These docs are for v1.1. Click to read the latest docs for v1.2.

Default Login Location

Severity: Low
Test name: Default Login Location

Some web applications have an administrative login section that allows administrating the application content. Default Login Location vulnerability means that an attacker is able to get control over such a section without authentication or via authorization with the default credentials. It is possible if managing interfaces are not properly protected from unauthorized access or the default password has not been changed (the credentials have not been removed).


This vulnerability allows an attacker to get access to:

  • User account provisioning
  • Website design and layout
  • Data manipulation
  • Configuration changes

The issue can be found in the source code on the server side.

Remedy suggestions
  • Administrative section must have authentication. That means each action in that section should be authenticated.
  • URL for the login form should not be shown on your public website.
  • Default Login Location should be changed if possible.
  • Administrative section should be closed for search bots. Example of robots.txt:
User-agent: *
Disallow: /admin
  • Comments and links with the information about the default login form should be removed from the HTML code shown by the client application.
  • Remove the default credentials or change the password.
  • Enable Brute Force Protection for the login form.
  • CWE-287
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N