Web Server Default Welcome Page

The "default web page" finding is useful for detecting unused Web servers that are still active on a host. Very often, stopping the Web server also resolves many other vulnerabilities related to the (useless) Web site.

But very often, there's a necessary Web site, running properly, whose "default web page" is either a redirection or an authentication page.

The flaw is due to a misconfiguration of the server that leaves the default pages accessible when the server is not used. Successful exploitation allows remote attackers to obtain sensitive information that could aid in further attacks.
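One way to triage this finding on your own hosts, separating a stock welcome page from the redirection and authentication cases described above. This is an added example, not part of the original page; the function name, the marker list (a partial set of well-known welcome-page strings) and the sample responses are assumptions constructed for illustration.

```python
import re

# Marker strings from stock welcome pages. Assumption: a partial list,
# to be extended with the pages your own platforms ship.
DEFAULT_PAGE_MARKERS = {
    "Apache httpd": re.compile(r"<h1>It works!</h1>|Apache2 (Ubuntu|Debian) Default Page", re.I),
    "nginx": re.compile(r"<title>Welcome to nginx!</title>", re.I),
    "IIS": re.compile(r"<title>IIS ?(7|Windows Server)</title>", re.I),
    "Apache Tomcat": re.compile(r"<title>Apache Tomcat/[\d.]+</title>", re.I),
}
LOGIN_FORM = re.compile(r'<input[^>]+type=["\']?password', re.I)

def triage_root_response(status, headers, body):
    """Classify the response to GET / as a (verdict, detail) pair."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return ("redirect", headers["location"])   # site in use, root forwards elsewhere
    if status == 401:
        return ("authentication", headers.get("www-authenticate", ""))
    if status == 200:
        for product, marker in DEFAULT_PAGE_MARKERS.items():
            if marker.search(body):
                return ("default-page", product)   # candidate unused server
        if LOGIN_FORM.search(body):
            return ("authentication", "login form")
        return ("custom-content", "")
    return ("other", str(status))

# Constructed sample responses (status, headers, body); no network access needed.
SAMPLES = [
    (200, {}, "<html><body><h1>It works!</h1></body></html>"),
    (200, {}, "<html><head><title>IIS Windows Server</title></head></html>"),
    (302, {"Location": "/app/login"}, ""),
    (401, {"WWW-Authenticate": 'Basic realm="intranet"'}, ""),
    (200, {}, '<form><input type="password" name="pw"></form>'),
]

if __name__ == "__main__":
    for status, headers, body in SAMPLES:
        print(status, triage_root_response(status, headers, body))
```

Only the "default-page" verdict points to a server that can probably be stopped; "redirect" and "authentication" indicate a site that is in use.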

  • Change the name of the default web page for your domain.
  • Tomcat server: disable or remove the default page.


Apache

  • If you have permission to edit the master configuration files, edit httpd.conf and srm.conf and do the following:
    Find this line:
    DirectoryIndex index.html
    and change it as follows:
    DirectoryIndex index.shtml index.html
  • Changing The Default Page using .htaccess

If you are unable to edit your master configuration files, you can use this directive from .htaccess. Just edit the .htaccess file located in your main HTML directory. If you do not have this file, feel free to create it! To change the default page, either edit the existing DirectoryIndex line or add the following:

    DirectoryIndex index.shtml index.html

This will make index.shtml the default page.


IIS

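    <!-- Fragment: goes inside <configuration> in web.config -->
    <system.webServer>
      <defaultDocument>
        <files>
          <!-- <clear /> removes the inherited default documents -->
          <clear />
          <add value="Path of your Page" />
        </files>
      </defaultDocument>
    </system.webServer>

    <!-- Complete web.config that adds home.html as a default document -->
    <configuration>
      <system.webServer>
        <defaultDocument enabled="true">
          <files>
            <add value="home.html" />
          </files>
        </defaultDocument>
      </system.webServer>
    </configuration>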

Manually:

  • From the Administrative Tools menu, click Internet Information Services (IIS) Manager.
  • In IIS Manager, click the server name node, and then scroll to locate the Default Document icon.
  • Double click Default Document.