In all the SaaS type applications I’ve ever developed, the privileged “Admin Panel” functionality is always on a private network accessible only via VPN access, which is authenticated via a password + private key. Then the Admin Panel itself has its own separate login, which is username + password. Ideally the private key for the VPN is a hardware token, but I will admit in most cases it’s simply a file on the drive. The Admin Panel has zero third party JavaScript nor client-side analytics. I’m not sure this buys quite as much security as it might appear, because there’s probably any number of ways to piggyback on a valid session. For example, there was a bug bounty Tesla paid out when a researcher was able to establish XSS by mangling their car name, which was read via the API and showed up in an internal dashboard as unescaped HTML. So I think the biggest attack surface for Admin Panels remains a hostile client seeding XSS into unescaped fields, and CSP helps a great deal with this, but at the very least I don’t see any reason why these panels should be on a public URL. You can say, well, they should have MFA on the panel, but I can’t shake the feeling that these simple measures avoid a huge number of attackers looking for low-hanging fruit. It’s like putting SSH on a non-standard port. It’s theoretically meaningless but practically it’s a huge improvement, if only because it helps attack signals stand out against the script kiddie noise.
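The "customer-controlled field rendered unescaped in an internal dashboard" problem described above, as an added example (not code from the commenter or from any real admin panel): an admin table row built from API data, first interpolated raw, then with the field escaped, plus the kind of strict CSP header that limits the damage if something still slips through. The vehicle record, the nonce and the helper names are constructed for the example.

```javascript
// Added example: an admin dashboard row built from API data. A hostile client
// controls fields such as a vehicle name; the panel must treat them as text,
// never as HTML. Plain Node.js, no dependencies.

// Escape the five characters that matter when text is placed inside element
// content or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: interpolates API data straight into markup, so whatever the
// customer typed becomes part of the admin page's DOM.
function renderRowUnsafe(vehicle) {
  return `<tr><td>${vehicle.id}</td><td>${vehicle.name}</td></tr>`;
}

// Hardened: every untrusted field is escaped before it reaches the markup.
function renderRowSafe(vehicle) {
  return `<tr><td>${escapeHtml(vehicle.id)}</td><td>${escapeHtml(vehicle.name)}</td></tr>`;
}

// Defence in depth for the panel: a CSP that only allows script carrying the
// per-response nonce, so stray inline or third-party script does not execute.
// The nonce must be freshly generated for every response; a fixed constructed
// value is passed in by the caller here.
function cspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Detection hint: angle brackets in a field that should be a plain name are
// worth logging at the API boundary, regardless of whether rendering escapes.
function looksLikeMarkup(value) {
  return /[<>]/.test(String(value));
}

// Constructed sample: a "car name" chosen by a hostile customer.
const hostileVehicle = { id: 42, name: "My Car<script>alert(1)</script>" };
```

Serving the safe row with the CSP header turns the same record into harmless text in the dashboard, while the unsafe row would hand the customer script execution in an administrator's session.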
At which level is the interface between the admin panel and the apps? Is it a dedicated app for the admin panel that is just a front end to an AD or database? Like there is no real admin panel on the app itself.