depends. Desktop code, sure, reverse engineering from assembly takes some time but some good dissasemblers might be able to produce some C skeleton to start from. Though you might get lucky just exploiting the supply chain of bloated open source with a hellton of vulnerabilities deps/infra like glibc, apache or sudo.
But web code? Sure, minifiers exist but not every website uses them and even if their do, thanks to all the new stuff since ES5 you can for example spend way less time doing something like finding a Math.random() based, ergo cryptographically utterly broken PRNG.
Or for example you can easily rule out whether the website uses header-to-cookie based CSRF protection by just checking the console on any authenticated write-like request. The rest could be automated with things like zaproxy or selenium/curl-impersonate/puppeteer scripts.
“Hacking” also has plenty of specialties like programming. When I think of hacking my first thought is remote, non-http services. Webservers are fair game for hacking but they’re also meant for public consumption so I’d guess monitoring is a bit more severe (not that companies don’t skimp on intrusion detection).
Programmers have the source code right in front of them, hackers usually don’t. It’s quite amazing what they can do taking shots in the dark.
depends. Desktop code, sure, reverse engineering from assembly takes some time but some good dissasemblers might be able to produce some C skeleton to start from. Though you might get lucky just exploiting the supply chain of bloated open source with a hellton of vulnerabilities deps/infra like glibc, apache or sudo.
But web code? Sure, minifiers exist but not every website uses them and even if their do, thanks to all the new stuff since ES5 you can for example spend way less time doing something like finding a Math.random() based, ergo cryptographically utterly broken PRNG.
Or for example you can easily rule out whether the website uses header-to-cookie based CSRF protection by just checking the console on any authenticated write-like request. The rest could be automated with things like zaproxy or selenium/curl-impersonate/puppeteer scripts.
“Hacking” also has plenty of specialties like programming. When I think of hacking my first thought is remote, non-http services. Webservers are fair game for hacking but they’re also meant for public consumption so I’d guess monitoring is a bit more severe (not that companies don’t skimp on intrusion detection).