Obfuscation Isn’t a Fix, And It Cost Them $2,500 — A Real-World Case Study
Summary
A web application penetration test carried out by security consultant Jose Pagliery identified several critical vulnerabilities in one of his clients’ platforms.
Instead of fixing the flaws, the client's development and management teams opted to encrypt every HTTP request in the browser before it was sent, hoping that this would buy them time to address the problems properly.
Pagliery warned that encryption wouldn’t solve the issues and proposed a bet: if he could still exploit the vulnerabilities despite the encrypted requests, his client would pay him an additional $2,500.
He won the bet by setting a breakpoint in the browser's JavaScript to intercept the request, modifying parameters as required, and then extracting and replaying the resulting encrypted payloads. Because the encryption routine and its key necessarily run in the attacker's own browser, the encryption layer gave the server no assurance about who authored the plaintext or whether it had been tampered with; the server still trusted whatever the client sent.
The case shows that encrypting traffic between a client the attacker controls and the server is obscurity rather than a control: any key or routine shipped to the browser is available to the attacker, so server-side flaws must be fixed server-side instead of being hidden behind an extra layer.