I am currently working as a pentester on enhancing the security of Python projects. To the best of my knowledge, when someone attempts to discover paths (such as ‘/admin,’ which should be changed upon deployment) in a web app, they perform fuzzing on the application using various dictionaries containing words that may or may not exist on the web. The word that returns a 200 OK indicates the path’s existence, and if it results in a 404 ERROR, we know it doesn’t. This is acceptable as we can filter only by looking for the 200 OK (Fuzzing).
The question is: What if we force the app to return a 200 OK even when a path does not exist? Is it even possible to accomplish? How?
Assuming it can be done, and the response to our request is a custom 404.html page providing a 200 OK, it can be filtered in our fuzzers to display the number of lines or even the number of words. Considering this, I have another question: Can we modify the 404.html view to return a random number of lines and words to make it more challenging to find those paths? Is it even possible to accomplish? How?
Now that you have read it, consider that if both things are possible to accomplish and you are planning to implement them in your project, you must know that most SEOs, for example Google, don’t like these security measures.
Thanks for reading ;).