Boss: "CEO of $customer wants $feature now activated. Talk to $being for the other side of the API."
Me: *Activates, finds bugs, fixes them, finally activates*
Me via mail to $being: "I seem to have the wrong API URL. Got a 404."
$being: "Do you have the auth headers enabled?"
Me: *checks, sees they are disabled, tests it, 404*
Me: "Still nothing." *Goes home, weekend*

I heard that the people before $being took over did some weird shit, including that they sent a 404 when the key/secret pair is wrong. It seems to be a leftover. *shrugs*

  • 0
    Security through obscurity, though I never totally liked it as a developer
  • 0
    @asgs Is it tho? You could measure average response times when enumerating with, for example, dirbuster.
    And most likely you'd see the request being sent from burp or browser dev tools.
  • 0
    @impune-pl response times and 404? What's the relation?
  • 0
    @asgs The only reason to return 404 as a security measure I can think of is hiding it. But since the server has to check whether the request is valid, it takes more time to respond than it would for an endpoint that does not exist.
    That's why if you check average response times for an endpoint 'secured' this way and an endpoint that doesn't exist, you should be able to see a significant difference.
  • 0
    @impune-pl That's right, but that means the unauthorised user has access to either the access logs or the key to return a valid response. And this security through obscurity doesn't apply to such users, which is why I don't fully like it. It is only meant to deter script kiddies or lame bots.