3

I am running a server with Django and Nginx. I tried to hide the admin panel by assigning it a 50-digit random string as URL (something like https://mydomain/asidfhifuerbdsi...). Now someone found this URL and I am wondering if this was possible without hacking my page.

More information:

  • There is a sitemap, but the URL is not on the sitemap
  • There is no robots.txt
  • Directory listing was enabled for a subdirectory /static but the URL in question was not part of this subdirectory
  • I am using PostHog to keep track of the traffic
  • I am using the Google Search Console but the URL in question is not shown there

In my understanding, one would have to "guess" the correct URL in order to find it which should be pretty much impossible given the length of the random string. All other options would include one of my accounts (github, posthog) or the server being compromised. Is this true?

Edit: Addressing the comments:

  • debug mode is turned off
  • https is being enforced
  • I know someone accessed it because I can see some other IP accessing it in the nginx log
  • I can't see any evidence of brute-forcing. The correct URL was accessed directly without any trial and error

So I agree that there won't be a definite answer because I lack some required information. But to summarize for future readers, these are possible reasons for someone finding the URL:

  • Access to the server
  • Access to my code repository
  • Malicious browser extension
  • Access to my machine through malware
  • Antivirus / Web extension crawling my browsing history
  • Through a Referer HTTP header
Nik
    You might want to protect this directory using HTTP Basic Authentication as a second layer of defense. See https://en.wikipedia.org/wiki/Basic_access_authentication – mti2935 Sep 23 '21 at 15:10
  • That's a good suggestion in any case, thanks! But I'm more worried about the implications of the fact that somebody found the URL. How could they have found it without gaining access to my code repository or root access to the server? – Nik Sep 23 '21 at 15:13
  • 1
    Tools like DirBuster are surprisingly good at brute forcing paths. Is there evidence in your web logs of automated requests for a lot of random directories or is it just a one-shot to the url? – not_very_nice Sep 23 '21 at 16:06
  • 1
    Also, does anyone else other than you have access to the web server (even without root access)? Web server logs are generally readable by all users. – mti2935 Sep 23 '21 at 16:17
  • 1
    @Nik: "For sure no physical access." - malware does not need physical access. It just needs to run on your system. "Malicious browser addons?" - yes, that's still a thing. "Can this be done from JS?" - Not with JS on a different site. In the end it is unknown though what actually is the reason. Your system might be infected, even if you are not aware of it. You might have stored the link somewhere where software can access it ... No real facts can be provided, only speculations and opinions - which makes it off-topic. – Steffen Ullrich Sep 23 '21 at 16:37
  • I'm far from a Django expert, but when I last developed a Django based site I inherited, I found Django generates a lot of code you may not notice or may have been commented out. Check all of the site source! – user10216038 Sep 23 '21 at 23:18
  • 1
    I voted to close the question, because with the limited information provided we can only guess. Answering the questions raised in the comments and editing that information into the question might help to provide enough clues to make the question answerable. – Philipp Sep 24 '21 at 08:07
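The nginx log is the one piece of evidence the question has. The script below is an added example (not from the question or any answer) that reads nginx "combined" format lines and, for every client that requested the secret path, reports how many 404s that client produced beforehand (the trail a directory brute-forcer leaves), plus the Referer and User-Agent of the hit. The log lines and the secret path `/asidfhifuerbdsi` are constructed for the demo.

```python
import re
from collections import defaultdict

# nginx "combined" access_log format (the default): ip - user [time] "req" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def analyse(lines, secret_path):
    """For each client IP that hit secret_path, describe how it got there."""
    prior_404 = defaultdict(int)   # 404s seen from each IP before its first hit
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not in combined format
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if path.startswith(secret_path):
            if ip not in report:    # record the first hit only
                report[ip] = {
                    "prior_404s": prior_404[ip],  # > 0 suggests path guessing
                    "referer": m["referer"],      # which page linked here, if any
                    "agent": m["agent"],          # browser, crawler, scanner?
                }
        elif status == 404:
            prior_404[ip] += 1
    return report

# Constructed sample log: a scanner, a direct one-shot hit, a referred hit, a normal visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Sep/2021:15:01:02 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "scanner/1.0 (constructed)"',
    '203.0.113.5 - - [23/Sep/2021:15:01:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "scanner/1.0 (constructed)"',
    '203.0.113.5 - - [23/Sep/2021:15:01:04 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "scanner/1.0 (constructed)"',
    '203.0.113.5 - - [23/Sep/2021:15:01:05 +0000] "GET /asidfhifuerbdsi/ HTTP/1.1" 200 2048 "-" "scanner/1.0 (constructed)"',
    '198.51.100.7 - - [23/Sep/2021:15:10:00 +0000] "GET /asidfhifuerbdsi/login/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (constructed)"',
    '192.0.2.9 - - [23/Sep/2021:15:20:00 +0000] "GET /asidfhifuerbdsi/ HTTP/1.1" 200 2048 "https://other.example/forum" "Mozilla/5.0 (constructed)"',
    '10.0.0.1 - - [23/Sep/2021:15:30:00 +0000] "GET /about/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed)"',
]

if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG, "/asidfhifuerbdsi").items():
        print(ip, info)
```

A client with zero prior 404s and an empty Referer is the "direct hit" case from the question; a non-empty Referer names the page that linked to the secret URL.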

3 Answers

2

I know someone accessed it because I can see some other IP accessing it in the nginx log

This is the most important thing, and you left out the single information that would help us: who accessed it.

There are lots of actors that could have accessed it from your own computer. For example, Chrome can submit the full URL to Google:

If you have turned on "Make searches and browsing better / Sends URLs of pages you visit to Google” and Safe Browsing is enabled, Chrome sends Google the full URL of each site you visit to determine whether that site is safe. source

Your antivirus can do the same. They usually install an extension on the browser to submit the URL to them, so they can download and scan the contents of the site.

Other browser extensions can do the same to do whatever the extension is designed to do.

So the key for this is to get the IP of the mysterious visitor and use online tools to get more information. Depending on the results, you can pinpoint exactly the kind of actor that is behind the IP and what product sent your admin URL to them.

Another possibility is that your site leaks the URL somehow. You can use a web spider (wget --mirror for example) to download all HTML/JS/CSS from your site, and use grep to look for leaks.

And as a sidenote, using only a secret URL to protect an admin page is unsafe. Use a proper password, or better: a client certificate.

ThoriumBR
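The "spider the site, then grep for the secret" check from this answer (and the JS/CSS comment leak described in the last answer) as an added example, not code from any answerer. It crawls same-host HTML, JS and CSS from a start URL and reports every resource whose text contains the secret path. The site content is a constructed in-memory dict; against a live site you would pass a fetch function that does an HTTP GET instead of `SITE.get`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LinkExtractor(HTMLParser):
    """Collect href/src attributes so the crawl follows pages, scripts and stylesheets."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)

def find_leaks(start_url, secret, fetch):
    """Crawl same-host resources via fetch(url) -> text or None; return {url: [leaking lines]}."""
    host = urlparse(start_url).netloc
    seen, queue, leaks = set(), [start_url], {}
    while queue:
        url = queue.pop(0)
        if url in seen or urlparse(url).netloc != host:
            continue                      # stay on our own host, visit each URL once
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue                      # binary or missing resource, nothing to scan
        hits = [ln.strip() for ln in body.splitlines() if secret in ln]
        if hits:
            leaks[url] = hits
        parser = LinkExtractor()
        parser.feed(body)                 # harmless on JS/CSS text: no tags, no links
        css_refs = re.findall(r'url\(["\']?([^)"\']+)', body)   # CSS url(...) references
        for link in parser.links + css_refs:
            queue.append(urljoin(url, link))
    return leaks

# Constructed stand-in for the live site: the secret path survives in a JS comment/constant.
SITE = {
    "https://mydomain.example/": '<html><a href="/about/">About</a>'
                                 '<script src="/static/app.js"></script>'
                                 '<link rel="stylesheet" href="/static/site.css"></html>',
    "https://mydomain.example/about/": "<p>Nothing secret here</p>",
    "https://mydomain.example/static/app.js":
        "// TODO remove before release: adminUrl = '/asidfhifuerbdsi/';\nconsole.log('hi');",
    "https://mydomain.example/static/site.css": "body { background: url(/static/bg.png) }",
}

if __name__ == "__main__":
    print(find_leaks("https://mydomain.example/", "/asidfhifuerbdsi", SITE.get))
```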
1

Maybe your admin panel redirected to some website and leaked the URL in the Referer header

1

Try scanning your website using OWASP ZAP, Nikto, or something similar; you may find out what leaked that URL.

I faced something similar and found out that the path was part of a JS file, and thus got leaked.

Also check HTML, CSS and JS comments; developers leave some important stuff there while coding.

termcap