A common question in web application tests is whether it is necessary to scan the admin interface at all. Users with an ordinary level of rights can't log in to it anyway, so no threat is expected from that direction. But is that really so?
The admin interface is typically well separated from the "normal" interface of our web application. It is usually a webpage available on a separate domain and, if all goes well, only under special conditions (for example from an internal network or over a VPN). On these pages, our employees manage the data of our customers and troubleshoot any problems that arise.
In a web application assessment, this is usually the point where money gets saved, because it is assumed that restricting access is sufficient protection to keep our data safe.
According to an IBM 2016 report, 60% of data thefts were committed with the help of employees or by the employees. Where is the point where our employees have access to our customers’ data? In the admin interface.
What types of tests are worth performing in the admin interface?
As a first step it is best to extend the web application test with a black box test against the administration site. This verifies that the interface is properly protected from the Internet. It can even include password-guessing attempts against the login interface: in this case, we compile a list of likely user names from data available on the internet and try to log in with the most common passwords.
It is then recommended to perform a very thorough gray box test that covers all user levels. It must be examined whether each user level is properly separated, whether the required privileges are correctly enforced and whether, in general, the principle of least privilege applies.
In addition, each feature must be tested for proper operation and for any possibility of gaining unauthorized access to other users' data, files and resources. It is important to check whether the file download function can really download only the files uploaded by clients. A common flaw is that a little parameter manipulation is enough to download the application's source code. In that case, the configuration files are usually reachable as well, and they already contain the credentials needed to access the database.
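The download flaw described above, as an added illustration that is not code from the original post or from the company's assessments: a handler that joins request parameters straight into a file path next to a hardened version that canonicalises the path and checks it stays inside the customer's own upload folder. The directory layout, file names and the `customer-42` id are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

def build_fixture() -> Path:
    """Constructed demo layout: secrets in <root>/app, customer files in <root>/uploads/<customer>."""
    root = Path(tempfile.mkdtemp(prefix="admin-demo-"))
    (root / "app").mkdir()
    (root / "app" / "config.ini").write_text("db_password=PLACEHOLDER-NOT-A-REAL-SECRET\n")
    (root / "uploads" / "customer-42").mkdir(parents=True)
    (root / "uploads" / "customer-42" / "report.pdf").write_text("customer report\n")
    return root

def download_vulnerable(root: Path, customer: str, filename: str) -> bytes:
    # Joins the request parameters straight into the path. A file name such as
    # '../../app/config.ini' walks out of the upload tree and returns the config file.
    path = os.path.join(root, "uploads", customer, filename)
    with open(path, "rb") as fh:
        return fh.read()

def download_hardened(root: Path, customer: str, filename: str) -> bytes:
    # In a real application the customer id should come from the server-side session
    # or from a database lookup of the requested record, never from a free-form parameter.
    upload_root = (root / "uploads").resolve()
    if not filename or "/" in filename or os.sep in filename or filename in (".", ".."):
        raise PermissionError("file name must be a bare name, not a path")
    customer_dir = (upload_root / customer).resolve()
    # Canonicalise (follows symlinks and '..') and confirm each level stays inside its parent.
    if customer_dir.parent != upload_root:
        raise PermissionError("customer folder escapes the upload root")
    target = (customer_dir / filename).resolve()
    if target.parent != customer_dir:
        raise PermissionError("file escapes the customer folder")
    if not target.is_file():
        raise FileNotFoundError(filename)
    return target.read_bytes()

def hardened_outcome(root: Path, customer: str, filename: str) -> str:
    """Summarise the hardened handler's decision for a request: 'ok', 'blocked' or 'missing'."""
    try:
        download_hardened(root, customer, filename)
        return "ok"
    except PermissionError:
        return "blocked"
    except FileNotFoundError:
        return "missing"

if __name__ == "__main__":
    demo_root = build_fixture()
    print(download_vulnerable(demo_root, "customer-42", "../../app/config.ini"))  # leaks config.ini
    print(hardened_outcome(demo_root, "customer-42", "../../app/config.ini"))     # blocked
```

The same check is what a gray box test exercises by hand: every parameter that names a file or record is tried with values belonging to another customer or to the application itself.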
Unfortunately, our experience shows that the admin interface is usually a closet full of skeletons. For this reason, our assessment is often followed by further analysis to determine whether the vulnerabilities found have already been exploited by malicious staff in the preceding period.
Entrust us with the examination of the admin interface! Our company has nearly 10 years of experience in testing web applications. Don’t hesitate to contact us!