I'm sorry for this novice question, but as a beginner I'm wondering:

isn't there a security problem if I deploy an application (e.g. on Tomcat) that I can access via a web interface, where I can log in with a default username and password? Of course you have to change that login data, but isn't it possible that someone uses the time between deployment and changing the login data (even if it's only seconds) to take control of the application? Couldn't attackers scan for servers with such applications and try to log in with the respective default login data? I don't know if there's a motive for such attacks, as long as the applications themselves are safe and you can't attack the server itself.

When installing Tomcat, however, you have to specify login data in an XML file, which you can only access as root, right? So this one seems to be safe in this respect.

Sorry for this novice question. I've searched the web for quite some time but didn't find a specific answer.

Thank you

DSchiff

1 Answer

I debated a bit with myself whether this should be closed as "too broad" or "primarily opinion based", but decided to come up with an answer anyway.

In theory - if you deploy a web application that is accessible from the public internet with a default username/password combination, then anyone can obviously log in and change that login info before you do it yourself.

However, I see more and more applications asking for an admin username/password as part of the initial deployment, which would then be considered safe.

If you know you are going to deploy an application that uses a default username/password combination, you should prevent access to the server for anyone but yourself until you have had the time to set up a proper password.

Realistically I don't think it is a problem, since it would require the scanner/hacker hitting your site at the time it is vulnerable, which hopefully isn't more than a couple of minutes at most.

Frederik
  • Thank you. Indeed, restricting IP access on Tomcat until the application login data has been changed is a solution. So the idea of hackers scanning for unsafe applications on a large scale is probably wrong. I thought there might be people scanning the servers of cloud companies all the time, searching for non-secure applications and hijacking your application within milliseconds, even before you have the possibility to change the login data yourself via the web interface. Thank you for the clarification! – DSchiff Apr 24 '16 at 15:24
  • There are probably people scanning all the time, but with the number of servers to scan and the analysis of each one, it won't happen as fast as you think. – Frederik Apr 25 '16 at 08:27
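The IP restriction discussed in the answer and the first comment, as an added example configuration that is not part of the original posts: Tomcat's RemoteAddrValve placed on the manager web application so that the login page is only reachable from the machine itself until a proper password exists. The address 192.0.2.10 is an assumed administrative host, not a value from the thread.

```xml
<!-- $CATALINA_BASE/webapps/manager/META-INF/context.xml

     Until the default or not-yet-set credentials have been replaced, the
     manager application is limited to clients whose IP address matches the
     'allow' regular expression. Every other client receives HTTP 403 before
     authentication is even attempted, which closes the window between
     deployment and the first password change that the question describes.

     The first three alternatives are Tomcat's own loopback patterns (IPv4
     and IPv6). 192.0.2.10 is an assumed administrative workstation added
     for illustration; remove it if you only administer the host locally. -->
<Context antiResourceLocking="false" privileged="true">

  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.0\.2\.10" />

  <!-- The accounts themselves live in $CATALINA_BASE/conf/tomcat-users.xml,
       which Tomcat ships without any active manager user. That file should
       stay readable only by the account Tomcat runs as; the valve above
       guards the network side, the file permissions guard the host side. -->

</Context>
```

The `allow` attribute is a regular expression matched against the client address, so each dot is escaped and alternatives are separated with `|`; widening it to a broader range re-opens exactly the exposure the answer warns about.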