Web application default/weak credentials
Description
This web application is configured with default or weak credentials that can be easily guessed or obtained through brute force attacks.
Invicti successfully authenticated to the application using commonly known default credentials or weak passwords. Weak passwords are typically short, use common dictionary words, match system defaults, are based on usernames, or can be rapidly discovered through automated password guessing attacks. Default credentials are often published in vendor documentation or widely known within the security community.
Remediation
Take the following steps to remediate this vulnerability:
1. Immediately change all default credentials:
- Replace all default usernames and passwords with unique, strong credentials
- Ensure no accounts use vendor-supplied default passwords
2. Implement a strong password policy:
- Require a minimum password length of 12 characters (length is the strongest single predictor of guessing resistance)
- Enforce complexity requirements (uppercase, lowercase, numbers, special characters); note that current guidance such as NIST SP 800-63B favors length and breached-password screening over rigid composition rules, so do not let composition rules substitute for them
- Reject common passwords, dictionary words, passwords that appear in known breach lists, and passwords derived from the username or the application name
- Prevent password reuse across multiple accounts and against each account's own password history
- Expire passwords for sensitive accounts, and force an immediate reset for any account on evidence of compromise
3. Add additional security controls:
- Implement multi-factor authentication (MFA) for all user accounts, and require it for administrative accounts first
- Enable account lockout (or progressively increasing delays) after multiple failed login attempts; prefer temporary, time-limited lockouts so the mechanism cannot be turned into a denial of service against legitimate users
- Implement CAPTCHA or rate limiting, applied per account and per source address, to slow automated brute force and credential-stuffing attacks
- Log every authentication attempt with username, source address, and outcome, and alert on bursts of failures or on many distinct usernames from one source
4. For new deployments:
- Force password change on first login
- Do not ship applications with default credentials enabled in production environments
- Include security warnings in documentation about changing default credentials
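The following is an added example, not code from Invicti or from the original page. It shows how the remediation steps above fit together in a web application's login path: a password-policy check that rejects short, low-complexity, common, username-based, and vendor-default passwords, and a per-account throttle that locks the account temporarily after repeated failures. The default-credential list, the common-password list, the user store, the static salt, and the `hash_password`/`login` helper names are all constructed for this illustration; a real deployment would use a large breached-password corpus and a random per-user salt.

```python
# Added example (not from the original page): password-policy enforcement and
# failed-login throttling for a web application's login handler.
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample of vendor default credentials that must never be accepted.
VENDOR_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "toor"), ("test", "test")}

# Constructed sample of a common/breached-password list. In production, screen
# against a full breached-password corpus instead of a short inline set.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome", "admin", "admin123"}

MIN_LENGTH = 12


def password_problems(username: str, password: str) -> list[str]:
    """Return the list of policy violations for a candidate password (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_lower and has_upper and has_digit and has_symbol):
        problems.append("needs lowercase, uppercase, a digit and a special character")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if (username.lower(), lowered) in VENDOR_DEFAULTS:
        problems.append("is a vendor default credential")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


@dataclass
class LoginThrottle:
    """Per-account failure tracking: lock for `lockout` seconds after `max_failures` within `window` seconds."""
    max_failures: int = 5
    window: float = 900.0
    lockout: float = 900.0
    _failures: dict = field(default_factory=dict)      # username -> timestamps of recent failures
    _locked_until: dict = field(default_factory=dict)  # username -> time the lockout ends

    def is_locked(self, username: str, now: float) -> bool:
        return self._locked_until.get(username, 0.0) > now

    def record_failure(self, username: str, now: float) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        recent = [t for t in self._failures.get(username, []) if now - t <= self.window]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            return True
        return False

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (hypothetical helper; iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed user store with one account that already uses a policy-compliant password.
SALT = b"constructed-static-salt"  # a real store uses a random salt per user
USERS = {"alice": hash_password("Correct-Horse-Battery-9!", SALT)}


def login(throttle: LoginThrottle, username: str, password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'fail'. Failures are counted even for unknown usernames."""
    if throttle.is_locked(username, now):
        return "locked"
    expected = USERS.get(username)
    # Hash the candidate even when the user does not exist so response timing
    # does not reveal which usernames are valid.
    candidate = hash_password(password, SALT)
    if expected is not None and hmac.compare_digest(expected, candidate):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "fail"
```

`password_problems` belongs on the password-set and password-change paths (including the forced change on first login from step 4), while `LoginThrottle` and `login` sit in front of the credential check itself; the throttle tracks failures by account so a guessing campaign spread across many source addresses still trips the lockout, and the lockout is time-limited so an attacker cannot permanently deny a legitimate user access by deliberately failing logins.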