Administration page exposure
OWASP 2013-A7 OWASP 2017-A5 OWASP 2021-A1 OWASP 2019-API7 PCI v3.2-6.5.8 OWASP PC-C7 CAPEC-87 CWE-425 HIPAA-164.306(a) & HIPAA-164.308(a) ISO27001-A.9.4.1 WASC-34 WSTG-CONF-05
An administration page is a part of most web applications that lets a small set of users perform privileged actions, such as changing the site's configuration or design and manipulating its data. Many applications do not protect this page adequately, and an attacker can locate an exposed administration page in the following ways:
- Directory & file enumeration: guessing the path of the administration page by requesting likely locations and noting which ones respond.
- Brute force: requesting a wordlist of common administration page names (for example /admin, /administrator or /wp-admin).
- Reviewing server & application documentation: the documentation of common servers and frameworks (Apache, for example) states the default location of their management pages, which are often left unchanged.
- Alternative server port: requesting the administration page on ports other than 80 and 443, where management interfaces are frequently exposed.
- Parameter tampering: modifying cookies or GET/POST parameters (a role or admin flag, for instance) to reveal or reach the administration page.
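The following script is an added example, not part of the original page, showing how the first three discovery techniques above (path guessing, a wordlist of common names and alternative ports) are combined in practice. The host name, port list and wordlist are constructed for illustration, and the `fetch` parameter is an assumption of this example so that the logic can be exercised without a network; run it only against hosts you are authorised to test.

```python
"""Added example, not from the original page: probe common administration
paths across several ports. Wordlist, ports and host are constructed."""
import sys
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple

# Constructed wordlist of frequently used administration paths (assumption:
# a real assessment would use a much larger, product-specific list).
COMMON_ADMIN_PATHS = [
    "/admin", "/admin/", "/administrator/", "/admin/login", "/wp-admin/",
    "/manager/html", "/phpmyadmin/", "/console/", "/cpanel/",
]

# Ports on which management interfaces are often exposed next to 80/443.
ALTERNATIVE_PORTS = [80, 443, 8080, 8443, 8000, 8888]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to a login page is itself a signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urlopen then raises HTTPError carrying the 3xx code


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url: str, timeout: float = 5.0) -> int:
    """Send a HEAD request and return the HTTP status (0 if unreachable)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still tell us something
        return err.code
    except (urllib.error.URLError, OSError):
        return 0


def interesting(status: int) -> bool:
    """200: served; 401/403: exists but guarded; 301/302: usually a login redirect."""
    return status in (200, 301, 302, 401, 403)


def enumerate_admin_pages(
    host: str,
    ports: Iterable[int] = ALTERNATIVE_PORTS,
    paths: Iterable[str] = COMMON_ADMIN_PATHS,
    fetch: Callable[[str], int] = http_status,
) -> List[Tuple[str, int]]:
    """Try every (port, path) pair and return the ones worth a closer look.
    `fetch` is injectable so the logic can run without a network."""
    hits = []
    paths = list(paths)
    for port in ports:
        scheme = "https" if port in (443, 8443) else "http"
        for path in paths:
            url = f"{scheme}://{host}:{port}{path}"
            status = fetch(url)
            if interesting(status):
                hits.append((url, status))
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for found_url, code in enumerate_admin_pages(target):
        print(code, found_url)
```

A 401 or 403 is as useful to the attacker as a 200: it confirms the page exists, which is why the mitigation section below recommends hiding the area from untrusted networks rather than only protecting it with a login.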
Using this vulnerability, an attacker may be able to:
- gain complete control of the application;
- manipulate its data;
- leak sensitive information;
- read, update and delete sensitive data or tables in the database;
- execute commands on the underlying operating system, where the administration functionality allows it.
Mitigation / Precaution
Beagle recommends the following measures:
- Install the latest patches for the application and its platform.
- Use a web application firewall.
- Password-protect the administration directory at the web-server level, in addition to the application's own login.
- Use strong passwords.
- Implement two-step verification.
- Limit login attempts and lock out or throttle an address after repeated failures.
- Restrict access to the administration page to a small set of trusted IP addresses.
- Disable login hints, so that error responses do not reveal whether a username exists.
- Create a custom login and registration page instead of exposing the framework's default one at its well-known path.
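As an added example (not code from the original page or from Beagle), the stdlib-only WSGI middleware below applies four of the measures above to everything under /admin/: an IP allowlist that answers non-trusted networks with a plain 404 so nothing hints that an admin area exists, HTTP Basic authentication checked against a salted PBKDF2 hash with a constant-time comparison, a per-IP lockout after repeated failures, and identical 401 responses for unknown users and wrong passwords. The prefix, networks, account, password and the `hello_app` placeholder are all assumptions of this example.

```python
"""Added example, not from the original page: WSGI middleware guarding /admin/
with an IP allowlist, Basic auth (PBKDF2 hash) and per-IP lockout.
Networks, account and password are constructed for illustration."""
import base64
import hashlib
import hmac
import ipaddress
import os
import time

ADMIN_PREFIX = "/admin/"
# Constructed allowlist: only these networks may even see the admin area.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]
MAX_FAILURES = 5        # failed logins per IP before lockout
LOCKOUT_SECONDS = 900   # how long the lockout lasts
PBKDF2_ROUNDS = 100_000  # tune to your hardware; production values are higher


def make_password_record(password, salt=None):
    """Return (salt, pbkdf2 digest); store this, never the plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, record):
    salt, digest = record
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)  # constant-time comparison


# Constructed account; a real deployment loads this from a secrets store.
USERS = {"admin": make_password_record("correct horse battery staple")}
DUMMY_RECORD = make_password_record("unused")  # equal timing for unknown users


class AdminGuard:
    """404 for non-allowlisted IPs (no hint that /admin/ exists), 401 for
    missing or bad credentials, 429 once an IP exceeds MAX_FAILURES."""

    def __init__(self, app, clock=time.monotonic):
        self.app, self.clock = app, clock
        self.failures = {}  # ip -> (count, time of last failure)

    def _ip_allowed(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in ALLOWED_NETS)

    def _locked_out(self, ip):
        count, last = self.failures.get(ip, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self.clock() - last < LOCKOUT_SECONDS:
            return True
        del self.failures[ip]  # lockout expired
        return False

    def _credentials_ok(self, header):
        if not header.startswith("Basic "):
            return False
        try:
            user, _, pwd = base64.b64decode(header[6:], validate=True).decode().partition(":")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return False
        record = USERS.get(user)
        ok = verify_password(pwd, record or DUMMY_RECORD)  # always hash once
        return ok and record is not None

    def __call__(self, environ, start_response):
        if not environ.get("PATH_INFO", "").startswith(ADMIN_PREFIX):
            return self.app(environ, start_response)
        ip = environ.get("REMOTE_ADDR", "")
        if not self._ip_allowed(ip):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        if self._locked_out(ip):
            start_response("429 Too Many Requests", [("Retry-After", str(LOCKOUT_SECONDS))])
            return [b"Too many failed logins"]
        if not self._credentials_ok(environ.get("HTTP_AUTHORIZATION", "")):
            count, _ = self.failures.get(ip, (0, 0.0))
            self.failures[ip] = (count + 1, self.clock())
            start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="admin"')])
            return [b"Authentication required"]
        self.failures.pop(ip, None)  # successful login clears the counter
        return self.app(environ, start_response)


def hello_app(environ, start_response):  # placeholder for the real site
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["PATH_INFO"].encode()]


def request(app, path, ip, auth=None):
    """Drive a WSGI app with a constructed environ; return the status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": ip}
    if auth:
        environ["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(auth.encode()).decode()
    seen = []
    list(app(environ, lambda status, headers: seen.append(status)))
    return seen[0]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, AdminGuard(hello_app)).serve_forever()
```

Basic authentication only makes sense over HTTPS, and the failure counter here lives in process memory, so behind several workers or a load balancer the count must be kept in shared storage; REMOTE_ADDR is also only trustworthy when the proxy in front of the application sets it from the real client connection.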