Two Pakistani federal government websites expose their administrative login panels directly to the internet during an active military conflict — with no Web Application Firewall, no IP restriction, no rate limiting, and no CAPTCHA.
During wartime, when most government infrastructure is offline, these two endpoints remain reachable from the internet with no protective measures — suggesting they were either overlooked in the defensive shutdown or deemed non-critical.
Target 1: FSP.GOV.PK — Food Security Portal
| Field | Value |
|---|---|
| URL | https://fsp.gov.pk/AdminLogin |
| Title | "Admin Dashboard - Login" |
| Server | Apache |
| Page Size | 4,480 bytes |
| Auth Method | POST form (username + password) |
| HTTPS | Yes |
| WAF | NONE |
| CAPTCHA | NONE |
| Rate Limiting | NOT OBSERVED |
Behavior Analysis
The main site (fsp.gov.pk) exhibits soft-404 behavior — most paths return HTTP 200 with the same 428-byte response. /AdminLogin is a distinct, real page (4,480 bytes) with a functioning login form. This indicates the admin panel is deliberately deployed at this path and is reachable without any access restriction.
Ministry Context
The Ministry of National Food Security & Research oversees:
- Agriculture policy and food supply chains
- Crop production data and national forecasting
- Food import/export regulation
- Seed certification and fertilizer distribution
- Animal husbandry and fisheries
Compromise of this admin panel could expose national food supply chain data and policy decisions.
Target 2: EP.GOV.PK — Pakistan Post EMTTS
| Field | Value |
|---|---|
| URL | https://ep.gov.pk/hq/locationissue.asp |
| Title | "Admin Login" |
| Server | Microsoft-IIS/10.0 |
| Powered By | ASP.NET |
| Page Size | 17,340 bytes |
| Auth Method | POST form (username + password) |
| HTTPS | Yes |
| WAF | NONE |
Additional Endpoints Discovered
| Path | Status | Size | Description |
|---|---|---|---|
| / | 200 | 21,871 bytes | EMTTS Homepage |
| /hq/ | 200 | 6,241 bytes | "header1" — partial admin interface |
| /hq/locationissue.asp | 200 | 17,340 bytes | Admin Login |
| /track/ | 200 | 583 bytes | Tracking endpoint |
| /trace.axd | 403 | — | ASP.NET tracing ENABLED (403, not 404) |
| /aspnet_client/ | 403 | — | Client-side script directory exists |
/trace.axd returns 403 "Trace Error" rather than 404. This indicates ASP.NET request tracing is enabled on the server. A misconfiguration or bypass could expose full request/response data including authentication tokens.
Pakistan Post Context
Pakistan Post operates Express Mail Service (EMS), track and trace systems for domestic/international parcels, money order services, and HQ administrative operations. The admin panel at /hq/locationissue.asp manages HQ-level operations including location/branch management.
University Admin Panels (Additional)
| URL | Size | Description | Auth Required |
|---|---|---|---|
| qau.edu.pk/admin/ | 94 KB | "Administration Section — QAU" | NONE |
| pu.edu.pk/admin/ | 82 KB | University administrative section | NONE (HTTP 200) |
Attack Vectors
| Attack Type | FSP | EP (Pakistan Post) | Risk |
|---|---|---|---|
| Brute Force | Possible (no CAPTCHA) | Possible | HIGH |
| Credential Stuffing | Possible | Possible | HIGH |
| Password Spraying | Possible | Possible | HIGH |
| SQL Injection (login form) | Untested | Untested | MEDIUM |
| ASP.NET Trace Enumeration | N/A | Possible (/trace.axd) | MEDIUM |
| ViewState Deserialization | N/A | Possible (ASP.NET) | MEDIUM |
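The findings for the EP target (an unrestricted admin login on IIS 10, a responsive /trace.axd, and an advertised ASP.NET stack) map onto a small set of IIS/ASP.NET settings. The fragment below is an added, constructed web.config example written for this page; it is not the configuration of ep.gov.pk or of any other site listed here, which the report does not show. The internal network range, the rate-limit values, and the trace-handler name are assumptions to be adjusted on deployment. One caveat on the /trace.axd reading above: a 403 "Trace Error" shows that the trace handler is mapped and reachable; whether tracing data is actually produced for remote clients depends on the `enabled` and `localOnly` attributes of the `trace` element, so the handler should be unmapped and tracing disabled regardless. The Apache equivalent for the FSP panel is a `<Location "/AdminLogin">` block with a `Require ip` directive.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example web.config for an ASP.NET site on IIS 10.
     Not taken from any site named in the report. -->
<configuration>
  <system.web>
    <!-- Disable request tracing. With enabled="false", /trace.axd no longer
         returns captured request/response data to anyone. localOnly="true"
         is the fallback if tracing must stay on for local developers. -->
    <trace enabled="false" localOnly="true" />
    <!-- Stop sending the X-AspNet-Version response header. -->
    <httpRuntime enableVersionHeader="false" />
    <!-- Never return stack traces or detailed errors to remote clients. -->
    <customErrors mode="RemoteOnly" />
  </system.web>

  <system.webServer>
    <!-- Remove the X-Powered-By: ASP.NET banner noted in the report. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <!-- Unmap the trace handler so /trace.axd returns 404 instead of 403.
         The handler name is the IIS default from applicationHost.config;
         verify it on the target server before relying on it. -->
    <handlers>
      <remove name="TraceHandler-Integrated-4.0" />
    </handlers>
    <security>
      <!-- Dynamic IP Restrictions (IIS 8 and later): deny a client that sends
           more than 20 requests in any 10-second window. The thresholds are
           assumptions; tune them to legitimate login traffic. -->
      <dynamicIpSecurity denyAction="Forbidden">
        <denyByRequestRate enabled="true"
                           maxRequests="20"
                           requestIntervalInMilliseconds="10000" />
      </dynamicIpSecurity>
    </security>
  </system.webServer>

  <!-- Restrict the HQ admin area (the /hq/ path family) to the internal
       management network. 10.10.0.0/16 is a placeholder range. -->
  <location path="hq">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="10.10.0.0" subnetMask="255.255.0.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two deployment notes: the `ipSecurity` and `dynamicIpSecurity` sections require the "IP and Domain Restrictions" feature to be installed, and both are locked at the server level by default, so the corresponding sections in applicationHost.config must be unlocked (for example with `appcmd unlock config -section:system.webServer/security/ipSecurity`) before a site-level web.config can set them. Per-IP rate limiting does not stop a distributed password spray on its own; it should sit alongside account lockout, multi-factor authentication, and alerting on failed-login volume, none of which the report observed on these panels.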