Gathering intelligence about your site/web application
The very first step when securing your web resources (website, web applications, Application Programming Interface (API), and so on) is to determine what kind of information is easily and freely available about them on the internet. If you wonder why you should do this, the response is very simple: because this is what attackers do first!
And believe it or not, there are thousands of web resources exposing sensitive data such as passwords, database users, sensitive documents, and so on.
Importance of public data gathering
- Public information can be used on a targeted social engineering attack (phishing, vishing, impersonation, and so on).
- Usernames can be used to execute targeted password attacks (dictionary attacks, brute-force attacks, and...