Administrative Interface Access is the ultimate goal of any attack whose objective is to gain administrator privileges on a target application server. Administrative Interface Attacks are usually implemented using any number of attack strategies, including SQL injection, cross-site scripting, parameter tampering, etc. Administrative Interface access enables the attacker to gain total control of the application and possibly other parts of the network. It also enables the implantation of backdoors for accessing the application in the future.
One of the most overlooked but important categories of application security vulnerabilities is Remote Administration Flaws. Many products and applications, including security products, rely on the trusted nature of the environment in which they operate to maintain security. The products' designers assume that only authorized systems or users can gain access to the administrative interfaces, so they do not develop code to protect those interfaces from unauthorized access. Administrators who are unaware of this vulnerability may allow remote access to administrative interfaces through the Internet, introducing a significant weakness.
For example, consider a sales reporting application that provides an administrative interface. The administrative interface is accessible through HTTP and does not limit unsuccessful login attempts. If an attacker employs a brute force attack on the password field, it is only a matter of time until the proper administrator's password is found. Once compromised, the administrative interface allows unauthorized access to the application and may even lead to compromise of the entire network.
A compromised administrative interface can also be utilized to implant backdoors in the application or system, allowing an attacker to gain privileged access to the application even after the administrative interface vulnerability has been corrected.
Unauthorized Administrative Interface Access Prevention
| Solution | Blocks access to administrative interface? |
|---|---|
| Imperva SecureSphere | Yes |
| Intrusion Detection Systems | No |
| Intrusion Prevention Systems | No |
In this scenario, the attacker accesses unauthorized Web pages. Intrusion Detection and Prevention Systems that are not Web-application oriented cannot tell which Web pages are authorized and which are not; these products treat all pages the same.
In order to tell which pages are authorized, the product must gain that knowledge somehow. There are two ways of gaining it: you can either configure the product with the names of the allowed pages, or the product can learn them automatically from the network traffic. Imperva SecureSphere supports both approaches. During learn mode the product learns which pages are allowed to be accessed from the Internet; you can also manually configure the product with that information. During protect mode the product alerts on any attempt to access unauthorized pages from the Internet.
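The learn/protect approach described above, as an added toy example (not the page's or Imperva's own code): learn mode builds an allowlist of paths requested from the Internet (learn traffic is assumed clean, and paths can also be configured by hand), and protect mode alerts on Internet-sourced requests for any other path, plus on the repeated failed admin logins from the brute-force scenario earlier on the page. The one-line log format, the internal address ranges and the sample traffic are constructed assumptions.

```python
# Added example (not the page's or Imperva's code): toy model of the
# learn/protect approach. Log format and internal ranges are assumptions.
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse(line):
    """Parse 'src_ip METHOD /path status' (constructed log format)."""
    src, method, path, status = line.split()
    return src, method, path.split("?", 1)[0], int(status)

def learn(lines, manual=()):
    """Learn mode: Internet-requested paths (clean traffic assumed) + manual."""
    allowed = set(manual)
    for line in lines:
        src, _, path, _ = parse(line)
        if not is_internal(src):
            allowed.add(path)
    return allowed

def protect(lines, allowed, max_failures=5):
    """Protect mode: alert on Internet requests for unlearned paths, and on
    repeated failed logins (401) from one source to one path (brute force)."""
    alerts, failures = [], Counter()
    for line in lines:
        src, method, path, status = parse(line)
        if is_internal(src):
            continue                      # internal access is out of scope
        if path not in allowed:
            alerts.append(("unauthorized-page", src, path))
        if status == 401:
            failures[(src, path)] += 1
            if failures[(src, path)] == max_failures:
                alerts.append(("brute-force", src, path))
    return alerts

# Constructed sample traffic: /admin is only ever reached internally.
LEARN_LOG = ["203.0.113.5 GET /reports 200",
             "203.0.113.5 GET /reports/sales?q=2024 200",
             "10.0.0.7 GET /admin 200"]
PROTECT_LOG = ["198.51.100.9 GET /reports 200"] + \
              ["198.51.100.9 POST /admin/login 401"] * 5
if __name__ == "__main__":
    for alert in protect(PROTECT_LOG, learn(LEARN_LOG)):
        print(alert)
```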