Page 151 - Hands-On Bug Hunting for Penetration Testers
Access Control and Security Through Obscurity Chapter 8
Error Messages
Just like we covered in the SQL, Code Injection, and Scanners chapter, where we discussed the
error-based SQL injection attack and how a determined attacker can often use public error
messages propagated up from the SQL DB to enumerate information, error messages can
leak data in other contexts. In application error logs, GUI error messages, API errors, and
other error vectors, everything from machine-level RSA keys to user info can be exposed.
Unmasking Hidden Content: How to Pull the Curtains Back
Exploring obfuscated, neglected, or otherwise exposed data is a critical exercise, both as
part of a site's opening reconnaissance and as a dedicated end in itself.
We'll cover a couple of different ways, some passive and some more active, that will help
you discover sensitive information that will win you a bounty payout.
Preliminary Code Analysis
It's a simple step, but walking through the page's source and being able to get a sense of the
code style and quality, framework, any extra connected services, and just a general feel for
the code base powering the app is essential, and can lead to surprising finds.
Using Burp to Uncover Hidden Fields
There are two ways to use Burp to discover hidden input fields: one is easy, the other
absurdly easy.
The first way is to examine any HTTP traffic generated by forms to ensure you catch any
information being passed that wasn't available in the GUI.
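The first method can also be done by hand against a saved page or captured response. The following is an added example, not code from the book: a small Python parser that lists every hidden input in a form, so you can compare what the form submits with what the GUI shows, and flags hidden fields whose names suggest the server is trusting a client-side value (the name fragments and the sample HTML are constructed for illustration).

```python
from html.parser import HTMLParser


class HiddenFieldFinder(HTMLParser):
    """Collect every <input type="hidden"> with the action of its enclosing form."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.hidden = []  # list of (form_action, field_name, field_value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lower-cased by HTMLParser
        if tag == "form":
            self.current_form = a.get("action", "")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((self.current_form, a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def find_hidden_fields(html):
    """Return all hidden inputs in the page as (form_action, name, value) tuples."""
    parser = HiddenFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden


# Illustrative (not exhaustive) name fragments worth a second look: hidden fields
# carrying prices, roles or identities are server-side decisions that the server
# must re-derive and validate rather than trust from the client.
SUSPECT_FRAGMENTS = ("price", "role", "admin", "user_id", "userid", "discount", "debug")


def flag_suspicious(fields):
    """Keep only hidden fields whose name contains one of the suspect fragments."""
    return [f for f in fields if any(s in f[1].lower() for s in SUSPECT_FRAGMENTS)]


# Constructed sample page: one checkout form with three hidden inputs and one visible one.
SAMPLE_HTML = """
<form action="/checkout" method="post">
  <input type="hidden" name="csrf_token" value="c0nstructed-t0ken">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="user_id" value="1042" />
  <label>Quantity <input type="text" name="qty" value="1"></label>
  <button type="submit">Buy</button>
</form>
"""

if __name__ == "__main__":
    for action, name, value in flag_suspicious(find_hidden_fields(SAMPLE_HTML)):
        print(f"{action}: hidden field {name!r} = {value!r}")
```

The CSRF token is a legitimate hidden field and is not flagged; the price and user ID are, because a server that honours them as submitted is making an access-control or business-logic decision on client-controlled input.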
The other (easier) way is a simple configuration setting in the Options pane within the
Proxy tab: