
"Default web page" vulnerability : false positives?

Question asked by Eric Vautier on Nov 25, 2011

The "Default web page" vulnerability is useful to detect unused Web servers that are active on a server. Very often, stopping the Web server solves a lot of other vulnerabilities related to the (useless) Web site.

 

But very often, there's a necessary Web site, running properly, whose "default web page" is either a redirection or an authentication page (see examples below). These are false positives.

 

We have quite a number of these, and it's very, very long to mark each one of them as false positives. Is there a workaround?

 

Many thanks in advance

Eric

 

Redirection :

Date: Wed, 09 Nov 2011 05:19:11 GMT
Server: CompaqHTTPServer/9.9 HP System Management Homepage/3.0.1.73 httpd/2.2.6+
Location: /red2301.html?RedirectUrl=/
Set-Cookie: Compaq-HMMD=0001-eb3614eb-15d8-2644-ba6c-65f01154c83e-1320815951378443; path=/
Content-Length: 211
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body> Found  The document has moved here (/red2301.html?RedirectUrl=/).</p></body></html>

 

Authentication :

Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Tue, 08 Nov 2011 04:50:54 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>You are not authorized to view this page</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"><STYLE type="text/css">BODY { font: 8pt/12pt verdana }H1 { font: 13pt/15pt verdana }H2 { font: 8pt/12pt verdana }A:link { color: red }A:visited { color: maroon }</STYLE></HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD> You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.  </p>
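A small triage helper, added here as an example (not Qualys code and not part of the original post): it parses the raw response text the check records and separates redirects and authentication challenges, the two patterns quoted above, from pages that still need a manual look, so a batch of findings can be sorted before anyone marks false positives one by one. The three sample responses are constructed, modelled on the ones in the question; the first two deliberately omit the status line, as the quoted captures do.

```python
# Added example (not Qualys code): sort recorded "Default web page" responses
# into redirect / auth-required / review so they can be bulk-triaged.
import re

# Constructed samples modelled on the responses quoted in the question.
REDIRECT = (  # no status line, like the captured output
    "Date: Wed, 09 Nov 2011 05:19:11 GMT\r\n"
    "Server: CompaqHTTPServer/9.9 HP System Management Homepage/3.0.1.73 httpd/2.2.6+\r\n"
    "Location: /red2301.html?RedirectUrl=/\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    "<html><head><title>302 Found</title></head><body>Found</body></html>"
)
AUTH = (  # no status line either; WWW-Authenticate is the signal
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE></HEAD></HTML>"
)
DEFAULT = (  # constructed: a plain 200 with a stock default page
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.6\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Apache2 Default Page: It works</title></head></html>"
)

def parse_response(raw):
    """Split a raw HTTP response into (status_code or None, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = None
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if m:                      # status line present: record it and skip it
        status = int(m.group(1))
        lines = lines[1:]
    headers = {}
    for line in lines:         # header names are case-insensitive; normalise
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw):
    """Return 'redirect', 'auth-required' or 'review' for one recorded response."""
    status, headers, _ = parse_response(raw)
    if status in (301, 302, 303, 307, 308) or "location" in headers:
        return "redirect"       # live site sending visitors to its real entry page
    if status == 401 or "www-authenticate" in headers:
        return "auth-required"  # live site demanding credentials first
    return "review"             # possibly an unused default site: inspect it

def triage(responses):
    """Group a batch of recorded responses by classification."""
    groups = {"redirect": [], "auth-required": [], "review": []}
    for raw in responses:
        groups[classify(raw)].append(raw)
    return groups
```

Responses landing in "review" are the ones worth checking for a genuinely unused server; the other two groups are candidates for bulk false-positive handling after a quick sanity check of the Location and WWW-Authenticate values.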
