And why did you assume the magic number would be in the source code? Maybe it is stored in .htpasswd.
Mr_Gibbons
@Mr_Gibbons
Latest posts made by Mr_Gibbons
RE: Obscure URL == key?
If you have the source code, you have the key (though that can still be argued); if you get a packet capture session or an admin's web history, you get the key too, which is no different from the number in the URL being replaced by a key passed in the URL :)
As I said, this discussion was purely academic :)
RE: Obscure URL == key?
I have just learned that this forum software works in a very unconventional way.
Obscure URL == key?
Maybe it is too academic, but one might argue that an obscure URL like url?admin=3310 is not security by obscurity.
If you have to guess the correct value by trying 3301, 3302, ..., how is it different from, say, brute-forcing a DES key?
It is also a key, just with a much smaller keyspace, hence a URL with a secret ID is not security by obscurity. Though it still doesn't change the fact that the whole scheme is piss-poor.
OTOH, url/controlpanel.php?loggedin is security by obscurity.
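The keyspace argument in the post above, worked through as an added example (this is not code from the thread or from any forum participant). It models the `url?admin=3310` endpoint as a check function, runs the `3301, 3302, ...` enumeration against it, and puts the bit counts side by side: a 4-digit decimal ID is a roughly 13.3-bit key, DES is 56 bits, and a random 16-byte URL-safe token is 128 bits while still being "a key passed in the URL". The secret value 3310, the 4-digit width and the `example.invalid` host are constructed assumptions for illustration.

```python
"""Added example (not from the forum thread): treat the numeric ID in
url?admin=3310 as a key and measure its keyspace against brute force.
The server-side check, the secret value 3310 and the 4-digit range are
constructed assumptions for illustration."""
import hmac
import math
import secrets
from urllib.parse import parse_qs, urlparse


def make_checker(secret: str):
    """Return a function that plays the guessable endpoint: access is granted
    when the 'admin' query parameter equals the secret. hmac.compare_digest is
    used so the comparison itself does not leak the secret through timing."""
    def is_admin(url: str) -> bool:
        supplied = parse_qs(urlparse(url).query).get("admin", [""])[0]
        return hmac.compare_digest(supplied.encode(), secret.encode())
    return is_admin


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly chosen key of fixed length: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


def brute_force(is_admin, base_url: str, digits: int):
    """Enumerate every value of a fixed-width decimal ID, i.e. the
    '3301, 3302, ...' attack from the post. Returns (value_found, attempts)."""
    attempts = 0
    for candidate in range(10 ** digits):
        attempts += 1
        value = f"{candidate:0{digits}d}"
        if is_admin(f"{base_url}?admin={value}"):
            return value, attempts
    return None, attempts


def compare_keyspaces() -> dict:
    """Bits of work for the small numeric key versus two real keys. A
    secrets.token_urlsafe(16) value is 128 random bits: still 'a key in the
    URL', but no longer enumerable the way a 4-digit ID is."""
    return {
        "4_digit_id_bits": round(keyspace_bits(10, 4), 1),
        "des_key_bits": 56.0,
        "token_urlsafe16_bits": 128.0,
    }


if __name__ == "__main__":
    check = make_checker("3310")  # constructed secret
    print(brute_force(check, "http://example.invalid/url", 4))
    print(compare_keyspaces())
    # What the same scheme looks like with a real keyspace:
    print("http://example.invalid/url?admin=" + secrets.token_urlsafe(16))
```

Running it finds the ID after 3311 requests, which is the whole point of the post: the scheme is a key check, just one whose keyspace a single attacker can exhaust in seconds, so calling it "security by obscurity" misdescribes the failure. The token line shows the same URL shape with enough entropy that enumeration stops being an option (the other leak paths the thread mentions, packet captures and browser history, are unaffected by the longer key).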