Are you hosting a web application that is public? If so, there is a good chance that the web application has help files or pages exposed. These help pages are usually accessible publicly and can assist an attacker during reconnaissance of your company's application. From personal experience, your web application itself is the first place I look for help files, before searching the internet to become more familiar with the application being hosted.
Web applications that ship these help pages provide an array of content about the application being hosted. Some of the information that may be obtained:
- How to use the web application and built-in features
- The default configuration of the web application, such as the default username/password, open ports and directory paths
- The history of the web application, such as product updates, bug fixes and security bulletins
- Sensitive details about the web application, such as the product, database and language versions in use
- In some cases, information not readily found on the internet
Below are some example web applications that do provide help pages:
- WordPress and Plugins
- Zoho Products
- Liquid Files
- PRTG Network Monitor
- Kentico CMS
Most help pages are shipped with the web application to assist the IT department with installation, configuration, upgrading or administration of the application. In many cases, these help pages can be deleted once the application has been deployed. This step is often missed by the IT department, which is why attackers look for these pages when inspecting your application.
Often, it is the simplest thing that causes a company to fall victim to a data breach or intrusion. Companies should have a penetration test conducted at least once a year, or whenever drastic changes are made to their infrastructure.
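Where the help directory cannot simply be deleted (for example because administrators still rely on it), it can be restricted to the internal management network and its requests logged separately so that external probing is visible. The nginx configuration below is an added example and is not part of the original post or of any of the products named above; the directory names, the internal CIDR and the log path are assumptions, to be replaced with the directory your application actually ships its help files in.

```nginx
# Added example (not from the original post): keep a web application's
# bundled help/documentation directory off the public internet.
# The paths, the internal network range and the log file are assumptions.

# Weak setting: the help directory is served like any other static content,
# so anyone on the internet can read the installation and configuration docs.
#
# location /help/ {
#     root /var/www/app;
# }

# Hardened setting: only the assumed internal management network may read the
# help, docs and manual directories. Everyone else receives a 404 rather than
# a 403, so the existence of the directory is not confirmed to outsiders.
# A dedicated access log makes requests for these paths easy to review.
location ~ ^/(help|docs|manual)/ {
    allow 10.0.0.0/8;      # assumed internal management network
    deny  all;
    error_page 403 =404 /404.html;
    access_log /var/log/nginx/app_help_access.log;   # assumed log path
    root /var/www/app;     # assumed application document root
}
```

After reloading nginx, verify the change from an external address and from the internal network: the former should receive a 404 for a known help URL, the latter the page. Entries in the dedicated log from addresses outside the allowed range are a useful signal that someone is enumerating the application's documentation.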
Falcon Network Services provides an assortment of security services, including penetration testing for your web applications. Help protect your company's infrastructure today: visit https://fns1.com or email firstname.lastname@example.org
OUR SECURITY SERVICES INCLUDE:
- Risk Assessments
- Penetration Testing
- Web Application Testing
- Security Awareness Training
- Managed SIEM
- Managed Security Services (MSSP)
- Security Consulting