The administrator page is a page present in all web applications that allows certain users to undertake privileged activities on the site, such as changing the features of the web application (the site design, data manipulation and so on). Many web applications do not protect this page sufficiently from unauthorised attackers. An attacker can find the vulnerability in the following ways:
- Directory and file enumeration: guessing the path of the administrator page.
- Brute force: trying common administrator page names.
- Reviewing server and application documentation: consulting the documentation of common servers such as Apache, which describes default administration paths.
- Alternative server port: trying different port numbers to reach the administrator page.
- Parameter tampering: manipulating the cookie or the GET and POST parameters to reach the administrator page.
Impact
Using this vulnerability, an attacker can:
- gain complete access to the application.
- perform manipulation of data.
- leak sensitive information.
- read, update and delete sensitive data/tables from the database.
- execute commands on the underlying operating system.
Mitigation / Precaution
Beagle recommends the following mitigations:
- Install the latest security patches.
- Use a web application firewall.
- Password-protect the admin directory.
- Use strong passwords.
- Implement 2-step verification.
- Limit login attempts.
- Limit access to a few IP addresses.
- Disable login hints.
- Create a custom login and registration page.
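The following added example (not Beagle's code) shows how several of these mitigations combine in a single admin login gate: an IP allowlist that answers 404 to non-allowlisted clients so the admin area is not confirmed to exist, a per-IP lockout after repeated failed logins, a salted password hash compared in constant time, and one generic error message for both a wrong username and a wrong password (no login hints). The allowlist, the `admin` user and its password are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed policy for a hypothetical /admin area.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24"),
                   ipaddress.ip_network("203.0.113.7/32")]
MAX_ATTEMPTS = 5         # failures allowed before the client IP is locked out
LOCKOUT_SECONDS = 900    # lockout window (15 minutes)

# Salted PBKDF2 hash of the constructed password "correct horse battery staple".
_SALT = b"constructed-salt"
_ADMIN_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000)

_failures = {}  # client ip -> (failure count, timestamp of first failure in window)


def ip_allowed(client_ip):
    """True only when the client address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def admin_login(client_ip, username, password, now=None):
    """Return (http_status, message). Messages are deliberately generic."""
    now = time.time() if now is None else now
    if not ip_allowed(client_ip):
        return (404, "Not Found")  # do not reveal that an admin area exists
    count, since = _failures.get(client_ip, (0, now))
    if now - since >= LOCKOUT_SECONDS:
        count, since = 0, now      # window expired: start counting afresh
    if count >= MAX_ATTEMPTS:
        return (429, "Too many attempts")  # checked before credentials, so a lockout holds
    # Constant-time comparisons so timing does not leak which field was wrong.
    ok_user = hmac.compare_digest(username.encode(), b"admin")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    ok_pass = hmac.compare_digest(candidate, _ADMIN_HASH)
    if ok_user and ok_pass:
        _failures.pop(client_ip, None)
        return (200, "OK")
    _failures[client_ip] = (count + 1, since)
    return (401, "Invalid credentials")  # same message for bad user or bad password
```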