Default Script Hacks in Web Applications
Poorly written web programs, such as Hypertext Preprocessor (PHP) and Active Server Pages (ASP) scripts, can allow hackers to view and manipulate files on a web server and do other things they’re not authorized to do.
These flaws are also common in content management systems (CMSs) that are used by developers, IT staff, and marketing professionals to maintain a website’s content. Default script attacks are common because so much poorly written code is freely accessible on websites. Hackers can also take advantage of various sample scripts that install on web servers, especially older versions of Microsoft’s IIS web server.
Many web developers and webmasters use these scripts without understanding how they really work or without testing them, which can introduce serious security vulnerabilities.
To test for script vulnerabilities, you can peruse scripts manually or use a text search tool to find any hard-coded usernames, passwords, and other sensitive information. Search for admin, root, user, ID, login, signon, password, pass, pwd, and so on. Sensitive information embedded in scripts like this is rarely necessary and is often the result of poor coding practices that give precedence to convenience over security.
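The search described above can be scripted. This is an added example, not code from the article: it flags lines in PHP/ASP files where a quoted literal is assigned to a name containing one of the article's search terms. The file-extension list, the function names, and the sample script are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Search terms from the article; the extension list is an assumption.
KEYWORDS = {"admin", "root", "user", "id", "login", "signon",
            "password", "pass", "pwd"}
EXTENSIONS = {".php", ".asp", ".aspx", ".inc"}
# Identifier (or array key), then = or =>, then a non-empty quoted literal.
ASSIGNMENT = re.compile(r"""([$\w]+)['"\]]*\s*(?:=>|=)\s*(['"])([^'"]+)\2""")
# Splits db_password, dbPassword and DB_PASS into their component words.
WORD = re.compile(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])")
# Constructed sample script, not taken from any real application.
SAMPLE = '''<?php
$db_host = "localhost";
$dbPassword = "example-only";
$config['admin_pass'] = 'example-only';
$password = $_POST['password'];
$width = "100";
'''

def scan_text(text):
    """Return (line_number, identifier, keywords) for each literal assignment."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in ASSIGNMENT.finditer(line):
            words = {w.lower() for w in WORD.findall(match.group(1))}
            hit = sorted(words & KEYWORDS)
            if hit:
                # The literal is left out so the report is not a second copy of the secret.
                findings.append((number, match.group(1), ",".join(hit)))
    return findings

def scan_tree(root):
    """Scan script files under root; return (path, line, identifier, keywords)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = path.relative_to(root).as_posix()
            findings += [(rel, *hit) for hit in scan_text(text)]
    return findings

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise scan the constructed sample.
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for hit in hits:
        print(*hit, sep=":")
```

Each hit is a lead for manual review rather than a confirmed secret; "id" is the noisiest term because it also matches HTML id attributes.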
You can help prevent attacks against default web scripts as follows:
Know how scripts work before deploying them within a web environment.
Make sure that all default or sample scripts are removed from the web server before using it.
Don’t use publicly accessible scripts that contain hard-coded confidential information. They’re a security incident in the making.
Set file permissions on sensitive areas of your site/application to prevent public access.