Admin Panel Takeover Using a Leaky JS File

1 month ago 23
BOOK THIS SPACE FOR AD
ARTICLE AD

Raunak Gupta Aka Biscuit

Free Article Link: Here!!!

While exploring the site’s front end, I decided to check the “JS files” (Pro tip: always check them, they sometimes reveal hidden information!). One file immediately caught my eye , a strangely named file like admin.js. Curious, I opened it, and sure enough, I found hardcoded credentials and the admin login path right there. It felt like an early Christmas gift.

The Takeover

it was time to check if the admin panel was actually accessible. Enter the URL: /admin/dashboard(or something equally predictable). Boom. The panel greeted me like an old friend, no MFA, no CAPTCHA, just wide open for business.

I logged in with the hardcoded credentials, expecting some resistance, but nah, the admin panel welcomed me without any drama. From there, I could basically do whatever an admin could, like modify user data, change site settings, and potentially cause havoc (don’t worry, I didn’t).

Read Entire Article