Authentication & Identity
Login portals, SSO, and identity endpoints targeted for account takeover.
30 probed paths in this category.
.well-known/oauth-authorization-server
OAuth 2.0 Authorization Server Metadata
Risk: Publishes the authorization server's endpoints and capabilities, letting attackers identify supported (and potentially insecure) grant types, token formats, and registration endpoints to target.
Fix: This metadata is intentionally public; secure it by advertising only hardened flows, disabling dynamic client registration if unused, and enforcing PKCE and strict redirect validation.
.well-known/openid-configuration
OpenID Connect Configuration Document
Risk: This discovery document publicly maps every OIDC endpoint, supported flows, and signing keys, giving an attacker a complete blueprint of the identity provider to find weak grant types or algorithms.
Fix: Exposure of this document is expected by design; harden the underlying endpoints by disabling weak flows and algorithms, and ensure jwks_uri serves only current signing keys.
adfs/services/trust
Active Directory Federation Services
Risk: An exposed ADFS trust endpoint can be abused for WS-Trust username/password spraying that bypasses lockout and MFA, and a compromised token-signing key enables Golden SAML forgery of any user's identity.
Fix: Restrict the trust endpoints via Web Application Proxy with extranet smart lockout and MFA, protect token-signing keys, and disable legacy WS-Trust endpoints if not required.
admin/login.jsp
Java Web Application Admin Login
Risk: This JSP admin login confirms a Java web application and offers a credential-entry point where default credentials or known framework CVEs (such as Struts or Spring flaws) can lead to authenticated access and server-side code execution. The .jsp extension also signals a servlet container that may have its own exploitable vulnerabilities.
Fix: Restrict the admin login to a management network, enforce strong unique credentials with account lockout and MFA, and keep the JVM, servlet container, and web framework patched against known authentication and deserialization CVEs.
api/v1/tokens
API Token Management Endpoint
Risk: An exposed token-management endpoint can let an attacker mint, list, or revoke API tokens, achieving persistent authenticated access or denying service by revoking legitimate keys.
Fix: Require strong authentication and per-action authorization on token endpoints, rate-limit them, and audit token creation and revocation events.
api/v2/auth/login
API Authentication Login Endpoint
Risk: A login endpoint is the primary target for credential stuffing, brute force, and username enumeration that can yield valid account access if responses or timing differ for valid versus invalid users.
Fix: Enforce rate limiting and account lockout, return uniform error responses, add MFA, and monitor for high-volume authentication failures.
auth/realms/master
Keycloak Authentication Realm
Risk: Reaching Keycloak's master realm exposes the administrative realm; default or weak admin credentials grant full control over all realms, clients, and users, enabling complete identity-provider takeover.
Fix: Change default admin credentials immediately, restrict the master realm and admin console to internal networks or VPN, enforce strong MFA, and keep Keycloak patched.
auth0/api/v2/users
Auth0 Users Management API
Risk: A stolen Auth0 Management API token grants read/write access to the full user directory, allowing password resets, MFA removal, account creation, and tenant-wide account takeover.
Fix: Issue Management API tokens with the narrowest scopes (avoid `read:users`/`update:users` where unneeded), keep them server-side only, set short token lifetimes, and enable Auth0 anomaly detection.
autodiscover/autodiscover.json?@zdi/Powershell
Microsoft Exchange Autodiscover
Risk: Probes for ProxyShell/ProxyNotShell SSRF in Exchange Autodiscover, which chained with backend exploits allows unauthenticated remote code execution and webshell deployment on the Exchange server.
Fix: Apply current Exchange cumulative updates and security patches, disable legacy Autodiscover paths where unused, and place Exchange behind an authenticated reverse proxy or enable the Exchange Emergency Mitigation service.
autodiscover/autodiscover.json?a..foo.var/owa/?&Email=autodiscover/autodiscover.json?a..foo.var&Protocol=XYZ&FooProtocol=Powershell
Microsoft Exchange Autodiscover
Risk: Exploits the ProxyShell path-confusion bug in Exchange Autodiscover to reach the PowerShell backend unauthenticated, enabling mailbox export, privilege escalation, and remote code execution.
Fix: Patch Exchange to the latest CU and security rollup, enforce authentication on PowerShell virtual directories, and apply Microsoft's URL rewrite mitigations for the Autodiscover SSRF pattern.
Autodiscover/Autodiscover.xml
Autodiscover is the feature that Outlook uses to obtain configuration information for servers to which it connects.
Risk: Exposed Exchange Autodiscover can leak internal hostnames and email configuration and, on unpatched servers, is a known SSRF/RCE vector (ProxyLogon/ProxyShell chains) leading to mailbox access and server compromise.
Fix: Keep Exchange fully patched, restrict Autodiscover to authenticated internal clients or a published endpoint, and put a WAF/reverse proxy in front to filter known ProxyShell URL patterns.
console/login/LoginForm.jsp
WebLogic Server Console
Risk: A reachable WebLogic admin console lets attackers attempt credential brute-forcing or exploit known WebLogic RCE chains (e.g. T3/IIOP deserialization CVEs) to gain full control of the application server.
Fix: Restrict the /console context to internal management networks via firewall or load-balancer rules, change default weblogic credentials, and keep WebLogic patched against deserialization CVEs.
Core/Skin/Login.aspx
DNN CMS
Risk: Identifies a DNN (DotNetNuke) CMS install; vulnerable versions allow authentication bypass, deserialization RCE, or file-upload attacks that can lead to admin takeover or server-side code execution.
Fix: Upgrade DNN to the latest patched release, remove the version banner, enforce strong admin credentials with MFA, and restrict access to admin and install paths.
ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
Microsoft Exchange
Risk: Reaching the eDiscovery ExportTool ClickOnce manifest fingerprints the Exchange build and signals the server is internet-facing, helping attackers chain CVE-2021-26855 (ProxyLogon) or CVE-2022-41040/41082 (ProxyShell) for unauthenticated RCE and mailbox takeover.
Fix: Apply current Exchange cumulative updates and security patches, restrict ECP/OWA exposure to a VPN or reverse proxy, and disable Exchange Online PowerShell or legacy ClickOnce paths that are not in use.
identity/connect/authorize
IdentityServer4 Authorization Endpoint
Risk: An exposed IdentityServer4 OIDC authorization endpoint lets attackers probe client_ids, redirect_uris, and scopes to find misconfigured clients usable for token theft via open-redirect or implicit-flow abuse.
Fix: Enforce strict redirect_uri allowlists per client, disable the implicit flow in favor of authorization code with PKCE, and require client authentication for confidential clients.
identity/connect/token
IdentityServer4 Token Endpoint
Risk: The IdentityServer4 token endpoint issues OAuth/OIDC access and refresh tokens; weak client secrets or permissive grant types here allow attackers to mint valid tokens and impersonate users or services.
Fix: Use high-entropy client secrets, restrict each client to only the grant types it needs, and rate-limit token requests to slow credential-stuffing and brute-force attempts.
login.action
Atlassian Jira
Risk: The .action suffix marks a Struts/Atlassian endpoint frequently targeted by OGNL injection RCE (such as the Confluence/Struts CVE-2021-26084 and CVE-2017-5638 families), where a crafted login request can yield unauthenticated command execution.
Fix: Patch the Struts2/Atlassian product to a fixed version, remove unused .action endpoints, and deploy WAF signatures that block OGNL expression payloads in request parameters and headers.
mgmt/shared/authn/login
F5 BIG-IP
Risk: This F5 BIG-IP iControl REST authentication endpoint is the entry point for CVE-2022-1388 (auth bypass) and CVE-2021-22986 (unauthenticated RCE), letting an attacker create admin tokens and run root commands on the appliance.
Fix: Apply current BIG-IP engineering hotfixes, restrict the management/iControl REST interface to a dedicated management network, and follow F5's mitigation guidance to block iControl REST access via self-IPs and the management port.
oauth2/v2.0/authorize
Microsoft Entra ID Authorization Endpoint
Risk: Misconfiguration here (overly permissive redirect URIs, implicit flow, or open client registration) enables authorization-code interception and token theft, leading to account takeover in Entra ID-protected apps.
Fix: Enforce exact redirect-URI matching, use PKCE with the authorization-code flow, disable implicit/hybrid grants, and restrict app registration to administrators.
oauth2/v2.0/token
Microsoft Entra ID Token Endpoint
Risk: Weak client authentication or leaked client secrets at the token endpoint let an attacker exchange stolen codes or refresh tokens for access tokens, impersonating users or service principals.
Fix: Require confidential-client secrets or certificate credentials, rotate secrets regularly, validate redirect URIs and PKCE, and monitor for anomalous token grants.
okta/api/v1/users
Okta Users API
Risk: A leaked Okta API token enables enumeration and modification of all user accounts, including resetting credentials, deactivating MFA factors, and creating admin users for full SSO-backed access to downstream apps.
Fix: Use Okta API tokens or OAuth service apps with least-privilege admin roles, bind tokens to a network zone allowlist, set short expirations, and monitor the System Log for token-driven changes.
owa
Microsoft Outlook Web Access
Risk: Reaching the Outlook Web Access endpoint confirms an Exchange server is internet-facing and exposes the login portal to credential stuffing and password spraying, plus targeting of ProxyLogon/ProxyShell mailbox-takeover chains.
Fix: Front OWA with MFA and conditional access, enforce account lockout against spraying, keep Exchange fully patched, and consider restricting external OWA access to a VPN or published-app gateway.
owa/
Microsoft Outlook Web Access
Risk: The OWA root similarly identifies an exposed Exchange deployment and offers an authentication surface for brute-force and spraying attacks as well as a foothold for chaining known Exchange pre-auth vulnerabilities.
Fix: Require MFA, apply account-lockout and anomaly monitoring on the OWA portal, keep cumulative updates current, and limit external reachability via reverse proxy or VPN where feasible.
owa/auth.owa
Microsoft Outlook Web Access
Risk: This OWA forms-authentication handler is the target of credential-spraying and password-harvesting attacks, and version-specific responses help attackers fingerprint the Exchange build for follow-on ProxyLogon/ProxyShell exploitation.
Fix: Enforce MFA and lockout thresholds on forms auth, suppress version banners, keep Exchange patched, and place the auth endpoint behind a pre-authentication gateway.
owa/auth/logon.aspx
Microsoft Outlook Web Access
Risk: The OWA logon page exposes the Exchange credential prompt to brute force and phishing-style harvesting, and its markup/version strings reveal the precise build attackers need to select a matching mailbox-takeover exploit.
Fix: Apply MFA, account lockout, and login monitoring, strip version-revealing strings from the logon page, keep Exchange updated, and restrict external access through a reverse proxy or VPN.
owa/auth/logon.aspx?url=https://1/ecp/
Microsoft Outlook Web Access
Risk: This open-redirect parameter on the Exchange OWA login page can be abused for phishing, and probing the ECP path can confirm an Exchange version vulnerable to ProxyLogon/ProxyShell chains leading to remote code execution and mailbox access.
Fix: Patch Exchange to the latest cumulative update, restrict ECP and OWA access to trusted networks or via VPN, and validate the url redirect parameter against an allowlist to prevent open redirects.
owa/auth/x.js
Microsoft Outlook Web Access
Risk: This OWA static auth JavaScript asset carries build/version markers that let scanners fingerprint the exact Exchange cumulative update level to choose a matching ProxyLogon/ProxyShell or other CVE exploit.
Fix: Keep Exchange patched so fingerprinting yields no exploitable version, minimize version disclosure in static assets, and restrict OWA exposure behind a gateway or VPN.
tmui/login.jsp
F5 BIG-IP
Risk: This is the F5 BIG-IP Traffic Management UI login, the entry point for the iControl REST authentication-bypass RCE chain (CVE-2020-5902 / CVE-2022-1388); an unauthenticated attacker can gain root on the appliance and intercept all proxied traffic.
Fix: Patch BIG-IP to a fixed version and never expose the management interface (TMUI) to the internet; bind it to a dedicated management VLAN restricted to admin hosts.
user/login
Drupal Login Path
Risk: This is the Drupal login path; its presence fingerprints Drupal and exposes the authentication endpoint to brute-forcing and to Drupal-specific account-takeover or auth-bypass CVEs. A compromised admin account allows enabling PHP filters or modules that yield remote code execution.
Fix: Enforce strong passwords with flood-control and MFA on Drupal logins, restrict administrative login to trusted IPs where feasible, and keep Drupal core and contributed modules updated against known authentication CVEs.
wp-login.php
WordPress
Risk: The WordPress admin login is a prime target for credential-stuffing and brute-force bots; a weak admin password yields full site takeover and a foothold for malware and SEO spam.
Fix: Enforce strong, unique admin passwords and 2FA, rate-limit or IP-restrict wp-login.php, consider renaming the login path, and keep WordPress core and plugins patched.