Identity Management / Use of Default Credentials
Use of Default Credentials is an identity management vulnerability that occurs when a system or application is deployed with a generic, vendor-supplied username and password combination that is publicly known. It is a security risk because an attacker can authenticate to the system or application without having to guess or crack the password. The Common Weakness Enumeration (CWE) directory notes that this weakness can occur in web and API applications (CWE-798), and the OWASP Testing Guide lists it as a condition that should be tested for (OWASP-AT-002).
Use of Default Credentials is a high-risk vulnerability because it significantly reduces the security of the system or application. An attacker who gains access with a generic username and password combination can potentially read sensitive information or exploit other vulnerabilities in the system or application from an authenticated position.
The most effective remediation is to not ship or deploy the system or application with generic usernames and passwords. Instead, unique usernames and passwords should be set for each user. Additionally, password strength should be enforced and passwords should be changed periodically.
An example of how this vulnerability can be exploited can be found in the Common Vulnerabilities and Exposures (CVE) directory. CVE-2018-3078 is an example of a vulnerability in an application where an attacker can use a default username and password combination to gain access to the application.
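As an added example (not code from the page or from any product it references), the following Python sketch shows both halves of the remediation above: a provisioning check that refuses known default or weak credentials, and an audit that flags stored accounts still answering to a published default. The `KNOWN_DEFAULTS` list, the sample account store and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed list of widely published vendor default pairs; an assumption
# for this example, not taken from the page or any specific product.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root"),
                  ("guest", "guest"), ("admin", "1234")}
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the sample store


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 digest) for storage; plaintext is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def password_is_acceptable(username, password):
    """Policy: reject known default pairs, the username itself, and short passwords."""
    if (username, password) in KNOWN_DEFAULTS or password.lower() == username.lower():
        return False
    return len(password) >= 12


def provision_account(accounts, username, password):
    """Create an account only when the credential passes the policy above."""
    if not password_is_acceptable(username, password):
        raise ValueError(f"refusing to provision {username!r} with a default or weak password")
    accounts[username] = hash_password(password)


def find_default_accounts(accounts):
    """Audit the store: return usernames that still authenticate with a known default."""
    flagged = []
    for username, (salt, digest) in accounts.items():
        for default_user, default_pw in KNOWN_DEFAULTS:
            if default_user == username and verify_password(default_pw, salt, digest):
                flagged.append(username)
                break
    return sorted(flagged)


# Constructed sample store: an "admin"/"admin" account seeded at install time
# next to a user provisioned through the policy check.
SAMPLE_ACCOUNTS = {"admin": hash_password("admin")}
provision_account(SAMPLE_ACCOUNTS, "alice", "correct-horse-battery-staple")

if __name__ == "__main__":
    print("accounts still on default credentials:", find_default_accounts(SAMPLE_ACCOUNTS))
```

Running the audit at startup and refusing to serve traffic while it returns a non-empty list turns the remediation into an enforced check rather than a policy statement.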