WebPageTest Unauthorized Access Vulnerability
Description
WebPageTest is a web performance testing tool that uses real browsers to measure website performance and generate detailed analytics reports.
This installation is publicly accessible without authentication controls. WebPageTest is designed for use by trusted administrators only, as it provides direct access to internal browser automation capabilities and can be used to initiate requests to arbitrary URLs from the server's network context.
Remediation
Implement access controls to restrict WebPageTest to authorized users only. Choose one or more of the following approaches:
1. Network-level restrictions: Configure firewall rules or security groups to allow access only from trusted IP addresses or networks (e.g., corporate VPN, office networks).
2. Authentication layer: Place WebPageTest behind an authentication proxy such as:
- OAuth2 Proxy with SSO integration
- Basic authentication via reverse proxy (nginx, Apache)
- VPN-only access
3. Reverse proxy with authentication example (nginx):
    location / {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://webpagetest-backend:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
4. Remove public access: If the instance is not actively used, disable public access entirely or decommission the service.
After implementing controls, verify that unauthenticated users cannot access the WebPageTest interface or submit test requests.
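The verification step above, as an added example that is not part of the original advisory: a small Python check that sends unauthenticated requests to the instance and reports any path that still answers without a 401/403 or a login redirect. The paths "/" and "/runtest.php" are assumed to be the UI and the test-submission endpoint of a stock WebPageTest install; adjust them for a customised deployment.

```python
"""Verify that a WebPageTest instance rejects unauthenticated requests (added example)."""
import sys
import urllib.error
import urllib.request

# Assumed paths for a stock WebPageTest install: the UI and the test-submission endpoint.
CHECK_PATHS = ("/", "/runtest.php")
# Status codes that show the request was stopped before reaching the application.
BLOCKED = {401, 403}


def fetch_status(url, timeout=10):
    """Return the HTTP status of an unauthenticated GET without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for the 3xx
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "wpt-access-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def is_blocked(status):
    """A 401/403, or a redirect (e.g. to an SSO login page), counts as blocked."""
    return status in BLOCKED or 300 <= status < 400


def audit(base_url, fetch=fetch_status):
    """Probe every path; returns {path: (status, blocked)}. `fetch` is injectable for tests."""
    results = {}
    for path in CHECK_PATHS:
        status = fetch(base_url.rstrip("/") + path)
        results[path] = (status, is_blocked(status))
    return results


def exposed_paths(results):
    """Paths that answered with a non-blocking status, i.e. still reachable anonymously."""
    return [path for path, (_, blocked) in results.items() if not blocked]


if __name__ == "__main__":
    # Placeholder host; pass the real instance URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://webpagetest.example.invalid"
    report = audit(base)
    for path, (status, blocked) in report.items():
        print(f"{path:<14} HTTP {status}  {'blocked' if blocked else 'EXPOSED'}")
    sys.exit(1 if exposed_paths(report) else 0)
```

A non-zero exit means at least one path is still reachable without credentials, which is the condition the remediation must eliminate.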