Page 205 - Hands-On Bug Hunting for Penetration Testers
Other (Out of Scope) Vulnerabilities Chapter 12
Non-Critical Data Leaks - What Companies Don't Care About
In Chapter , Access Control and Security Through Obscurity, as part of our discussion about
access control, security by obscurity, and data leakage, we briefly covered different types of
data that companies weren't interested in rewarding: usernames, descriptive-but-not-sensitive
error messages, different kinds of error codes, and so on.
Here are some other, specific examples of information that security researchers often
report, but that companies very rarely pay for.
Emails
Emails are an item of information many people try to deny to bots and automated agents
crawling their site. One typical strategy is encoding email links as HTML entities to make
them harder to collect. That means you can hide an email such
as nessus@generalproducts.biz as the following entity code:
nessus@generalproducts.biz
Unless the crawler is expecting to detect and decode entities as part of its scraping process,
this little obfuscation trick can be surprisingly effective.
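The following is an added example, not code from the book. It shows how a site owner can check which addresses in their markup are shielded only by entity encoding: a pattern match on the raw markup misses them, while a single standard-library decode recovers them. The function names, the decimal `&#NNN;` entity form, and the sample page are assumptions constructed for illustration.

```python
import html
import re

# Simple address pattern of the kind a naive harvester matches on.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def entity_encode(text: str) -> str:
    """Encode every character as a decimal HTML entity (&#NNN;)."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def find_raw(markup: str) -> list[str]:
    """Addresses visible to a crawler that only matches on raw markup."""
    return EMAIL_RE.findall(markup)


def find_decoded(markup: str) -> list[str]:
    """Addresses visible once entities are decoded, as a browser would do."""
    return EMAIL_RE.findall(html.unescape(markup))


def exposure_report(markup: str) -> dict[str, list[str]]:
    """Split addresses into plainly visible ones and entity-hidden ones."""
    raw = set(find_raw(markup))
    decoded = set(find_decoded(markup))
    return {"plain": sorted(raw), "entity_only": sorted(decoded - raw)}


# Constructed sample page: one plain address, one entity-encoded address.
ADDRESS = "nessus@generalproducts.biz"
ENCODED = entity_encode(ADDRESS)
SAMPLE_PAGE = (
    '<p>Help: <a href="mailto:support@company.com">support@company.com</a></p>\n'
    f'<p>Contact: <a href="mailto:{ENCODED}">{ENCODED}</a></p>'
)

if __name__ == "__main__":
    print(ENCODED[:42] + "...")          # start of the entity-encoded form
    print(exposure_report(SAMPLE_PAGE))  # which addresses rely on encoding
```

Anything listed under `entity_only` is protected by nothing more than the crawler not decoding entities, so it should be treated as public.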
But if an email is exposed on a company site, it's usually meant to be a public-facing handle.
Submitting a bug report about support@company.com, or even one based on having deduced
that the employee email naming convention is something like
lastname.firstname@company.com, doesn't meet the standard for a payout.
There are too many extra steps beyond simply enumerating a company's email username
registry before the disclosure becomes a vulnerability.
HTTP Request Banners
HTTP banners are an integral part of the protocol that stitches the entire web together.
Common services might be privy to many different types of devices, and their banners can
include encoding data, device information, general information about the nature of the HTTP
request, and other data.

