# Security through Obscurity

Many applications contain content which is not supposed to be publicly accessible. A properly implemented authorization model would ensure that only users *with appropriate permission* can access such content. If an application instead relies on the fact that the content is *not visible anywhere*, this is called "security through obscurity", which is a severe anti-pattern:

> In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.

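To make the contrast concrete, here is an added example (not from the original guide or the application it describes); the route tables, paths and role names are constructed for illustration. It serves the same unlinked page first without and then with a permission requirement, and includes a small audit that flags routes protected only by being unlinked.

```javascript
// Constructed route tables (hypothetical paths and roles, not the application's own).
// `linked` = reachable from the UI; `requires` = role needed, null = open to anyone.
const weakRoutes = [
  { path: '/products', linked: true, requires: null },
  { path: '/account', linked: true, requires: 'customer' },
  { path: '/unannounced-campaign', linked: false, requires: null }, // hidden only
];

// Same table after the fix: the unlinked page now demands a role.
const fixedRoutes = weakRoutes.map(r =>
  r.path === '/unannounced-campaign' ? { ...r, requires: 'staff' } : r);

// Returns the HTTP status a request would get. The decision depends on the
// caller's roles, never on whether the caller could have discovered the URL.
function handle(routes, path, user) {
  const route = routes.find(r => r.path === path);
  if (!route) return 404;
  if (route.requires === null) return 200;   // public by design
  if (!user) return 401;                     // not authenticated
  return user.roles.includes(route.requires) ? 200 : 403;
}

// Audit helper: routes whose only "protection" is that nothing links to them.
function obscurityOnly(routes) {
  return routes.filter(r => !r.linked && r.requires === null).map(r => r.path);
}

const anonymous = null;
const customer = { roles: ['customer'] };
const staff = { roles: ['staff'] };

// Weak table: anyone who learns or guesses the URL gets the page.
console.log('weak, anonymous  ->', handle(weakRoutes, '/unannounced-campaign', anonymous));
// Fixed table: the same request is refused unless the caller holds the role.
console.log('fixed, anonymous ->', handle(fixedRoutes, '/unannounced-campaign', anonymous));
console.log('fixed, customer  ->', handle(fixedRoutes, '/unannounced-campaign', customer));
console.log('fixed, staff     ->', handle(fixedRoutes, '/unannounced-campaign', staff));
// The audit lists what still relies on obscurity in each table.
console.log('audit weak  ->', obscurityOnly(weakRoutes));
console.log('audit fixed ->', obscurityOnly(fixedRoutes));
```
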
## Challenges covered in this chapter

| Challenge                                                        | Difficulty |
| ---------------------------------------------------------------- | ---------- |
| Learn about the Token Sale before its official announcement.     | ⭐⭐⭐        |
| Apply some advanced cryptanalysis to find *the real* easter egg. | ⭐⭐⭐⭐       |

### Learn about the Token Sale before its official announcement

🔧 **TODO**

#### Hints

🔧 **TODO**

### Apply some advanced cryptanalysis to find the real easter egg

Solving the [Find the hidden easter egg](/readme/part-ii/part-ii-challenge-hunting/roll-your-own-security.md#find-the-hidden-easter-egg) challenge was probably not as satisfying as you had hoped. Now it is time to tackle the taunt of the developers and hunt down *the real* easter egg. This follow-up challenge is basically about finding a secret URL that - when accessed - will reward you with an easter egg that deserves the name.

#### Hints

* Make sure you solve [Find the hidden easter egg](/readme/part-ii/part-ii-challenge-hunting/roll-your-own-security.md#find-the-hidden-easter-egg) first.
* You might have to peel through several layers of tough-as-nails encryption for this challenge.

