Hidden file name under HTTP server directory

Victor Zhang

Hello all,
I don't know if this is a proper discussion group, but I still raise
this question, hoping somebody can shed a light on me:
If I know the http server name and some directory name, but I don't
know the file names located under this directory, is it possible to
find out what's the name for them, so that I can download them?

Regards
Victor
 
brucie

> If I know the http server name and some directory name, but I don't
> know the file names located under this directory, is it possible to
> find out what's the name for them, so that I can download them?

i assume you're not talking about your own server. you could guess some
common ones or run a script that will try different combinations of file
names looking for a 200 response but as there are so many possibilities
it would be a waste of time. you'd really need a fat pipe if you were
going to try it.

you may like to try to crack the server but i would recommend abducting
a close family member and ransoming them for the directory listing. it's
much more fun.
 
Victor Zhang

So you mean, there is no method finding the directory name and file
name which are not published without cracking the web host?
That sounds bad.
Anyway, thank you for the reply.

Regards
Victor
 
brucie

> So you mean, there is no method finding the directory name and file
> name which are not published without cracking the web host?
> That sounds bad.

it sounds very good unless you're trying to do something evil

please don't toppost, it upsets the little voices

How am I supposed to post my replies in a newsgroup?:
http://allmyfaqs.com/faq.pl?How_to_post
 
Weyoun the Dancing Borg

Victor said:
> So you mean, there is no method finding the directory name and file
> name which are not published without cracking the web host?
> That sounds bad.
> Anyway, thank you for the reply.

sure it's bad. if I have a txt file called "my credit card number.txt"
(for whatever reason) on my server, I don't want other people to see it.

If you want a file from their server, why don't you ask them?
 
Ramen Junkie

brucie said:
> i assume you're not talking about your own server. you could guess some
> common ones or run a script that will try different combinations of file
> names looking for a 200 response but as there are so many possibilities
> it would be a waste of time. you'd really need a fat pipe if you were
> going to try it.


You could also make the script try every possible combination. a.html,
b.html, aa.html, ahgdfghd.html etc. Systematically of course. That would
take forever though.
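
Added example (not part of any post in this thread): seen from the server operator's side, the name-guessing script described in the two posts above leaves a recognisable trace in the access log, namely one client producing mostly 404s across many distinct paths. The sketch below flags that pattern; the log lines are constructed, and the function names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: client, identity, user, [time], "METHOD path proto", status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def build_sample_log():
    """Constructed sample: one ordinary visitor and one client guessing names."""
    ts = "10/Apr/2004:12:00:00 +0000"
    lines = [
        f'192.0.2.10 - - [{ts}] "GET /index.html HTTP/1.1" 200 5120',
        f'192.0.2.10 - - [{ts}] "GET /favicon.ico HTTP/1.1" 404 209',
        f'192.0.2.10 - - [{ts}] "GET /docs/ HTTP/1.1" 200 2048',
        "truncated line that does not parse",
    ]
    names = ["a", "b", "aa", "ab", "backup", "test", "old", "admin",
             "data", "private", "notes", "index"]
    for name in names:
        status = 200 if name == "index" else 404
        lines.append(
            f'198.51.100.7 - - [{ts}] "GET /files/{name}.html HTTP/1.1" {status} 209'
        )
    return lines

def find_name_guessing(lines, min_missing=10, min_ratio=0.8):
    """Flag clients whose requests are mostly 404s spread over many distinct paths."""
    total = defaultdict(int)
    miss_count = defaultdict(int)
    missing = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of failing the whole run
        ip = m["ip"]
        total[ip] += 1
        if m["status"] == "404":
            miss_count[ip] += 1
            missing[ip].add(m["path"].split("?", 1)[0])  # ignore query strings
    flagged = {}
    for ip, n in total.items():
        ratio = miss_count[ip] / n
        if len(missing[ip]) >= min_missing and ratio >= min_ratio:
            flagged[ip] = {"requests": n, "distinct_404": len(missing[ip]),
                           "ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    print(find_name_guessing(build_sample_log()))
```

The ordinary visitor's single missing favicon stays below both thresholds, so only the guessing client is reported.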
 
Rob McAninch

Weyoun the Dancing Borg said:
> sure it's bad. if I have a txt file called "my credit card
> number.txt" (for whatever reason) on my server, I don't want
> other people to see it.

It should go without saying, but security thru obscurity is no
security at all (or at least very little). At a minimum, if
you're on a shared server other users can see the file.

So a method to solve the original question would be to gain
access to the server by means other than HTTP. If it is a shared
server you might get an account and 'legally' view the other
person's files. Otherwise you're looking for telnet or ssh access,
both probably easier to crack than throwing gobs of http requests
at the server.

Of course I don't condone such actions without prior consent.
 
Victor Zhang

I wonder if a robot can access unpublished directory or file?
This is purely a technical discussion, which doesn't mean what I
want to know, just curious how to access hidden/unpublished resource.
Thanks to those who kindly answered my questions.
Share what you know, learn what you don't.

Regards
Victor
 
Spartanicus

> I wonder if a robot can access unpublished directory or file?

If by robot you mean crawler/SE, not unless directory browsing is
enabled on the server.
 
Toby A Inkster

Victor said:
> I wonder if a robot can access unpublished directory or file?
> This is purely a technical discussion, which doesn't mean what I
> want to know, just curious how to access hidden/unpublished resource.

Depends on what you mean by "hidden". You'd be surprised how visible URLs
can become, even if you don't link to them.

Firstly, server stats pages often list which pages on the server are
getting the most hits. So your "hidden" page might be listed there.

Secondly, if someone clicks a link *from* your hidden page *to* somewhere
else, your hidden page's address will appear in the destination server's
referer logs.
 
Long - CM web hosting

: Victor Zhang wrote:
:
: > I wonder if a robot can access unpublished directory or file?
: > This is purely a technical discussion, which doesn't mean what I
: > want to know, just curious how to access hidden/unpublished resource.
:
: Depends on what you mean by "hidden". You'd be surprised how visible URLs
: can become, even if you don't link to them.
:
: Firstly, server stats pages often list which pages on the server are
: getting the most hits. So your "hidden" page might be listed there.
:
: Secondly, if someone clicks a link *from* your hidden page *to* somewhere
: else, your hidden page's address will appear in the destination server's
: referer logs.
:
Good points and are typical of file system based web hosting environments.
More control is available if digital content is stored in a database such as
a CMS repository, files can be made visible or hidden at the flip of a switch.
Access to hidden files will get a 404 as if they don't exist at all.

Long
www.webcharm.ca - content management web hosting
 
Owen Jacobson

> Good points and are typical of file system based web hosting environments.
> More control is available if digital content is stored in a database such as
> a CMS repository, files can be made visible or hidden at the flip of a switch.
> Access to hidden files will get a 404 as if they don't exist at all.

Why 404, specifically?

Reasons that are related to who is doing the requesting:
401 - Not Authorized (implies HTTP Authentication mechanisms)
402 - Payment Required
403 - Forbidden

Reasons relating to the resource itself:
404 - Not Found
410 - Gone
503 - Service Unavailable (this might be applicable for a large-scale
temporary outage, such as an entire section -- "...or maintenance of the
server." It does, somewhat, imply that the server as a whole is down,
though)
301 - Moved Permanently (followed by a Location: new-URI header)
307 - Temporary Redirect (also)
 
Long - CM web hosting

: On Thu, 08 Apr 2004 21:17:20 +0000, Long - CM web hosting wrote:
:
: > Good points and are typical of file system based web hosting environments.
: > More control is available if digital content is stored in a database such as
: > a CMS repository, files can be made visible or hidden at the flip of a switch.
: > Access to hidden files will get a 404 as if they don't exist at all.
:
: Why 404, specifically?
:
Granted there are a number of ways to generate a response, as you have
pointed out. I suppose it depends on the situation, but in general it is better
not to broadcast that a resource exists and is protected. Just say it is not there
and leave it at that.

Long
www.webcharm.ca - content management web hosting
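
Added example (not part of any post in this thread, and not webcharm's code): the 404-versus-403 point discussed above, as a small WSGI app with both policies and a self-check an operator can run to see which unpublished paths an outsider can tell apart from paths that do not exist. The store contents, paths and function names are constructed for illustration.

```python
# Constructed content store: path -> (body, published?)
STORE = {
    "/public/report.html": (b"<h1>Report</h1>", True),
    "/drafts/plan.html": (b"<h1>Draft</h1>", False),  # hidden via the CMS switch
}
CANDIDATES = ["/public/report.html", "/drafts/plan.html", "/drafts/other.html"]
NOT_FOUND = ("404 Not Found", b"Not Found\n")
FORBIDDEN = ("403 Forbidden", b"Forbidden\n")

def make_app(hide_as_missing):
    """WSGI app; hide_as_missing=True answers hidden paths exactly like absent ones."""
    def app(environ, start_response):
        entry = STORE.get(environ.get("PATH_INFO", ""))
        if entry is None:
            status, body = NOT_FOUND
        elif entry[1]:
            status, body = "200 OK", entry[0]
        else:
            status, body = NOT_FOUND if hide_as_missing else FORBIDDEN
        start_response(status, [("Content-Type", "text/html"),
                                ("Content-Length", str(len(body)))])
        return [body]
    return app

def fetch(app, path):
    """Call the app in-process and return (status, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, sorted(headers)
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return seen["status"], seen["headers"], body

def leaked_paths(app, candidates, baseline="/no/such/resource"):
    """Unpublished paths whose response differs from that of a truly absent path."""
    absent = fetch(app, baseline)
    return [p for p in candidates
            if not STORE.get(p, (b"", False))[1] and fetch(app, p) != absent]

if __name__ == "__main__":
    print("403 policy leaks:", leaked_paths(make_app(False), CANDIDATES))
    print("404 policy leaks:", leaked_paths(make_app(True), CANDIDATES))
```

The check compares status, headers and body only; it does not measure response timing.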
 
Victor Zhang

Spartanicus said:
> If by robot you mean crawler/SE, not unless directory browsing is
> enabled on the server.

Yes, I mean crawler. If the web server doesn't allow directory browsing
for its root, but allows browsing an individual subdirectory, can a crawler
find hidden resources?

Regards
Victor
 
