1
00:00:00,330 --> 00:00:02,430
Minimum information principle.

2
00:00:03,850 --> 00:00:08,890
‫So let me tell you, there's an interesting belief out there in the development community that they

3
00:00:08,890 --> 00:00:13,510
‫explain everything about the application in detail.

4
00:00:15,230 --> 00:00:23,540
‫Now, it's not necessarily bad, but sometimes this really good behavior goes beyond its good intention.

5
00:00:24,790 --> 00:00:30,190
‫And that means that it provides some important information for a pen tester.

6
00:00:31,330 --> 00:00:38,920
So this kind of information sometimes can help us in, well, particularly vital situations. There

7
00:00:38,920 --> 00:00:41,740
‫may be different ways to get this kind of information.

8
00:00:42,510 --> 00:00:43,960
‫But I want to give you a few tips.

9
00:00:45,880 --> 00:00:52,540
‫So the first thing is to read just about all the HTML source files or at least write your own script

10
00:00:52,540 --> 00:01:00,430
to investigate the sources for certain special tags and words. You can find an HTML comment that

11
00:01:00,430 --> 00:01:06,190
‫contains any information about the back end of the applications, such as passwords, usernames.

12
00:01:06,310 --> 00:01:07,270
‫That's golden.

13
00:01:08,620 --> 00:01:10,360
‫Also, look through the help pages.

14
00:01:11,490 --> 00:01:15,240
‫Use the demo users if the application has one.

15
00:01:16,770 --> 00:01:23,610
Now, once, while testing an application, I could see an unauthenticated help document, which contained an

16
00:01:23,610 --> 00:01:25,200
‫administrative demo user.

17
00:01:25,950 --> 00:01:32,610
‫So it's these types of errors that are, well, decreasing constantly because companies are moving faster

18
00:01:32,610 --> 00:01:36,540
‫and faster to better deployment and better development environments.

19
00:01:37,480 --> 00:01:39,040
‫But that doesn't mean they're not out there.

20
00:01:40,350 --> 00:01:46,470
‫Also, there may be some error and warning directives that are helpful to the general users, such as

21
00:01:46,740 --> 00:01:48,540
"Your password is wrong."

22
00:01:49,640 --> 00:01:56,150
But for a pen tester, this means brute force the password, because you've already got some usernames,

23
00:01:56,150 --> 00:01:56,380
‫right?

24
00:01:57,690 --> 00:02:03,480
‫And sometimes errors are caused in the back end and those can be directly reflected to the user.

25
00:02:05,280 --> 00:02:08,820
And again, for a general user, it doesn't have any meaning.

26
00:02:10,030 --> 00:02:16,150
But a hacker or a pen tester is not the same as a general user.

27
00:02:17,740 --> 00:02:24,700
‫And then one last thing that I want to mention to you, sometimes we can observe all the information

28
00:02:24,700 --> 00:02:32,980
about all the employees on the website of the company. Seriously, all board members, employees, their

29
00:02:32,980 --> 00:02:38,830
phone numbers, names, emails, even way more info than that. And

30
00:02:40,040 --> 00:02:47,420
‫I'm not telling you that that's a vulnerability or you've got to hide this information, but I really

31
00:02:47,420 --> 00:02:50,760
‫think that it shouldn't be that easy to find anyone.

32
00:02:50,810 --> 00:02:55,010
It really does help for social engineering purposes.

