Page 150 - Hands-On Bug Hunting for Penetration Testers
Chapter 8: Access Control and Security Through Obscurity
Committing sensitive credentials to a public GitHub or Bitbucket repo has become so common that blog posts such as A Very Expensive AWS Mistake (https://medium.com/@morgannegagne/a-very-expensive-aws-mistake-...) have become their own content niche. In that particular post, a developer working through the Flatiron development bootcamp commits her AWS IAM credentials to GitHub and only discovers the error when she starts exceeding her free-tier limits, finally seeing the $3,000+ bill she has racked up in the short time her credentials have been exposed.
The practice has even spawned a variety of SaaS businesses that scan your public source code and notify you if you've included any sensitive information. Businesses such as GitGuardian (https://www.gitguardian.com/tweet) and GitMonkey (https://gitmonkey.io/) are designed to provide a notification safety net if a tired or junior developer mistakenly versions credentials. The notification is a safety net, not a cure: a key that has been pushed to a public repository should be treated as compromised and rotated even if the commit is removed minutes later, because rewriting history does not recall what automated scrapers have already fetched.
Client Source Code
Client source code (the static JavaScript, HTML, and CSS executed in your browser) is different from the entire source code repo represented by a Git project. You're less likely to find a config file with application-level secrets, and the amount of business logic exposed will probably be minimal (even an all-JavaScript, Angular, or React app will keep most of its logic in a connected API), but there are still opportunities to harvest weak cookies, futz with client-side validations, and look for old settings, resources, and functionality in commented-out code.
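The "commented-out code" hunt is easy to do by hand on one file and tedious across a minified bundle, so here is an added example (not code from the book) that pulls the comments out of a JavaScript source and lists the URLs, multi-segment paths, and developer notes found in them. It walks the source character by character so that a `//` inside a string literal is not mistaken for a comment; regex literals are not tokenised, which is a known limitation. The sample JavaScript is constructed for this example and the hostnames in it are placeholders.

```python
import re

# What a tester looks for inside comments: absolute URLs and multi-segment paths
# (old endpoints, debug routes) plus notes that hint at unfinished or disabled
# controls. The marker list is an assumption; extend it to taste.
LEFTOVER_URL = re.compile(r"""https?://[^\s'")]+|(?<![\w:/])/[\w.-]+(?:/[\w.-]+)+""")
NOTE_MARKER = re.compile(r"\b(?:TODO|FIXME|XXX|HACK|DISABLED|REMOVE)\b", re.I)


def extract_js_comments(src):
    """Return [(start_line, raw_comment_text)] for // and /* */ comments.

    String literals ('', "", ``) are skipped so a URL such as "https://..."
    inside a string is not reported as a line comment. Regex literals are not
    tokenised; a regex containing '//' or '/*' can still confuse this scanner.
    """
    comments, i, n, line = [], 0, len(src), 1
    while i < n:
        ch = src[i]
        if ch == "\n":
            line += 1
            i += 1
        elif ch in "'\"`":
            quote, i = ch, i + 1
            while i < n and src[i] != quote:
                if src[i] == "\\":
                    i += 1            # skip the escaped character
                elif src[i] == "\n":
                    line += 1         # template literals may span lines
                i += 1
            i += 1                    # closing quote
        elif src.startswith("//", i):
            end = src.find("\n", i)
            end = n if end == -1 else end
            comments.append((line, src[i + 2:end]))
            i = end
        elif src.startswith("/*", i):
            end = src.find("*/", i + 2)
            end = n if end == -1 else end
            body = src[i + 2:end]
            comments.append((line, body))
            line += body.count("\n")
            i = end + 2
        else:
            i += 1
    return comments


def find_leftovers(src):
    """URLs/paths and developer notes found in the comments of one JS file."""
    urls, notes = [], []
    for start_line, text in extract_js_comments(src):
        for m in LEFTOVER_URL.finditer(text):
            # a block comment may span lines; attribute the hit to its own line
            urls.append((start_line + text[:m.start()].count("\n"), m.group(0)))
        if NOTE_MARKER.search(text):
            notes.append((start_line, " ".join(text.split())))
    return {"urls": urls, "notes": notes}


# Constructed sample: a live API base in a string (must not be reported), a
# retired endpoint in a line comment, a validation note, and a disabled call
# to a debug route inside a block comment.
SAMPLE_JS = """\
const base = "https://app.example.com/api/v2"; // current API
// old endpoint, remove after migration: https://legacy.example.com/api/v1/admin/export
function validateEmail(e) { return /@/.test(e); } // validation also done server-side? TODO check
/* disabled 2019:
   fetch(base + "/internal/debug/users")
*/
const s = 'string with // not a comment';
"""

if __name__ == "__main__":
    found = find_leftovers(SAMPLE_JS)
    for line, url in found["urls"]:
        print(f"line {line}: {url}")
    for line, note in found["notes"]:
        print(f"line {line}: {note}")
```

Every path this turns up is a candidate for the same request-by-hand treatment as an endpoint found in a proxy log: an endpoint that was commented out of the client has often not been removed from the server, and a comment like "validation also done server-side?" tells you exactly which client-side check to bypass first.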
Hidden Fields
Hidden fields are technically part of the client code, but they merit extra consideration as a prime vector for malicious data input. If you're messing with hidden fields, it's important to avoid submitting values for honeypot fields. Honeypot fields are hidden input tags that, since a normal GUI user can't see them, usually don't get submitted, unless the form is being fuzzed by a script that injects values into every available input field it can. A submission that fills in a honeypot field therefore marks itself as automated, so a fuzzer needs to tell genuine hidden fields (a CSRF token, or a record ID worth tampering with) apart from honeypots (inputs hidden with CSS or a negative tabindex, which should be left empty or omitted).
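As an added example (not code from the book), the following parses a form with Python's standard-library HTML parser, classifies each field as a real hidden field, a honeypot, a visible fuzz target, or a button, and then builds a request body that puts the payload only where a human could have typed it while keeping (or deliberately tampering with) the hidden fields. The honeypot heuristics (display:none or visibility:hidden on the field or an ancestor, off-screen positioning, the hidden and aria-hidden attributes, tabindex="-1") and the sample form are assumptions for this example.

```python
import re
from html.parser import HTMLParser

VOID_TAGS = {"input", "img", "br", "hr", "meta", "link", "area", "base", "col"}
# CSS that takes an element out of view without making it type="hidden": the
# usual honeypot tricks (display:none, visibility:hidden, off-screen positioning).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)


class FormFieldParser(HTMLParser):
    """Collect form fields and classify each as hidden, honeypot, visible or control."""

    def __init__(self):
        super().__init__()
        self.open_tags = []   # (tag, hidden_by_css) for currently open non-void elements
        self.fields = []

    @staticmethod
    def _css_hidden(attrs):
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            return True
        if "hidden" in attrs:                       # bare `hidden` attribute
            return True
        return (attrs.get("aria-hidden") or "").lower() == "true"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # a field is invisible if it, or any open ancestor, is hidden by CSS
        hidden = self._css_hidden(a) or any(h for _, h in self.open_tags)
        if tag in ("input", "textarea", "select"):
            self.fields.append(self._classify(tag, a, hidden))
        if tag not in VOID_TAGS:
            self.open_tags.append((tag, hidden))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)            # <input .../> behaves like <input ...>
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        for idx in range(len(self.open_tags) - 1, -1, -1):
            if self.open_tags[idx][0] == tag:
                del self.open_tags[idx:]
                break

    @staticmethod
    def _classify(tag, a, hidden_by_css):
        itype = (a.get("type") or ("text" if tag == "input" else tag)).lower()
        if itype == "hidden":
            kind = "hidden"     # real hidden field: submit it, and consider tampering with it
        elif hidden_by_css or a.get("tabindex") == "-1":
            kind = "honeypot"   # a user could never fill this in: leave it out
        elif itype in ("submit", "button", "reset", "image"):
            kind = "control"
        else:
            kind = "visible"    # legitimate fuzz target
        return {"name": a.get("name") or "", "type": itype,
                "value": a.get("value") or "", "kind": kind}


def parse_form(html):
    p = FormFieldParser()
    p.feed(html)
    p.close()
    return p.fields


def build_submission(fields, payload, tamper=None):
    """One fuzz request body: payload in visible fields, hidden fields kept as
    served (optionally overridden via `tamper`), honeypots and buttons omitted."""
    data = {}
    for f in fields:
        if not f["name"]:
            continue
        if f["kind"] == "hidden":
            data[f["name"]] = f["value"]
        elif f["kind"] == "visible":
            data[f["name"]] = payload
    if tamper:
        data.update(tamper)
    return data


# Constructed sample form with two real hidden fields, two honeypots
# (one hidden by a parent div, one pushed off-screen) and three visible fields.
SAMPLE_FORM = """\
<form method="post" action="/signup">
  <input type="hidden" name="csrf_token" value="c0ffee">
  <input type="hidden" name="plan_id" value="3">
  <label>Email <input type="text" name="email"></label>
  <label>Name <input type="text" name="name"></label>
  <div style="display:none"><input type="text" name="website"></div>
  <input type="text" name="phone2" tabindex="-1" autocomplete="off"
         style="position:absolute; left:-9999px">
  <textarea name="bio"></textarea>
  <button type="submit">Sign up</button>
</form>
"""

if __name__ == "__main__":
    fields = parse_form(SAMPLE_FORM)
    for f in fields:
        print(f"{f['kind']:9} {f['name']}")
    print(build_submission(fields, "' OR 1=1--", tamper={"plan_id": "1"}))
```

The `tamper` argument is where the hidden-field testing described above happens: `plan_id` is exactly the kind of value the server may trust because "the user can't see it", and overriding it while leaving the CSRF token intact is a single, well-formed request rather than a blind spray that also fills in `website` and `phone2` and gets the whole session flagged.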