Testing the Security of Your Website – Part 2

Security Through Obscurity

“Security through obscurity” is when someone, instead of putting proper security measures in place, simply relies on the design of the system being too complicated (or so they think) to be guessed. The problem with security through obscurity is that you may think you are protected when in reality you are not.

A script that handles a form posted on a website, and that allows hackers to remotely configure the destination email address through an undocumented variable, is an example of security through obscurity. In this case, the developer trusts that just because the name of the variable is not written in the HTML code, no one will be able to guess it.

Another good example of security through obscurity would be moving the control panel of your website to a directory with a very unusual name and not using any login system on it, relying on the idea that since the name of the directory is too hard to guess, nobody will ever be able to locate and enter your control panel. The problem, once again, is feeling safe when in fact you are not.
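The two patterns described above, the form handler that honours an undocumented field and the control panel "protected" only by an odd directory name, are shown below next to the proper controls that replace them. This is an added example written for this page, not code from the original post; the field name `recipient`, the directory name, the addresses and the session tokens are all constructed.

```python
"""Added example: why security through obscurity fails, and what the
proper control looks like in each case. All names, paths, addresses and
tokens below are constructed for illustration."""

from typing import Optional

# --- 1. Form handler that trusts an undocumented field -------------------

SITE_OWNER = "owner@example.org"   # constructed: where the form should really go


def mail_target_obscure(post_fields: dict) -> str:
    """Vulnerable pattern from the post: the handler honours a 'recipient'
    field that simply is not present in the HTML form. Anyone who guesses
    the name (or reads it out of leaked server code) can redirect the mail."""
    return post_fields.get("recipient", SITE_OWNER)


def mail_target_fixed(post_fields: dict) -> str:
    """Hardened: the destination is server-side configuration only. The
    request body cannot influence it, whatever fields it carries."""
    return SITE_OWNER


# --- 2. Control panel hidden behind an unusual directory name ------------

ADMIN_PREFIX = "/x7q_hidden_panel/"   # constructed: an "unguessable" directory

# Minimal session store mapping session token -> role (constructed values)
SESSIONS = {"tok-admin-123": "admin", "tok-user-456": "user"}


def handle_obscure(path: str, session_token: Optional[str]) -> int:
    """Vulnerable pattern: the only 'protection' is that the path is odd.
    Returns an HTTP status code."""
    if path.startswith(ADMIN_PREFIX):
        return 200            # anyone who knows the directory name is in
    return 404


def handle_fixed(path: str, session_token: Optional[str]) -> int:
    """Hardened: the admin area is gated by an authenticated session that
    carries the admin role. The directory name can be public; nothing changes."""
    if path.startswith(ADMIN_PREFIX):
        role = SESSIONS.get(session_token or "")
        if role is None:
            return 401        # not logged in
        if role != "admin":
            return 403        # logged in, but not authorised
        return 200
    return 404


if __name__ == "__main__":
    # A request carrying the undocumented field: only the obscure handler obeys it.
    req = {"name": "Visitor", "recipient": "someone-else@example.net"}
    print("obscure mail target:", mail_target_obscure(req))
    print("fixed   mail target:", mail_target_fixed(req))
    # The hidden panel with no session: the obscure handler lets the request in.
    print("obscure panel, no session:", handle_obscure(ADMIN_PREFIX, None))
    print("fixed   panel, no session:", handle_fixed(ADMIN_PREFIX, None))
```

The point of the comparison is that in both fixed versions the secret name stops mattering: the recipient is not read from the request at all, and the control panel checks who is asking rather than whether they knew the path. That is the property to look for when reviewing your own site, because a name that is merely hard to guess is still a single fact that can be guessed or leaked.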

You should analyze your website to see whether this concept has been used. Think like this: “Is there any part of my website that could be easily exploited if someone guesses the right name (a directory, the name of a variable, etc.)?”
