Page 157 - Hands-On Bug Hunting for Penetration Testers
Access Control and Security Through Obscurity Chapter 8
Instructions to reproduce: Simple enough. Navigate to the affected page and
look at its source.
Attack scenario: For our attack scenario, it's important to prove the danger the
data poses in the wrong hands. In this case, it's clear. Exposing sensitive financial
information along with his SSN puts the CEO at a clear risk of cyberattack and
identity theft.
Final Report
Let's use this information to format our submission:
Category: Data leak of sensitive employee data.
Time: 2017-03-25 17:27 (17:27) UTC.
URL: http://localhost/WebGoat/start.mvc#lesson/ClientSideFiltering.lesson
Methodology: Vulnerability detected after inspecting the source code of the
affected page.
Instructions to reproduce:
1. Navigate to the affected URL
2. Inspect the page's source code
Attack scenario: With access to the CEO's and other privileged employees'
personal information, an attacker could steal those individuals' identities, engage
in spear-phishing campaigns to compromise company resources, and generally
wreak havoc with the financial health of both the company and its employees.
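As an added example that is not part of the book, the following Python script automates the "inspect the page's source" step from the report above from the defender's side: it parses an HTML response and flags SSN-shaped values that are present in the source but hidden from view, which is exactly the client-side filtering leak this report describes. The sample HTML, the employee names and the SSN pattern are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page mimicking a client-side-filtered employee table:
# every row is sent to the browser and the "other" rows are merely hidden.
SAMPLE_HTML = """
<table id="employees">
  <tr><th>Name</th><th>SSN</th><th>Salary</th></tr>
  <tr><td>A. Employee (you)</td><td>***-**-1234</td><td>60000</td></tr>
  <tr style="display: none"><td>B. Manager</td><td>555-55-5555</td><td>250000</td></tr>
  <tr hidden><td>C. Executive</td><td>444-44-4444</td><td>900000</td></tr>
</table>
<input type="hidden" name="ceo_ssn" value="123-45-6789">
"""

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")             # crude US SSN shape
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}  # never get an end tag


class HiddenContentParser(HTMLParser):
    """Collects text the browser receives but does not display."""
    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: is it hidden?
        self.depth = 0           # number of hidden ancestors at the cursor
        self.hidden_text = []    # text nodes inside hidden elements
        self.hidden_inputs = []  # values of <input type="hidden">

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if tag == "input" and a.get("type") == "hidden" and a.get("value"):
            self.hidden_inputs.append(a["value"])
        if tag in VOID_TAGS:
            return  # no matching end tag, so do not push onto the stack
        hidden = "display:none" in style or "hidden" in a
        self.stack.append(hidden)
        self.depth += hidden

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.depth -= self.stack.pop()

    def handle_data(self, data):
        if self.depth and data.strip():
            self.hidden_text.append(data.strip())


def find_hidden_sensitive_data(html):
    """Return (location, value) pairs for SSN-shaped values that reach the
    client but are only hidden by markup, i.e. filtered on the client side."""
    p = HiddenContentParser()
    p.feed(html)
    p.close()
    found = [("hidden-element", m) for t in p.hidden_text for m in SSN_RE.findall(t)]
    found += [("hidden-input", m) for v in p.hidden_inputs for m in SSN_RE.findall(v)]
    return found
```

Run against the sample it reports the two hidden rows and the hidden input, while the masked value in the visible row is left alone; pointing it at a real response body (e.g. saved from Burp) makes it a quick regression check for this class of leak.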
Summary
In this chapter, you've learned about the deficiency (and sometimes validity) of security by
obscurity as a philosophy, how to unmask a site's hidden content with Burp and other
tools, how to distinguish between different types of sensitive information, a rough guide to
information that doesn't merit a bounty payout, and taking a data leak vulnerability from
discovery to report formatting and submission. You should now feel prepared to
incorporate at least basic hidden content discovery methods into your pentesting regimen.