How to discover hidden URLs?
Discussion
One of the sites I look after has the login page url hidden and non-standard nomenclature, but somehow people are still finding it? It's not an issue - but I'm interested in how people are finding this unique url - it's not like it's listed in the sitemap. A quick look on line doesn't really bring anything up apart from links of how to obfuscate the login url..
Back in the day when i was security testing web sites, would use tools like nikto to scan for hidden links. Also its probably not as random as you think, unless it really has a truly random number or GUID in the URI?
Or its something daft, like published in r0bots.txt or inside some javascript file, which again, is all scanned for intel/info.
ETA wierdly if you spell R0bots.txt properly it causes PH to throw a 503 lol hmmmm
Or its something daft, like published in r0bots.txt or inside some javascript file, which again, is all scanned for intel/info.
ETA wierdly if you spell R0bots.txt properly it causes PH to throw a 503 lol hmmmm
Edited by bmwmike on Monday 5th September 16:09
Brother D said:
One of the sites I look after has the login page url hidden and non-standard nomenclature, but somehow people are still finding it? It's not an issue - but I'm interested in how people are finding this unique url - it's not like it's listed in the sitemap. A quick look on line doesn't really bring anything up apart from links of how to obfuscate the login url..
Is it linked to from another site? What happens when you google the URL (or partial URL)?bmwmike said:
Back in the day when i was security testing web sites
, would use tools like nikto to scan for hidden links. Also its probably not as random as you think, unless it really has a truly random number or GUID in the URI?
Or its something daft, like published in r0bots.txt or inside some javascript file, which again, is all scanned for intel/info.
Ok thanks - no not listed in robots, but I'll dig a little deeper and see where it's referenced. , would use tools like nikto to scan for hidden links. Also its probably not as random as you think, unless it really has a truly random number or GUID in the URI?
Or its something daft, like published in r0bots.txt or inside some javascript file, which again, is all scanned for intel/info.
eeLee said:
your security by obscurity will not work in a world with Google Chrome. Undoubtedly, the Big G is getting telemetry from visitors using Chrome and this will lead to discoverability. Even better should someone link to your "hidden" login page.
what are you trying to protect against?
Just security and looking to reduce the login attempts. The few other sites I look after have similar almost random login page urls, but this one site I've changed twice and after a few weeks the login attempts start again. This is more out of interest in 'how' the url is being found. what are you trying to protect against?
If the other 2 sites are identical and only this one is getting discovered it is likely as other have said, that there is an external link. Could be one of your users bookmarking it somewhere public.
Perhaps referer will tell you where they are coming from? Webstats? IP origins may tell you something of their legitimacy too.
Also consider using Google captcha to cut down on login attempts.
Other technologies such as device assurance and bot prevention depending on budget etc.
Perhaps referer will tell you where they are coming from? Webstats? IP origins may tell you something of their legitimacy too.
Also consider using Google captcha to cut down on login attempts.
Other technologies such as device assurance and bot prevention depending on budget etc.
bmwmike said:
If the other 2 sites are identical and only this one is getting discovered it is likely as other have said, that there is an external link. Could be one of your users bookmarking it somewhere public.
Perhaps referer will tell you where they are coming from? Webstats? IP origins may tell you something of their legitimacy too.
Also consider using Google captcha to cut down on login attempts.
Other technologies such as device assurance and bot prevention depending on budget etc.
It's only myself that accesses the login page. Perhaps referer will tell you where they are coming from? Webstats? IP origins may tell you something of their legitimacy too.
Also consider using Google captcha to cut down on login attempts.
Other technologies such as device assurance and bot prevention depending on budget etc.
I use the standard limit login attempts which lock out the source IP after 3 tries.
There were +500 attempts Sunday, 200 monday, and none since then.
Login attemps are from the usual suspects.
It's only a brochureware site for a small restaurant, so their budget doesn't stretch too far...
Anyway as mentioned it's not an issue just an interest where they are pulling the url info from - I'll have a play with nikto and see what that comes back with
What CMS are you using?
If it's wordpress, for example it's just going to be https://mysite.com/wp-login.php
Require strong passwords, block IP addresses for x hours after N failed attempts, etc. The URL really isn't important.
If it's wordpress, for example it's just going to be https://mysite.com/wp-login.php
Require strong passwords, block IP addresses for x hours after N failed attempts, etc. The URL really isn't important.
silentbrown said:
What CMS are you using?
If it's wordpress, for example it's just going to be https://mysite.com/wp-login.php
Require strong passwords, block IP addresses for x hours after N failed attempts, etc. The URL really isn't important.
And install Wordfence! I don't run a WP site without it.If it's wordpress, for example it's just going to be https://mysite.com/wp-login.php
Require strong passwords, block IP addresses for x hours after N failed attempts, etc. The URL really isn't important.
Gassing Station | Computers, Gadgets & Stuff | Top of Page | What's New | My Stuff