Page 144 - Hands-On Bug Hunting for Penetration Testers
8
Access Control and Security Through Obscurity
Security through (or by) obscurity is a strategy in web application development that
assumes a hacker can't hack what he can't see; even if a vulnerability exists, as long as it's
appropriately hidden or obfuscated, it'll never be discovered and used for malicious
purposes.
While this can feel true (how could someone find this thing I've cleverly hidden; I've
cleverly hidden it), it ignores a basic understanding of computers and programming.
Computers are great at finding needles in haystacks. And it's not just one person
programming one script on one machine who's interested in probing your site for
vulnerabilities; any site exposed to the internet faces a crowd-sourced attempt to
compromise its network. When you assume that no one will find your hidden exploit,
you're actually assuming no one, among the many people targeting you (directly or
indirectly), over the course of your site's lifetime, with the resources of the entire internet,
will be successful. It's a dangerous bet to make.
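As an added, defender-side illustration of the point above (this is not code from the book): the automated hidden-content scanners the chapter goes on to use announce themselves in a web server's access log as a burst of 404s across many distinct paths from a single client, and any path they did find shows up as the odd non-404 in that burst. The log lines and thresholds below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined format); not real traffic from the book.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /config.php.bak HTTP/1.1" 200 912 "-" "Mozilla/5.0"
198.51.100.24 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.24 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.24 - - [10/Oct/2023:13:56:03 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# client ip, request line (method + path), and the 3-digit status code
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_log(text):
    """Yield (ip, path, status) for each well-formed combined-format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))

def find_forced_browsing(text, min_404s=3, min_404_ratio=0.5):
    """Flag clients whose traffic looks like a hidden-content scan.

    A scanner probing unlinked paths produces mostly 404s; a human browsing
    produces mostly 200s. Returns ip -> {"not_found", "total", "hits"}, where
    "hits" lists the non-404 paths the scanner reached, so they can be reviewed.
    """
    per_ip = defaultdict(lambda: {"not_found": 0, "total": 0, "hits": []})
    for ip, path, status in parse_log(text):
        stats = per_ip[ip]
        stats["total"] += 1
        if status == 404:
            stats["not_found"] += 1
        else:
            stats["hits"].append(path)
    return {ip: s for ip, s in per_ip.items()
            if s["not_found"] >= min_404s
            and s["not_found"] / s["total"] >= min_404_ratio}

if __name__ == "__main__":
    for ip, s in find_forced_browsing(SAMPLE_LOG).items():
        print(f"{ip}: {s['not_found']}/{s['total']} requests were 404; reached: {s['hits']}")
```

Anything listed under "reached" is a path that was relied on being unlinked rather than access controlled, which is exactly the class of finding the rest of the chapter is about.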
In this chapter, we'll be demonstrating the use of various tools to find hidden content, and
discussing the differences between what merits a payout and what doesn't: there's so much
data flooding every corner of the web that it's important to have an understanding of what
programs value. We'll also cover the shortcomings of the security mindset that can make
data leakage such a critical vulnerability for so many sites. Of course, we'll also take an
example of data leakage through the full life cycle of the bug bounty process, from
discovery, to validation, to submission.
Technical Requirements
For this chapter, we'll be using Burp Suite and its hidden content features, as well as
Chrome ( ). We'll also be using WebGoat, an intentionally vulnerable app
created by OWASP that you can download and practice against.

