Validates sensitive URLs return proper HTTP status codes (401/403/404)
A comprehensive URL protection validation checker that analyzes whether sensitive URLs are properly secured and return appropriate HTTP status codes for unauthorized access. Supports platform-specific validation for Liferay and generic protection checking for common sensitive URL patterns like /admin, /api, /dashboard, etc.
This checker validates that sensitive URLs are properly protected and return appropriate HTTP status codes when accessed without authentication or authorization.
Tests common sensitive URL patterns: /admin, /api, /dashboard, /control_panel, /manage, /config, /settings, /setup, /install, /backup, /logs, /debug, /internal, /private, /secure, /system, etc.
Validates that these URLs return HTTP status codes 401 (Unauthorized), 403 (Forbidden), or 404 (Not Found) for unauthenticated requests
Liferay Integration: Automatically detects Liferay in the software stack and tests Liferay-specific sensitive URLs:
- /group/guest/~/control_panel/manage (Control Panel)
- /o/api (API endpoints)
- /api/jsonws (JSON Web API)
- /c/portal/json_service (Portal JSON Service)
Extensible Architecture: Ready for future WordPress, Drupal, and other platform-specific implementations
Ensures public URLs return 200 with appropriate content
Validates consistent protection behavior across similar URL patterns
Checks for information disclosure in error responses
| Status | Description | Test Logic |
|---|---|---|
| SUCCESS | All sensitive URLs are properly protected | - Protected URLs return 401, 403, or 404 for unauthenticated requests - Public URLs return 200 with appropriate content - Consistent protection behavior across similar URL patterns - No information disclosure in error responses |
| WARNING | Some URLs have protection issues or inconsistencies | - Mixed protection: some URLs protected while others with similar patterns are not - Inconsistent status codes for similar URL patterns - Partial protection: some sensitive URLs protected while others are exposed - Redirects (302) instead of proper authentication errors |
| FAIL | Critical URLs are exposed or improperly protected | - Sensitive URLs return 200 with content when they should be protected - Information disclosure: protected URLs return detailed error messages revealing system information - No protection: critical admin or API endpoints are publicly accessible - All sensitive URLs return the same unprotected status |
totalUrlsTested: Number of sensitive URL patterns tested
protectedUrls: List of properly protected URLs with their status codes
unprotectedUrls: List of exposed URLs that should be protected
inconsistentUrls: List of URLs with inconsistent protection behavior
errorUrls: List of URLs that returned errors during testing
platform: Detected platform (Liferay, Generic, etc.)
protectionScore: Percentage of properly protected URLs
Exposed Admin Panels: Unprotected administrative interfaces allow unauthorized access to sensitive functionality
API Endpoint Exposure: Unsecured API endpoints can be exploited for data extraction or system manipulation
Information Disclosure: Detailed error messages may reveal system architecture, versions, or internal paths
Unauthorized System Access: Unprotected system URLs can lead to configuration changes, backup access, or system manipulation
Data Breaches: Exposed admin panels can lead to unauthorized data access or modification
System Compromise: Unprotected URLs can be entry points for attackers to gain system control
Compliance Violations: Inadequate URL protection may violate security standards and regulations
Reputation Damage: Security incidents resulting from exposed URLs can damage organizational reputation
Brute Force Attacks: Attackers can systematically test common URL patterns
Directory Traversal: Unprotected URLs may allow access to sensitive directories and files
Privilege Escalation: Exposed admin interfaces can be used to escalate privileges
Information Gathering: Detailed error responses help attackers understand system architecture
Add this checker to your monitoring setup and start identifying issues on your websites today.