.
  2. An attacker discovers that the application is using default credentials by performing reconnaissance on the application’s configuration files, reading documentation, or using automated tools that scan for common misconfigurations.
  3. Armed with the knowledge of default credentials, the attacker attempts to log in to the administrative panel of SampleApp.
  4. With successful login using the default credentials, the attacker gains full administrative privileges over the application. This means they can view, modify, or delete sensitive user data, manipulate settings, and potentially compromise the entire system.
  5. The attacker can now escalate their attack further, potentially using this privileged access to perform more extensive damage, such as installing backdoors, defacing the application, or exfiltrating sensitive data.

Mitigation:

To prevent the Using Default Credentials vulnerability, developers and administrators should follow these best practices:

  1. Change Default Credentials: Ensure that all default usernames and passwords are changed during the initial setup or installation of the application.
  2. Use Strong Passwords: Encourage users to create strong, unique passwords and implement password complexity requirements to prevent weak or predictable passwords.
  3. Least Privilege Principle: Grant only necessary permissions to user accounts, especially administrative accounts, and avoid granting excessive privileges.
  4. Disable or Remove Unused Functionality: Disable or remove any unnecessary features, tools, or functionalities that could be exploited by attackers.
  5. Regular Security Audits: Perform regular security audits and penetration testing to identify and address potential misconfigurations and vulnerabilities.
  6. Secure Coding Practices: Follow secure coding practices to minimize the likelihood of introducing misconfigurations during the development process.

By implementing these security measures, the risk of Using Default Credentials vulnerability can be significantly reduced, enhancing the overall security posture of the application and protecting sensitive data from unauthorized access.
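The two Test Objectives above and mitigations 1 and 2 can be enforced automatically at deployment time. The following is an added example (not code from the original article): a startup audit that refuses to run while any account still uses a known default pair from the lists on this page, or a predictable password. The configuration format, the `MIN_PASSWORD_LENGTH` value and the `audit_accounts` / `enforce_at_startup` names are assumptions for this example.

```python
"""Startup audit for default or predictable credentials (added example)."""
import re

# Known defaults taken from the lists on this page as (username, password);
# an empty password means the product ships the account with no password set.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "admin123"),   # the SampleApp default from the scenario
    ("admin", "pfsense"),
    ("root", ""),
    ("sa", ""),
    ("postgres", ""),
    ("redis", ""),
}

MIN_PASSWORD_LENGTH = 12  # assumed policy value for this example


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair matches a known vendor/application default."""
    return (username.lower(), password) in KNOWN_DEFAULTS


def is_predictable_password(username: str, password: str) -> bool:
    """Heuristics for weak or predictable passwords on newly created accounts."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return True
    if username.lower() in password.lower():            # embeds the username
        return True
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", password):     # word + short number
        return True
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes < 3                                  # too few character classes


def audit_accounts(accounts):
    """Return (username, reason) findings; an empty list means every account passes.
    `accounts` is an iterable of {"username": ..., "password": ...} dicts
    (a constructed format for this example). If the store only holds password
    hashes, verify each known default against the stored hash instead."""
    findings = []
    for acct in accounts:
        user, pwd = acct["username"], acct["password"]
        if is_default_credential(user, pwd):
            findings.append((user, "default credential still in use"))
        elif is_predictable_password(user, pwd):
            findings.append((user, "weak or predictable password"))
    return findings


def enforce_at_startup(accounts) -> bool:
    """Refuse to start while any account fails the audit (mitigations 1 and 2)."""
    findings = audit_accounts(accounts)
    if findings:
        raise RuntimeError("refusing to start: " + "; ".join(f"{u}: {r}" for u, r in findings))
    return True
```

Running the audit in a CI pipeline or deployment hook, rather than only at first boot, also catches defaults that are reintroduced by a later restore or reinstall.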

When looking for tools to check for security vulnerabilities, including default credentials, you can consider the following options:

  1. Security Scanners: Security scanners like Nessus, OpenVAS, and Qualys offer vulnerability scanning and may include checks for default credentials as part of their assessments.
  2. ZOFixer: ZOFixer is a popular web vulnerability scanner and security testing tool that may help in identifying misconfigurations, including default credentials.
  3. OWASP ZAP: OWASP ZAP is a widely used open-source web application security scanner that may assist in finding security misconfigurations, including default credentials.
  4. Nmap: Nmap is a powerful network scanning tool that can be used to identify open ports and potential security issues, including default credentials for certain services.
  5. Manual Testing: While not a tool per se, manual testing by experienced security professionals can be one of the most effective ways to identify misconfigurations and default credentials.

Keep in mind that no tool can guarantee 100% coverage or accuracy in finding all vulnerabilities. Therefore, it’s essential to combine automated scanning tools with manual testing and security expertise for a comprehensive security assessment.

Here are the default user credentials for some of the popular firewalls for servers:

  • Cisco Secure Firewall: Username: admin, Password: admin
  • Check Point Next Generation Firewalls: Username: admin, Password: admin
  • pfSense: Username: admin, Password: pfsense
  • WatchGuard Network Security: Username: admin, Password: admin
  • FortiGate: Username: admin, Password: admin

Here are the default user credentials for some of the popular databases for servers:

  • MySQL:
    • Username: root
    • Password: empty (or whatever you set it to during installation)
  • Microsoft SQL Server:
    • Username: sa
    • Password: empty (or whatever you set it to during installation)
  • PostgreSQL:
    • Username: postgres
    • Password: empty (or whatever you set it to during installation)
  • MongoDB:
    • Username: admin
    • Password: empty (or whatever you set it to during installation)
  • Redis:
    • Username: redis
    • Password: empty (or whatever you set it to during installation)
