Recon & Fingerprinting
Benign-looking files and probes scanners use to fingerprint your stack.
46 probed paths in this category.
"+target=/"_blank
HTML
Risk: This malformed string is an injection or fuzzing artifact probing for reflected HTML/attribute injection; if reflected unescaped it could enable cross-site scripting or tabnabbing via injected target attributes.
Fix: Apply context-aware output encoding for all reflected input, add rel="noopener noreferrer" to external links, and return a clean 404 for malformed paths without echoing the input.
+target=/_blank
Opens the linked document in a new window or tab
Risk: Not a sensitive resource; this is an HTML attribute fragment that scanners append to URLs to test for reflected XSS or tabnabbing, where target=_blank without rel=noopener lets the new tab control the opener window.
Fix: Ensure all outbound links using target=_blank include rel="noopener noreferrer", and return a clean 404 for malformed paths without echoing input or leaking server version.
.DS_Store
A hidden file created by Apple's Mac OS X operating system to store custom attributes of a folder such as the position of icons or the choice of a background image.
Risk: If served, the file's directory metadata reveals filenames not linked anywhere, exposing hidden admin pages, backups, or source files that an attacker can then enumerate and fetch directly.
Fix: Block dotfiles at the web server (deny .DS_Store), add it to .gitignore and deployment ignore lists, and avoid uploading macOS metadata to web roots.
.travis.yml
Travis CI configuration file
Risk: Exposes the Travis CI build pipeline, revealing deploy scripts, build steps, and sometimes encrypted secrets or environment-variable names that hint at deployment infrastructure and third-party services.
Fix: Keep CI config out of the web document root and block dotfiles at the server or CDN level; store secrets in Travis encrypted variables rather than inline in the YAML.
.well-known/security.txt
A proposed standard that allows websites to define security policies.
Risk: This is a benign, intentionally public file that publishes security contact details; it poses no direct risk, though scanners read it to fingerprint disclosure policy and contact addresses.
Fix: Serve a valid, current security.txt with a working contact and expiry date; no hardening is needed beyond keeping the listed contacts and PGP key accurate.
.well-known/security.txt/
Security.txt
Risk: This is a legitimate standardized file for disclosing security contact information; scanners probe it for fingerprinting and to find a vulnerability-reporting channel, so its presence is expected and low-risk.
Fix: Publish a valid signed security.txt with current contact and policy details, and ensure the path resolves cleanly without exposing directory listings or server errors.
.well-known/traffic-advice
Chrome Private Prefetch Proxy traffic-advice resource, probed by crawlers and scanners
Risk: This is a benign Chrome Private Prefetch Proxy resource; probing it mainly fingerprints the server and CDN behavior rather than exposing sensitive data, but verbose error responses could leak stack traces or version info.
Fix: Serve a valid JSON response or a clean 404 for the path, and ensure error pages reveal no server version, framework, or stack-trace details.
admin/console/index.html
Admin Console
Risk: Reaching an administrative console grants management access to the application or appliance, allowing configuration changes, user/account manipulation, and potential command execution on the host. Default or weak credentials on such consoles frequently lead to full takeover.
Fix: Restrict the admin console to a trusted management network or VPN, enforce strong unique credentials with MFA, and remove or rename default console paths that are publicly reachable.
app.js
Common Node.js/Express application entry-point file
Risk: If the raw file is served instead of executed, it discloses Node.js/Express application source, revealing routes, middleware, database connection logic, and possibly hardcoded credentials.
Fix: Ensure the application server runs the code rather than the web server serving it, keep source outside any static document root, and store secrets in environment variables.
console/
Laravel
Risk: Probes for an exposed interactive web console such as Laravel Tinker/Telescope or a WebLogic console, which can grant arbitrary code execution or administrative control of the application.
Fix: Disable debug/console tooling in production, restrict any admin console to internal networks with authentication, and return a 404 for the path in production builds.
crossdomain.xml
Flash Cross-Domain Policy
Risk: An overly permissive policy (allow-access-from domain="*") lets any site make cross-domain requests with the user's credentials, enabling data theft via legacy Flash/Silverlight clients.
Fix: Remove the file if no Flash/Silverlight clients exist, or restrict allow-access-from to specific trusted domains and set permitted-cross-domain-policies to none.
dashboard/test.php
phpMyAdmin
Risk: A leftover phpMyAdmin or PHP test script can disclose the PHP configuration via phpinfo, revealing versions, loaded modules, paths, and environment variables useful for crafting targeted exploits.
Fix: Remove test and diagnostic scripts from production, disable phpinfo output, and restrict phpMyAdmin access to trusted IPs behind authentication.
data/nextcloud.log
Nextcloud
Risk: Exposes Nextcloud's application log, which can reveal usernames, internal file paths, IP addresses, and error details useful for targeted attacks against the instance.
Fix: Ensure the data/ directory is outside the web root or denied by the web server (Nextcloud ships .htaccess rules), verify the deny rules are active, and store logs where they are not web-accessible.
data/owncloud.log
ownCloud
Risk: Reveals ownCloud's log file, leaking usernames, file paths, client IPs, and stack traces that aid reconnaissance and account-targeting against the deployment.
Fix: Confirm the web server blocks access to the data/ directory per ownCloud's bundled rules, move the data directory outside the web root, and serve a 404 for log paths.
develop/info.php
phpMyAdmin
Risk: This is a phpinfo-style diagnostic that leaks PHP build details, module list, absolute paths, and environment variables, providing reconnaissance for exploiting known PHP or extension vulnerabilities. It commonly exposes secrets passed through the environment.
Fix: Remove diagnostic info.php files from any deployed environment and disable phpinfo via disable_functions, ensuring development scripts are excluded from the production build.
dns-query
DNS over HTTPS
Risk: Identifies a DNS-over-HTTPS resolver endpoint; if it is an open resolver it can be abused for DNS amplification, cache poisoning attempts, or as a covert data-exfiltration and command-and-control channel.
Fix: Restrict the DoH resolver to authorized clients, disable open recursion, rate-limit queries, and log/monitor for tunneling patterns if the endpoint is not intended to be public.
dns-query?dns=6g8BAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ
DNS over HTTPS
Risk: A base64url-encoded DoH query for google.com used to confirm the endpoint is a functioning resolver, which an attacker could then abuse for amplification or DNS tunneling if left open.
Fix: Limit the resolver to authenticated or allowlisted clients, disable open recursion, apply rate limiting, and monitor for high-volume or anomalous DoH query patterns.
dns-query?dns=FlMBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ
DNS over HTTPS
Risk: Another encoded DoH probe for google.com confirming a live resolver, exposing it to abuse as an open resolver for amplification attacks or covert tunneling channels.
Fix: Enforce client allowlisting or authentication on the DoH endpoint, disable open recursion, rate-limit requests, and alert on suspicious query volumes.
dns-query?dns=L94BAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ
DNS over HTTPS
Risk: An encoded DoH query for google.com used to fingerprint a working resolver that, if openly recursive, can be leveraged for DNS amplification or as an exfiltration channel.
Fix: Restrict access to trusted clients, turn off open recursion, apply per-source rate limits, and monitor logs for tunneling-style query patterns.
dns-query?dns=MAYBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ
DNS over HTTPS
Risk: A base64url DoH probe resolving google.com to verify the endpoint is live, after which an open resolver could be abused for amplification DDoS or DNS-based C2.
Fix: Lock the resolver to authorized clients, disable open recursion, enforce rate limiting, and log anomalous query behavior for detection.
dns-query?dns=wWIBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ
DNS over HTTPS
Risk: An encoded DoH query for google.com confirming resolver availability, which if openly recursive enables amplification attacks and covert data exfiltration over DNS.
Fix: Allowlist or authenticate DoH clients, disable open recursion, rate-limit queries, and monitor for tunneling and abuse patterns.
docs
API Documentation
Risk: Auto-generated API documentation at this path can expose internal endpoints, parameters, and example payloads that accelerate reconnaissance and authorization testing.
Fix: Restrict generated documentation to authenticated internal users in production and ensure the underlying endpoints enforce their own access controls.
FD873AC4-CF86-4FED-84EC-4BD59C6F17A7
Microsoft Teams
Risk: A static GUID associated with Microsoft Teams/Office probing; scanners use it to fingerprint specific Microsoft services or detect a particular response signature rather than to access data directly.
Fix: Return a standard 404 for unrecognized GUID paths with no stack trace or version leakage; ensure no internal service inadvertently responds to this identifier.
health
Health Check Endpoint
Risk: A verbose health-check endpoint can disclose dependency status, database connectivity, internal hostnames, and component versions that reveal the architecture and which subsystems to target.
Fix: Return only a minimal liveness status (up/down) to unauthenticated callers and gate detailed dependency health behind authentication or an internal-only network path.
inbox?mode=message&user=1596416
Atlassian Jira
Risk: Probing Jira message/inbox endpoints with enumerable user IDs supports user enumeration and targeting of known Jira flaws (such as CVE-2019-11581 template injection or CVE-2019-8451 SSRF), aiding account discovery and pre-auth attacks.
Fix: Upgrade Jira to a supported patched version, disable public sign-up and anonymous access, and front the instance with authentication and WAF rules that block unauthenticated enumeration of user-keyed endpoints.
info.php
PHP info page
Risk: A phpinfo() output page discloses the PHP version, loaded modules, full filesystem paths, environment variables, and configuration, giving attackers precise targeting data and sometimes leaked secrets or credentials.
Fix: Delete diagnostic phpinfo scripts from production webroots, disable the phpinfo function via disable_functions, and ensure such files return a clean 404 without revealing the stack.
live
Liveness Probe Endpoint
Risk: A liveness probe endpoint left public confirms the application is running and may leak framework defaults, aiding fingerprinting and availability-targeting reconnaissance.
Fix: Restrict liveness endpoints to the orchestrator's internal network, return a bare status with no version or component detail, and exclude them from public routing.
login
Django
Risk: A reachable Django login form lets attackers fingerprint the framework, attempt credential brute force or default admin logins, and probe for known Django auth/CSRF weaknesses to gain authenticated access.
Fix: Rate-limit and monitor login attempts, enforce strong passwords plus MFA on admin accounts, keep Django patched, and restrict admin login pages to trusted networks where possible.
management/env
Spring Boot Actuator
Risk: The Spring Boot Actuator env endpoint discloses environment properties including database credentials, API keys, and internal configuration, and combined with other actuators can enable remote code execution.
Fix: Secure actuator endpoints with authentication, expose only health/info via management.endpoints.web.exposure.include, run actuators on a separate internal port, and mask sensitive property values.
nextcloud/data/nextcloud.log
Nextcloud
Risk: If the data directory is web-served, this log file leaks usernames, internal file paths, IP addresses, and error traces, and an exposed data root may also allow direct download of users' stored files.
Fix: Keep the Nextcloud data directory outside the web root, enforce the bundled .htaccess/nginx deny rules that block access to data/, and run the built-in security check to confirm the path is unreachable.
owncloud/data/owncloud.log
ownCloud
Risk: A web-accessible ownCloud log leaks usernames, file paths, IP addresses, and stack traces, and an exposed data directory can allow direct retrieval of users' stored files and configuration.
Fix: Place the ownCloud data directory outside the web root, keep the shipped .htaccess/nginx rules that deny access to data/, and verify via the admin security check that the path returns no content.
pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Google AdSense
Risk: This is the legitimate Google AdSense library hostname; scanners reference it to fingerprint ad integrations or test for content-security-policy gaps and malicious script injection vectors. A permissive CSP around such third-party scripts can let an attacker load arbitrary code under the ad domain allowance.
Fix: Load the AdSense script only over HTTPS from the official Google domain, scope your Content-Security-Policy to the exact required third-party origins, and use Subresource Integrity or trusted-types where feasible to limit script tampering.
phpinfo
PHP info page
Risk: A phpinfo() endpoint discloses the PHP version, extensions, absolute paths, server environment variables, and configuration, often exposing secrets and giving attackers a precise map for further exploitation.
Fix: Remove phpinfo scripts from production, disable the phpinfo function through disable_functions, and ensure requests for such diagnostic names return a clean 404 with no version or path leakage.
phpinfo.php
PHP info page
Risk: A phpinfo() page discloses the PHP version, loaded modules, full server paths, environment variables, and configuration, giving an attacker precise fingerprinting to select matching exploits.
Fix: Delete all phpinfo() scripts from production and disable the phpinfo function via disable_functions in php.ini.
phpinfo.php
PHP Information Page
Risk: A phpinfo() page discloses the PHP version, loaded modules, full server paths, environment variables, and configuration, giving an attacker precise fingerprinting to select matching exploits.
Fix: Delete all phpinfo() scripts from production and disable the phpinfo function via disable_functions in php.ini.
Public/home/js/check.js
GitLab
Risk: Probing this path is used to fingerprint a GitLab instance and confirm its version, enabling an attacker to match it against known GitLab CVEs, such as authentication-bypass or remote-code-execution flaws. A confirmed version narrows exploit selection significantly.
Fix: Keep GitLab patched to the latest supported release, hide version banners where possible, and place the instance behind authentication or IP restrictions so unauthenticated fingerprinting yields no usable detail.
ready
Readiness Probe Endpoint
Risk: A readiness probe endpoint can reveal whether backend dependencies like databases or caches are connected, giving attackers insight into infrastructure topology and timing for outage-based attacks.
Fix: Expose readiness probes only on the internal orchestration network (e.g., Kubernetes), keep responses minimal, and ensure they are unreachable from public ingress.
robots.txt
Web Robots Exclusion File
Risk: A legitimate file, but scanners read it to harvest Disallow entries that often point directly at admin panels, backups, or staging paths the owner wanted hidden from crawlers.
Fix: Avoid listing sensitive directories in robots.txt (use authentication and noindex headers instead), and serve it cleanly without leaking server version or stack traces on adjacent paths.
s/937313e2631313e22353e22353/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
Atlassian Jira
Risk: Abuses the Jira path-traversal/cache-poisoning flaw (CVE-2021-26086 family) to read internal files such as the build pom.properties, disclosing the exact Jira version and enabling targeting of version-specific RCE or auth-bypass exploits.
Fix: Upgrade Jira to a patched version and place it behind a reverse proxy that normalizes and rejects encoded traversal sequences in request paths.
server-status
Apache server status page
Risk: The Apache mod_status page reveals live request URLs, client IP addresses, server uptime, worker activity, and the Apache/OS version, exposing internal endpoints and session tokens passed in query strings to anyone who can reach it.
Fix: Restrict the mod_status handler to localhost or an internal management network with Require ip directives, or disable mod_status entirely if not needed.
server.js
Common Node.js server entry-point file
Risk: Exposure of this entry point reveals the Node.js server's listening configuration, route wiring, dependencies, and any inline secrets, providing a blueprint for targeted attacks.
Fix: Serve only built/static assets publicly, keep server source out of the web root, and load configuration and credentials from environment variables rather than inline.
server/phpinfo.php
PHP
Risk: A phpinfo() page discloses the full PHP version, loaded modules, absolute filesystem paths, environment variables (which may include secrets), and server configuration, giving an attacker a precise map for targeting known PHP vulnerabilities.
Fix: Delete all phpinfo() test scripts from production, and disable the phpinfo function via disable_functions in php.ini to prevent accidental information disclosure.
sitemap.xml
XML Sitemap
Risk: A benign discovery file that bots parse to enumerate every published URL at once, accelerating reconnaissance of the application's surface area.
Fix: Limit the sitemap to public, intended URLs and protect non-public endpoints with authentication; ensure the server returns a clean response without exposing framework details.
status
Service Status Endpoint
Risk: A service status endpoint may expose build versions, uptime, queue depths, and dependency details that help attackers fingerprint software versions and identify exploitable components.
Fix: Limit public status output to a generic OK response, and restrict detailed status data to authenticated operators or an internal monitoring network.
test.php
PHP Test File
Risk: Leftover test scripts often contain debug output, hardcoded credentials, or unguarded functionality (file reads, eval, uploads) that an attacker can abuse for information disclosure or code execution.
Fix: Remove all test and scratch scripts from production deployments and enforce a build/deploy process that excludes non-application files.
webui
Generic web-UI admin path probed across appliances and applications
Risk: A live admin web UI here invites credential brute-forcing and exploitation of the underlying appliance or application, potentially yielding administrative control.
Fix: Restrict admin interfaces to trusted networks or VPN, enforce strong authentication and rate limiting, and return 404 for the path on hosts that have no such UI.