Insecurity by Leak

But whilst security by obscurity is an exercise in self-delusion, the reverse is not the case. Unintended information disclosure can be of real value to an attacker, and can make your system unnecessarily vulnerable. Ryan Barnett in his book Preventing Web Attacks with Apache describes an exercise in gaining unauthorised access to a "buggy bank" system. The very first step in his attack is to find information about the system he is attacking, using a comment in the "HTML" generated:

</BODY><!-- The source code for the old sign-on CGI is at /backup/login.cgi.bak --><img

(ouch! That line alone, emitting markup after </BODY>, should tell the knowledgeable user that buggybank is utterly incompetent, never mind the comment!).

Having seen that line, he downloads the backup script and finds exploitable bugs in it. When he tries the exploits against the live sign-on script, some of the bugs are still there.
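As an added illustration (not from Barnett's book or from this page), here is a small Python check a site owner can run over a served page to flag the two things that line exposes: comments that name backup or source files, and markup emitted after </BODY>. The sample page, its comment text and the path in it are constructed for the example.

```python
import re

# Constructed sample response body, modelled on the buggy-bank page
# described above. The path and comment wording are illustrative.
SAMPLE_HTML = """<html><body><h1>Sign on</h1>
<!-- layout table -->
</BODY><!-- The source code for the old sign-on CGI is at /backup/login.cgi.bak --><img src="x.gif">
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A comment that points at a backup, source or config copy on the server is
# exactly the kind of leak an attacker hunts for first.
SENSITIVE_RE = re.compile(
    r"/\S+\.(?:bak|old|orig|save|swp|inc|sql|tar|gz|zip)\b"
    r"|\b(?:password|passwd|backup|source code)\b",
    re.IGNORECASE,
)
BODY_END_RE = re.compile(r"</body>", re.IGNORECASE)


def find_leaky_comments(html):
    """Return the text of each HTML comment that looks like it leaks internal detail."""
    findings = []
    for match in COMMENT_RE.finditer(html):
        text = " ".join(match.group(1).split())  # normalise whitespace
        if SENSITIVE_RE.search(text):
            findings.append(text)
    return findings


def content_after_body(html):
    """Return any markup emitted after </BODY>: a sign of a broken page generator."""
    match = BODY_END_RE.search(html)
    if match is None:
        return ""
    return html[match.end():].strip()


def audit(html):
    """Combine both checks into one report for a fetched page body."""
    return {
        "leaky_comments": find_leaky_comments(html),
        "after_body": content_after_body(html),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HTML).items():
        print(key, "->", value)
```

In practice you would feed the body of a real HTTP response into audit() and treat any non-empty result as something to fix before an attacker reads it.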