Common Administration Interfaces
OWASP 2013-A7 OWASP 2017-A5 OWASP PC-C7 CAPEC-1 WASC-15
Administrator interfaces are usually present in the application server. It is used to allow certain users to conduct privileged activities on the web application. A web application requires an administrator interface to access functionality to enabled users. The changes may include:
- User account management: The user management involves managing the users that have access to the server.
- Site design management: The site design management involves management of site’s UI.
- Data management: The data management involves the management of data present in the server.
- Configuration management: The configuration management is the management of the server’s configuration. Many servers fail to allow certain administrator interfaces for users to undertake privileged activities on the web application. The attacker can access functionalities using privileged access on the web application and can completely take over the server. This vulnerability can be exploited by executing malicious PHP code on the web server.
Using this vulnerability, an attacker can:-
- gain complete access to the server.
- steal sensitive information about the server.
- perform a complete takeover of the server.
If an attacker gets access to administration interfaces, he can completely comprise the application and the server.
Mitigation / Precaution
Beagle recommends the following fixes:-
- Regularly use software testing methods. The methods include Black Box Testing, Gray Box Testing etc to find bugs in the server.