çSome
pages can be viewed without password
çIdeal
when web interface only on LAN
çTargets the internal user who can “see” the device’s web
interface
çSome preauth leaks are WAY TOO GOOD – ie: WEP keys or admin
passwords
çAdmin doesn’t need to be logged-in since device’s URL can be
viewed by anyone
çReal
example: BT Home Hub (tested on firmware 6.2.2.6 )