First of all, the question from a naive point of view:
I've got a web application with a URL to a product like Products?id=123. Let's say I've got an administration page reachable from Products?id=123&editable=true.
If I consider that no one will ever try to enable the editable parameter, and thus don't need any further security mechanism to protect this page, that's security by obscurity, and that's not a good idea, right?
-
In my real case problem, it's slightly more subtle: is there any danger in allowing anyone to know my administration URLs? For instance, while working with XSL, I would like to write:
<xsl:if test="/webAlbums/mode/@admin">
(compute edit link)
</xsl:if>
but wouldn't it be easier for a potential attacker to find a weakness in 'important' pages?
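To make the distinction concrete, here is an added example (not code from the question) contrasting the two approaches: a handler that trusts the editable parameter alone, and one that derives the admin flag from server-side session state, so knowing the URL gives an attacker nothing. The SESSIONS table, cookie names and function names are constructed for illustration; the admin value returned is what would populate the /webAlbums/mode/@admin attribute the XSL tests.

```python
from urllib.parse import parse_qs

# Constructed sample sessions: what the server knows about the caller,
# looked up from a session cookie and independent of anything in the URL.
SESSIONS = {
    "anon-cookie": {"user": None, "role": "guest"},
    "admin-cookie": {"user": "alice", "role": "admin"},
}
GUEST = {"user": None, "role": "guest"}


def _parse(url_query: str):
    """Return (product_id, wants_edit) from a query string like id=123&editable=true."""
    q = parse_qs(url_query)
    product_id = q.get("id", [None])[0]
    wants_edit = q.get("editable", ["false"])[0].lower() == "true"
    return product_id, wants_edit


def render_mode_obscure(url_query: str) -> dict:
    """Weak version: the admin flag is whatever the URL says.
    Anyone who guesses editable=true gets the admin view (security by obscurity)."""
    product_id, wants_edit = _parse(url_query)
    return {"product_id": product_id, "admin": wants_edit}


def render_mode_authorized(url_query: str, session_cookie: str) -> dict:
    """Hardened version: the admin flag comes only from server-side session state.
    editable=true is at most a request for edit mode, honoured only for admins;
    a non-admin asking for it is recorded so the attempt can be logged or rejected."""
    product_id, wants_edit = _parse(url_query)
    session = SESSIONS.get(session_cookie, GUEST)
    is_admin = session["role"] == "admin"
    return {
        "product_id": product_id,
        "admin": is_admin and wants_edit,
        "denied_edit_request": wants_edit and not is_admin,
    }
```

Because the hardened handler checks the session on every request, publishing the edit link (or computing it in the XSL for everyone) changes nothing about who can actually edit.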