• BrianTheeBiscuiteer@lemmy.world
    link
    fedilink
    arrow-up
    2
    ·
    9 months ago

    Programmers have the source code right in front of them, hackers usually don’t. It’s quite amazing what they can do taking shots in the dark.

    • anti-idpol action@programming.dev
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      depends. Desktop code, sure, reverse engineering from assembly takes some time but some good dissasemblers might be able to produce some C skeleton to start from. Though you might get lucky just exploiting the supply chain of bloated open source with a hellton of vulnerabilities deps/infra like glibc, apache or sudo.

      But web code? Sure, minifiers exist but not every website uses them and even if their do, thanks to all the new stuff since ES5 you can for example spend way less time doing something like finding a Math.random() based, ergo cryptographically utterly broken PRNG.

      Or for example you can easily rule out whether the website uses header-to-cookie based CSRF protection by just checking the console on any authenticated write-like request. The rest could be automated with things like zaproxy or selenium/curl-impersonate/puppeteer scripts.

      • BrianTheeBiscuiteer@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        “Hacking” also has plenty of specialties like programming. When I think of hacking my first thought is remote, non-http services. Webservers are fair game for hacking but they’re also meant for public consumption so I’d guess monitoring is a bit more severe (not that companies don’t skimp on intrusion detection).