Administrator interfaces may be present in the application and on the application servers to allow certain users to undertake privileged activities on the site. Tests should be undertaken to reveal if and how this privileged functionality can be accessed by an unauthorized or standard user.
Applications may require an administrator interface to enable a privileged user to access functionality that may make changes to how the site functions. Such changes may include:
1. User account provisioning
2. Site design and layout
3. Data access
4. Configuration changes
The Admin Interface lets you complete any of the following tasks:
1. Create or configure groups.
2. Handle basic software configurations.
3. Create or manage forests.
4. Create or manage databases.
5. Back up or restore forest content.
6. Create and manage security configurations.
7. Configure namespaces and schemas.
8. Tune system performance.
9. Check the status of resources on your systems.
Accessing the Admin Interface:
Only authorized administrators can log in to the Admin Interface. An authorized administrator is a user who has the admin role. Authorized administrators have access to all administrative actions in MarkLogic Server; therefore authorized administrators are trusted personnel and are assumed to be non-hostile, appropriately trained, and to follow proper administrative procedures.
How to Test:
Gray Box Testing:
A more detailed examination of the server and application components should be undertaken to ensure hardening and, where applicable, to verify that each component does not use default credentials or default configurations.
Source code should be reviewed to ensure that the authorization and authentication model enforces a clear separation of duties between normal users and site administrators.
User interface functions shared between normal and administrator users should be reviewed to ensure a clear separation between the rendering of such elements and any information leakage from the shared functionality.
Black Box Testing:
The following sections describe vectors that may be used to test for the presence of administrative interfaces.
1. There are several tools available to perform brute forcing of server contents.
2. Comments and links in source code. Many web sites use common code that is loaded for every site user.
3. Directory and file enumeration. An administrative interface may be present but not visibly exposed to the tester.
4. Publicly available information. Many applications, such as WordPress, have default admin interfaces.
5. A GET or POST parameter or a cookie variable may be required to enable the administrator's functionality.
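As an added example (not part of the original text), the following toy handler shows the weak pattern from item 5, where a client-controlled parameter or cookie switches on administrator functionality, beside the server-side role check and separation of rendering that the gray box source review above looks for. The session store, request shape and link names are constructed for illustration.

```python
"""Constructed example: client-controlled privilege flag vs. server-side role."""
from dataclasses import dataclass, field

# Constructed sample data: server-side session store, session id -> record.
SESSION_STORE = {
    "sess-alice": {"user": "alice", "role": "admin"},
    "sess-bob":   {"user": "bob",   "role": "user"},
}

@dataclass
class Request:
    params: dict = field(default_factory=dict)   # GET/POST parameters
    cookies: dict = field(default_factory=dict)

def is_admin_insecure(req: Request) -> bool:
    """Weak pattern: privilege is decided by values the client sends."""
    return (req.params.get("admin") == "1"
            or req.cookies.get("isadmin") == "true")

def is_admin_secure(req: Request) -> bool:
    """Hardened: privilege is read only from the server-side session record."""
    session = SESSION_STORE.get(req.cookies.get("sid", ""))
    return session is not None and session["role"] == "admin"

def render_nav(req: Request, check=is_admin_secure) -> list[str]:
    """Shared UI: admin-only links are rendered only after the role check,
    so the page shared with normal users leaks nothing about admin functions."""
    links = ["/home", "/profile"]
    if check(req):
        links.append("/admin/users")
    return links

def audit_requests(requests) -> list[Request]:
    """Detection aid: requests carrying an admin-style flag without an admin
    session are parameter-tampering attempts worth logging and alerting on."""
    return [r for r in requests
            if is_admin_insecure(r) and not is_admin_secure(r)]
```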