{"type_of":"article","id":95907,"title":"What Security Through Obscurity Is, and Why It's Evil","description":"... and how you might be doing it.","readable_publish_date":"Mar 31 '19","slug":"what-security-through-obscurity-is-and-why-it-s-evil-47d5","path":"/ctrlshifti/what-security-through-obscurity-is-and-why-it-s-evil-47d5","url":"https://dev.to/ctrlshifti/what-security-through-obscurity-is-and-why-it-s-evil-47d5","comments_count":15,"public_reactions_count":128,"collection_id":null,"published_timestamp":"2019-03-31T07:17:08Z","language":null,"subforem_id":null,"positive_reactions_count":128,"cover_image":"https://media2.dev.to/dynamic/image/width=1000,height=420,fit=cover,gravity=auto,format=auto/https%3A%2F%2Fwww.explainhownow.com%2Fassets%2Fimages%2Fsecurity_through_obscurity_cover.png","social_image":"https://media2.dev.to/dynamic/image/width=1000,height=500,fit=cover,gravity=auto,format=auto/https%3A%2F%2Fwww.explainhownow.com%2Fassets%2Fimages%2Fsecurity_through_obscurity_cover.png","canonical_url":"https://www.explainhownow.com/2019/security-through-obscurity/","created_at":"2019-03-31T07:17:08Z","edited_at":"2019-03-31T07:47:27Z","crossposted_at":null,"published_at":"2019-03-31T07:17:08Z","last_comment_at":"2019-04-08T01:32:32Z","reading_time_minutes":5,"tag_list":"security, beginners, webappsecurity, webdev","tags":["security","beginners","webappsecurity","webdev"],"body_html":"\u003cp\u003eThis article is an explanation of what security through obscurity is, why it's terrible if it's your only defense, and some ways in which you might be using it in your webapps. 
If you do pentesting, this will give you some tips on where to look in webapps to find examples of poor security you can exploit.\u003cbr\u003e\n\u003c/p\u003e\n\u003cbr\u003e\n\u003cem\u003eTarget audience:\u003c/em\u003e\n\n\u003cul\u003e\n\u003cli\u003e\u003cem\u003eWebapp developer, or\u003c/em\u003e\u003c/li\u003e\n\u003cli\u003e\n\u003cem\u003eBeginner pentester\u003c/em\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cbr\u003e\n\n\n\u003ch3\u003eWhat is Security Through Obscurity?\u003c/h3\u003e\n\n\u003cp\u003eSecurity through obscurity is the reliance on secrecy and confusing attackers instead of building proper controls to keep them out.\u003c/p\u003e\n\n\u003cp\u003eLet's take a real-world example.\u003c/p\u003e\n\n\u003cp\u003eSay you're a teenager again, and you've got a particular folder of files that you'd rather your parents don't find. You know the kind.\u003c/p\u003e\n\n\u003cp\u003eYou probably hid this folder behind a whole bunch of other folders and named it something boring. And you might have felt very confident knowing that there's no reason your parents would ever look in the \"homework\" directory. \u003c/p\u003e\n\n\u003cp\u003eThis would be security through obscurity. It might work for a while, but the moment anyone checks the \"Frequent Files\" section of Windows Explorer, your secret's out. A much better bet would have been to password protect your files.\u003c/p\u003e\n\n\u003cp\u003eIn computing, security through obscurity is used more commonly than you'd expect. Here are some of the most harmful examples of security through obscurity I've seen. \u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003ch3\u003eReliance on Robots.txt\u003c/h3\u003e\n\n\u003cp\u003eRobots.txt is a file located at the root of your domain, e.g., \u003ccode\u003emywebsite.com/robots.txt\u003c/code\u003e. Robots.txt is used to tell search engines such as Google not to crawl certain sections of your website. 
A robots.txt might look something like this:\u003cbr\u003e\n\u003c/p\u003e\n\n\u003cdiv class=\"highlight js-code-highlight\"\u003e\n\u003cpre class=\"highlight plaintext\"\u003e\u003ccode\u003eUser-agent: *\nDisallow: /super-secret-passwords/\nDisallow: /secret-admin-access-panel/\n\u003c/code\u003e\u003c/pre\u003e\n\u003c/div\u003e\n\n\n\n\u003cp\u003eAll this does is prevent Google from crawling those pages! It doesn't ward away hackers. Checking for a robots.txt file is one of the first things a malicious person might do - and where do you think they're going next when they see you've told Google not to crawl \"super-secret-passwords/\"?\u003c/p\u003e\n\n\u003cp\u003eInstead, if you want a page to not show up in results, add a \u003ca href=\"https://support.google.com/webmasters/answer/93710?hl=en\" target=\"_blank\" rel=\"noopener noreferrer\"\u003enoindex metatag\u003c/a\u003e to the page. Better yet, if anyone other than you shouldn't see a page, make sure it's behind a secure login page. 
Also consider IP-restricting it if you don't move around too much.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003ch3\u003eHiding Common Wordpress Files\u003c/h3\u003e\n\n\u003cp\u003eSome Wordpress websites try to conceal the fact that they're running Wordpress. Common ways of doing this include removing Wordpress' \u003cem\u003ereadme.html\u003c/em\u003e file and renaming folders such as \u003cem\u003ewp-admin\u003c/em\u003e.\u003c/p\u003e\n\n\u003cp\u003eWhile these might deter a novice attacker, any hacker worth their internet connection will be able to figure out that you're running Wordpress by checking your CSS. \u003c/p\u003e\n\n\u003cp\u003eThe alternative? Honestly, don't bother too much. Hiding the fact that you're using Wordpress isn't as important as just keeping your Wordpress and plugins updated. If you have a Wordpress website, try running \u003ca href=\"https://github.com/wpscanteam/wpscan\" target=\"_blank\" rel=\"noopener noreferrer\"\u003ewpscan\u003c/a\u003e on it to see if there are any glaring vulnerabilities you should fix.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003ch3\u003eHiding Insecure Code in Subdomains\u003c/h3\u003e\n\n\u003cp\u003eSay there's a part of your website that you want to hide - maybe some insecure code that you still need to test, or some admin controls. One of the ways you might do this is stowing it away in a subdomain.\u003c/p\u003e\n\n\u003cp\u003eThis is fine, as long as it \u003cem\u003eisn't your only method of security\u003c/em\u003e. If the subdomain requires a secure login and is IP-restricted, you're a-okay. But just putting your insecure code behind a random subdomain with no other controls is a terrible idea. 
\u003ca href=\"https://www.explainhownow.com/2019/how-to-find-subdomains/\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eI explain why in this post\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003ch3\u003eRolling Your Own Crypto\u003c/h3\u003e\n\n\u003cp\u003eSurely, \u003ca href=\"https://www.google.com/search?client=firefox-b-d\u0026amp;q=lindy+effect\" target=\"_blank\" rel=\"noopener noreferrer\"\u003egiven how long all those other hashing algorithms have been around for\u003c/a\u003e, they must be insecure by now, right? Maybe it's better to make your own.\u003c/p\u003e\n\n\u003cp\u003eNo.\u003c/p\u003e\n\n\u003cp\u003eNo, no no no.\u003c/p\u003e\n\n\u003cp\u003eNo no no.\u003cbr\u003e\n\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\n\u003ca href=\"https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.explainhownow.com%2Fassets%2Fimages%2Frolling_crypto.png\" class=\"article-body-image-wrapper\"\u003e\u003cimg src=\"https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.explainhownow.com%2Fassets%2Fimages%2Frolling_crypto.png\" alt=\"rolling your own crypto image\" loading=\"lazy\"\u003e\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cp\u003eUnless you SERIOUSLY know what you're doing, don't try to make your own encryption or hashing algorithm. The current popular algorithms have been properly vetted by the security community and are \u003cem\u003emuch\u003c/em\u003e more secure than anything you could make on your own. If you make your own algorithm, it's likely to contain serious mistakes that you might be overlooking. 
Please, just don't.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003ch3\u003eRelying on Obscure Database Names\u003c/h3\u003e\n\n\u003cp\u003eSure, maybe renaming your \"User\" SQL database column to something more esoteric will make it a little bit harder for attackers to perform \u003ca href=\"https://www.incapsula.com/web-application-security/sql-injection.html\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eSQLi\u003c/a\u003e. But if SQLi is possible on your site, \u003cem\u003efixing the vulnerability\u003c/em\u003e should be your main concern. \u003c/p\u003e\n\n\u003cp\u003eIf you're not sure whether or not your site is vulnerable to SQLi, check out \u003ca href=\"https://github.com/sqlmapproject/sqlmap\" target=\"_blank\" rel=\"noopener noreferrer\"\u003esqlmap\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003ch3\u003eSecret Parameters\u003c/h3\u003e\n\n\u003cp\u003eThis is one of my favorites because of how often \u003ca href=\"https://www.youtube.com/watch?v=8ev9ZX9J45A\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eCTFs\u003c/a\u003e use it, but it also occurs in the real world.\u003c/p\u003e\n\n\u003cp\u003eSay you've got \u003ccode\u003ehttp://mywebsite.com/normalpage\u003c/code\u003e, but when you navigate to \u003ccode\u003ehttp://mywebsite.com/normalpage?admin=true\u003c/code\u003e, admin access is enabled. \u003c/p\u003e\n\n\u003cp\u003eAn average user might not try to add the admin parameter, but any half-decent hacker with a fuzzing tool will find it in minutes. Using secret parameters to control access to hidden content is a bad idea.\u003c/p\u003e\n\n\u003cp\u003eOf course, \"admin\" isn't such a secret word. What if the control parameter was instead something like \u003ccode\u003ehttp://mywebsite.com/normalpage?230j7x9832nnc=true\u003c/code\u003e?\u003c/p\u003e\n\n\u003cp\u003eNow it's pretty much the same as having a password, right? Nope. 
The main issue you're facing now is that if your page links to anywhere else, your secret parameter has a chance of showing up in the \u003cem\u003eReferer\u003c/em\u003e header, which wouldn't have been an issue if you had just implemented a standard login panel.\u003c/p\u003e\n\n\u003cp\u003eIf you \u003cem\u003emust\u003c/em\u003e do this, for whatever reason, consider moving the parameter into the body of a POST request instead.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003ch3\u003eAn Aside\u003c/h3\u003e\n\n\u003cp\u003eOf course, obscurity certainly has its place in webapp design. It's perfectly reasonable to put sensitive code on a subdomain or remove references to your backend. The key consideration is that this should \u003cem\u003enot\u003c/em\u003e be your only line of defense.\u003c/p\u003e\n\n\u003cp\u003eYou can ensure you're using obscurity appropriately by also implementing standard access controls, and just generally following best security practices. Remember: if the only thing between you and the hacker is obscurity, then the only thing between the hacker and you is time.\u003c/p\u003e\n\n\u003cp\u003eIf you're interested in upping your security skills, check out my other post on \u003ca href=\"https://www.explainhownow.com/2019/learn-penetration-testing/\" target=\"_blank\" rel=\"noopener noreferrer\"\u003ehow to get into penetration testing\u003c/a\u003e.\u003c/p\u003e\n\n\u003cp\u003eHappy hacking!\u003c/p\u003e\n\n\u003cp\u003e\u003cem\u003eThis post was originally published on \u003ca href=\"https://www.explainhownow.com/\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eexplainhownow.com\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\n","body_markdown":"---\r\ntitle: What Security Through Obscurity Is, and Why It's Evil\r\npublished: true\r\ndescription: ... 
and how you might be doing it.\r\ntags: security, beginners, webappsecurity, webdev\r\ncanonical_url: https://www.explainhownow.com/2019/security-through-obscurity/\r\ncover_image: https://www.explainhownow.com/assets/images/security_through_obscurity_cover.png\r\n---\r\n\r\nThis article is an explanation of what security through obscurity is, why it's terrible if it's your only defense, and some ways in which you might be using it in your webapps. If you do pentesting, this will give you some tips on where to look in webapps to find examples of poor security you can exploit.\r\n\u003cdiv\u003e\r\n_Target audience:_\r\n* _Webapp developer, or_\r\n* _Beginner pentester_\r\n\u003c/div\u003e\u003cbr\u003e\r\n\r\n\u003ch3\u003eWhat is Security Through Obscurity?\u003c/h3\u003e\r\n\r\nSecurity through obscurity is the reliance on secrecy and confusing attackers instead of building proper controls to keep them out.\r\n\r\nLet's take a real-world example.\r\n\r\nSay you're a teenager again, and you've got a particular folder of files that you'd rather your parents don't find. You know the kind.\r\n\r\nYou probably hid this folder behind a whole bunch of other folders and named it something boring. And you might have felt very confident knowing that there's no reason your parents would ever look in the \"homework\" directory. \r\n\r\nThis would be security through obscurity. It might work for a while, but the moment anyone checks the \"Frequent Files\" section of Windows Explorer, your secret's out. A much better bet would have been to password protect your files.\r\n\r\nIn computing, security through obscurity is used more commonly than you'd expect. Here are some of the most harmful examples of security through obscurity I've seen. \u003cbr\u003e\u003cbr\u003e\r\n\r\n\u003ch3\u003eReliance on Robots.txt\u003c/h3\u003e\r\nRobots.txt is a file located at the root of your domain, e.g., `mywebsite.com/robots.txt`. 
Robots.txt is used to tell search engines such as Google not to crawl certain sections of your website. A robots.txt might look something like this:\r\n\r\n```\r\nUser-agent: *\r\nDisallow: /super-secret-passwords/\r\nDisallow: /secret-admin-access-panel/\r\n```\r\n\r\nAll this does is prevent Google from crawling those pages! It doesn't ward away hackers. Checking for a robots.txt file is one of the first things a malicious person might do - and where do you think they're going next when they see you've told Google not to crawl \"super-secret-passwords/\"?\r\n\r\nInstead, if you want a page to not show up in results, add a [noindex metatag](https://support.google.com/webmasters/answer/93710?hl=en) to the page. Better yet, if anyone other than you shouldn't see a page, make sure it's behind a secure login page. Also consider IP-restricting it if you don't move around too much.\u003cbr\u003e\u003cbr\u003e\r\n\r\n\u003ch3\u003eHiding Common Wordpress Files\u003c/h3\u003e\r\nSome Wordpress websites try to conceal the fact that they're running Wordpress. Common ways of doing this include removing Wordpress' _readme.html_ file and renaming folders such as _wp-admin_.\r\n\r\nWhile these might deter a novice attacker, any hacker worth their internet connection will be able to figure out that you're running Wordpress by checking your CSS. \r\n\r\nThe alternative? Honestly, don't bother too much. Hiding the fact that you're using Wordpress isn't as important as just keeping your Wordpress and plugins updated. If you have a Wordpress website, try running [wpscan](https://github.com/wpscanteam/wpscan) on it to see if there are any glaring vulnerabilities you should fix.\u003cbr\u003e\u003cbr\u003e\r\n\r\n\u003ch3\u003eHiding Insecure Code in Subdomains\u003c/h3\u003e\r\nSay there's a part of your website that you want to hide - maybe some insecure code that you still need to test, or some admin controls. 
One of the ways you might do this is stowing it away in a subdomain.\r\n\r\nThis is fine, as long as it _isn't your only method of security_. If the subdomain requires a secure login and is IP-restricted, you're a-okay. But just putting your insecure code behind a random subdomain with no other controls is a terrible idea. [I explain why in this post](https://www.explainhownow.com/2019/how-to-find-subdomains/).\u003cbr\u003e\u003cbr\u003e\r\n\r\n\u003ch3\u003eRolling Your Own Crypto\u003c/h3\u003e\r\nSurely, [given how long all those other hashing algorithms have been around for](https://www.google.com/search?client=firefox-b-d\u0026q=lindy+effect), they must be insecure by now, right? Maybe it's better to make your own.\r\n\r\nNo.\r\n\r\nNo, no no no.\r\n\r\nNo no no.\r\n\u003cbr\u003e\u003cbr\u003e\r\n![rolling your own crypto image](https://www.explainhownow.com/assets/images/rolling_crypto.png)\u003cbr\u003e\r\n\r\nUnless you SERIOUSLY know what you're doing, don't try to make your own encryption or hashing algorithm. The current popular algorithms have been properly vetted by the security community and are _much_ more secure than anything you could make on your own. If you make your own algorithm, it's likely to contain serious mistakes that you might be overlooking. Please, just don't.\u003cbr\u003e\u003cbr\u003e\r\n\r\n\u003ch3\u003eRelying on Obscure Database Names\u003c/h3\u003e\r\nSure, maybe renaming your \"User\" SQL database column to something more esoteric will make it a little bit harder for attackers to perform [SQLi](https://www.incapsula.com/web-application-security/sql-injection.html). But if SQLi is possible on your site, _fixing the vulnerability_ should be your main concern. 
\r\n\r\nIf you're not sure whether or not your site is vulnerable to SQLi, check out [sqlmap](https://github.com/sqlmapproject/sqlmap).\u003cbr\u003e\u003cbr\u003e\r\n\r\n\u003ch3\u003eSecret Parameters\u003c/h3\u003e\r\nThis is one of my favorites because of how often [CTFs](https://www.youtube.com/watch?v=8ev9ZX9J45A) use it, but it also occurs in the real world.\r\n\r\nSay you've got `http://mywebsite.com/normalpage`, but when you navigate to `http://mywebsite.com/normalpage?admin=true`, admin access is enabled. \r\n\r\nAn average user might not try to add the admin parameter, but any half-decent hacker with a fuzzing tool will find it in minutes. Using secret parameters to control access to hidden content is a bad idea.\r\n\r\nOf course, \"admin\" isn't such a secret word. What if the control parameter was instead something like `http://mywebsite.com/normalpage?230j7x9832nnc=true`?\r\n\r\nNow it's pretty much the same as having a password, right? Nope. The main issue you're facing now is that if your page links to anywhere else, your secret parameter has a chance of showing up in the _Referer_ header, which wouldn't have been an issue if you had just implemented a standard login panel.\r\n\r\nIf you _must_ do this, for whatever reason, consider moving the parameter into the body of a POST request instead.\u003cbr\u003e\u003cbr\u003e\r\n\r\n\u003ch3\u003eAn Aside\u003c/h3\u003e\r\nOf course, obscurity certainly has its place in webapp design. It's perfectly reasonable to put sensitive code on a subdomain or remove references to your backend. The key consideration is that this should _not_ be your only line of defense.\r\n\r\nYou can ensure you're using obscurity appropriately by also implementing standard access controls, and just generally following best security practices. 
Remember: if the only thing between you and the hacker is obscurity, then the only thing between the hacker and you is time.\r\n\r\nIf you're interested in upping your security skills, check out my other post on [how to get into penetration testing](https://www.explainhownow.com/2019/learn-penetration-testing/).\r\n\r\nHappy hacking!\r\n\r\n\r\n_This post was originally published on [explainhownow.com](https://www.explainhownow.com/)_","user":{"name":"Kat Maddox","username":"ctrlshifti","twitter_username":"ctrlshifti","github_username":null,"user_id":143888,"website_url":"https://www.codemopolitan.com","profile_image":"https://media2.dev.to/dynamic/image/width=640,height=640,fit=cover,gravity=auto,format=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F143888%2Fd0e058df-a9ea-4518-871c-c6ebced55159.jpg","profile_image_90":"https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F143888%2Fd0e058df-a9ea-4518-871c-c6ebced55159.jpg"}}