Thinking about naming rules when architecture design or develop program.
A few years ago, when web hacking has been done, I have seen an irregular name given to prevent access to the web admin page by guessing.
It would have been over if set up an ACL.
Maybe they considered something more efficient at the time.
Anyway, as a hacker, it seems like it's easier to hack into them if there's a rule of regular hacking applied.
Naming rules are necessary for developers, but ... I think the IT Solutions or Android mobile hacking check items require obfuscation.
Is this possible on the web or db name?
Of course it will be more difficult to maintain or develop ...
If you apply the naming convention while hacking, you can find the manager page or analogy for key features. You may be able to make assumptions and use postings without the right to create or edit postings. In addition, if you are blocking a table (e.g., information_schema) for extracting the DB/Table/column list for SQL injection, you might be able to guess the table or column name and succeed. I'm more confident in organizing this post. Wouldn't it be easy to find the rest of the names known as referring to the Rainbow Table for password cracking or after finding the naming convention for a service name?
It occurred to me that sqlmap also has common-tables, common-columns. I think it's okay to keep a table like this for reference.
*reference URL : https://github.com/sqlmapproject/sqlmap/wiki/Usage
'Security' 카테고리의 다른 글
| Error trigger function note (0) | 2018.07.21 |
|---|---|
| Consideration on duplication parameters. (0) | 2018.07.20 |
| Consideration on security review (0) | 2018.07.18 |
| Latest jenkins Vulnerability Summary (0) | 2018.07.17 |
| Let’s learn for tunneling. (1) | 2018.07.16 |
