My Encounter with an Admin Panel in a Gas Agency Website


Parth Rana

Photo by Saksham Choudhary: https://www.pexels.com/photo/man-holding-laptop-computer-with-both-hands-2036656/

Hello, everyone! My name is Parth Rana, a core CS student, and I’m excited to share my very first blog post on Medium. As a newbie in the field of cybersecurity, I’m constantly exploring and learning about web security.

I've always been curious about seeing an admin panel of a company, but I never expected to stumble upon the panel of a government website.😁

It all started on a summer afternoon after my exams ended. I was browsing local websites in order to get some juicy info. We are all familiar with the gas connections at our homes, so out of curiosity I googled the gas agency website, started hunting on it, and went on to discover the gas agencies of different states.

Note

Please note that the actual names of the website and location have been changed to “redacted” for privacy reasons. This ensures the security and confidentiality of all parties involved.

Site1: redactedgas.co.in

Site2: redactedgas.org

Site1

As a newbie, I often search for directory listing vulnerabilities on websites nowadays. So, first, I explored the images on the website and then opened an image in a new tab.

At first the URL was: https://redactedgas.co.in/assets/images/bill.jpg

Then, in order to check for the vuln., I removed the file name bill.jpg: https://redactedgas.co.in/assets/images/

Boom!!!

Index of /assets/images

Then I thought, why not give it a try and add /admin/: https://redactedgas.co.in/admin/

👀 By diving more into curiosity I clicked Home only to stumble upon the Admin Page, laid bare and unguarded, like an undiscovered treasure awaiting its explorer.

Application’s default page, yeah!!

The moment of truth!!!

Admin Panel

At this point I was able to view information that was not allowed to a normal user.

From the Consumer Number I was able to view the following information: Name, Mobile, E-mail ID, OTP.

Consumer Info

Now at this point I decided not to go any further💀 and to report it to the officials.
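The two weaknesses described above (an open directory index under /assets/images/ and an /admin/ consumer lookup that shows name, mobile, e-mail and OTP to anyone) come down to missing server-side checks. The following is an added illustration, not code from the original post or from the agency's site: a framework-free Python model of a static handler that refuses to enumerate directories and an admin handler that requires an authenticated admin session and strips the OTP from what it returns. The asset paths, session IDs and consumer records are constructed sample data.

```python
"""Added illustration (not from the original post): the two weaknesses the
write-up describes, modelled in plain Python without a web framework.

1. Static asset paths like /assets/images/ must never return a directory
   index; only individual files under the asset root are served.
2. An /admin/ consumer lookup must require an authenticated admin session
   and must not hand back secrets such as a live OTP.

All paths, sessions and consumer records below are constructed sample data.
"""
import os
import tempfile
from typing import Optional

# --- constructed sample data (hypothetical values) ---------------------------
CONSUMERS = {
    "1001": {"name": "A. Sample", "mobile": "9000000000",
             "email": "a.sample@example.invalid", "otp": "482913"},
}
# Server-side session store: session id -> role. Only "admin" may use /admin/.
SESSIONS = {"sess-admin": "admin", "sess-consumer": "consumer"}

# Fields an admin may see; the OTP is deliberately excluded from any response.
ADMIN_VISIBLE_FIELDS = ("name", "mobile", "email")


def serve_static(asset_root: str, url_path: str) -> tuple[int, str]:
    """Serve one file under asset_root; never produce a directory listing.
    Returns (HTTP status, body or short message)."""
    if not url_path.startswith("/assets/"):
        return 404, "not found"
    rel = url_path[len("/assets/"):]
    # Resolve and confine the target to the asset root (also blocks ../ escapes).
    root = os.path.realpath(asset_root)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        return 404, "not found"
    if os.path.isdir(target):
        # The "Index of /assets/images" case: refuse instead of enumerating.
        return 403, "directory listing disabled"
    if not os.path.isfile(target):
        return 404, "not found"
    with open(target, "rb") as fh:
        return 200, fh.read().decode("latin-1")


def admin_consumer_lookup(session_id: Optional[str],
                          consumer_no: str) -> tuple[int, dict]:
    """Admin endpoint: authenticate, authorise, then return a minimised record."""
    role = SESSIONS.get(session_id or "")
    if role is None:
        return 401, {"error": "login required"}
    if role != "admin":
        return 403, {"error": "admin role required"}
    record = CONSUMERS.get(consumer_no)
    if record is None:
        return 404, {"error": "no such consumer"}
    # Data minimisation: the OTP never leaves the server, even for admins.
    return 200, {k: record[k] for k in ADMIN_VISIBLE_FIELDS}


def demo() -> dict:
    """Exercise both handlers against a constructed asset directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "images", "bill.jpg"), "wb") as fh:
            fh.write(b"JPEGDATA")  # constructed stand-in for an image file
        results = {
            "file": serve_static(root, "/assets/images/bill.jpg")[0],
            "listing": serve_static(root, "/assets/images/")[0],
            "traversal": serve_static(root, "/assets/../etc/passwd")[0],
        }
    results["anon"] = admin_consumer_lookup(None, "1001")[0]
    results["consumer_role"] = admin_consumer_lookup("sess-consumer", "1001")[0]
    status, body = admin_consumer_lookup("sess-admin", "1001")
    results["admin"] = status
    results["otp_leaked"] = "otp" in body
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same two controls exist as switches in real servers (for example, turning off automatic directory indexes in the web server and putting the admin application behind a login), but the point the model makes is that both are server-side decisions: the directory index and the admin page were reachable because nothing on the server refused the request, and the OTP was visible because the page rendered the whole record instead of only the fields an operator needs.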

Site2

The same approach goes for the second site. I tested for the directory listing vulnerability and it led to information disclosure.

https://redactedgas.org/

assets
images
index_files
pdf
tenders

As someone new to cybersecurity, this incident underscored the need for vigilance and proper security measures in the digital era.

After days of anxious waiting, they finally addressed the bug. However, instead of fixing it, they opted to delete the entire page🙄

I know these were very basic bugs, but as a beginner they meant a lot to me, as they were my first bugs.

Thank you for reading, and I look forward to sharing more of my cybersecurity journey with you.

LinkedIn: https://www.linkedin.com/in/parth-rana-52644826b/
