TWA 0701
"Domain is listening on a development/backend port: ${dev_port} (${dev_port_comment})"
In the message output the variable
The standard HTTP port is 80 and the standard HTTPS port is 443. Usually the web server serves all public content through these two ports.
Sometimes a web server is also used for experiments during development. Then other ports are configured for the web sites under development.
A possible attacker should not be given access to the development versions. A development version could contain internal information, and it could also have security issues that are only fixed before the web site passes the release tests.
Therefore, no connection to development ports should be possible for public clients.
Currently (November 2020) the twa script checks these port numbers:
| port | comment |
|---|---|
| 1433 | Microsoft SQL Server default port |
| 3000 | node.js (express.js), ruby on rails |
| 3050 | Interbase, Firebird default port |
| 3306 | MySQL and MariaDB default port |
| 4443 | common https development port |
| 4567 | sinatra default port |
| 5000 | Flask and Kestrel default port |
| 5432 | PostgreSQL default port |
| 6379 | Redis default port |
| 8000 | common http development port |
| 8008 | common http development port |
| 8080 | common http development port |
| 8081 | common http development port |
| 8086 | InfluxDB HTTP service default port |
| 8088 | common http development port |
| 8093 | Couchbase Query service REST traffic |
| 8443 | common https development port |
| 8888 | common http development port |
| 9200 | Elasticsearch REST API default port |
| 9292 | rack default port |
| 27017 | MongoDB default port |
| 33060 | MySQL X-Protocol default port |
The twa script checks only a few commonly used ports. It is not the aim to check most ports; the twa script should not be a port scanner tool. Specialized tools such as nmap exist to scan for all open ports.
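The following is an added example, not code from the twa project: it reproduces the idea of the TWA 0701 check in Python. It tries a plain TCP connect to each port from the table above against one host and prints a finding in the format of the message shown at the top of this page. The names `DEV_PORTS`, `tcp_connects`, `find_open_dev_ports` and `format_findings` are assumptions of this example; the `probe` parameter exists only so the check logic can be exercised without a network.

```python
"""Report which well-known development/backend ports on a host accept TCP
connections.  Added example modelled on the TWA 0701 check; not twa's code."""
import socket
import sys
from typing import Callable, Dict, List, Tuple

# Port table as listed on the wiki page (state of November 2020).
DEV_PORTS: Dict[int, str] = {
    1433: "Microsoft SQL Server default port",
    3000: "node.js (express.js), ruby on rails",
    3050: "Interbase, Firebird default port",
    3306: "MySQL and MariaDB default port",
    4443: "common https development port",
    4567: "sinatra default port",
    5000: "Flask and Kestrel default port",
    5432: "PostgreSQL default port",
    6379: "Redis default port",
    8000: "common http development port",
    8008: "common http development port",
    8080: "common http development port",
    8081: "common http development port",
    8086: "InfluxDB HTTP service default port",
    8088: "common http development port",
    8093: "Couchbase Query service REST traffic",
    8443: "common https development port",
    8888: "common http development port",
    9200: "Elasticsearch REST API default port",
    9292: "rack default port",
    27017: "MongoDB default port",
    33060: "MySQL X-Protocol default port",
}


def tcp_connects(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP handshake to host:port completes within timeout.

    A refused connection, an unreachable host and a timeout all count as
    'not listening' for the purpose of this audit.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_open_dev_ports(
    host: str,
    ports: Dict[int, str] = DEV_PORTS,
    probe: Callable[[str, int], bool] = tcp_connects,
) -> List[Tuple[int, str]]:
    """Return (port, comment) for every listed port that accepts a connection.

    `probe` is the connect function; it is injectable (hypothetical parameter
    of this example) so the selection logic can be tested offline.
    """
    return [(port, comment) for port, comment in sorted(ports.items()) if probe(host, port)]


def format_findings(findings: List[Tuple[int, str]]) -> List[str]:
    """Render findings in the wording of the TWA 0701 message."""
    return [
        f"Domain is listening on a development/backend port: {port} ({comment})"
        for port, comment in findings
    ]


if __name__ == "__main__":
    # Usage: python3 dev_port_check.py <your-own-host>
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for line in format_findings(find_open_dev_ports(target)):
        print(line)
```

The default timeout of two seconds per port keeps a full run of the table short; a host that silently drops packets on a filtered port costs the full timeout, which is the intended result (filtered is treated the same as closed).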
Options:
- Use an internal machine for the development.
- Configure the firewall to allow access only from the IP addresses of the development team workstations.
- Configure the development web server to accept connections only from the IP addresses of the development team workstations.
Hint: A scan of all TCP ports with a port scanner like nmap should be run. If twa has found one unintended open port, there could be more open ports.