Use of obscure URL for security

All we need is an easy explanation of the problem, so here it is.

My hosting provider is offering an infrastructure-as-a-service (IaaS) product administered via a web interface, where the administrator can create and destroy virtual machines.

To access the web-based administration portal, I need to log in to the hosting provider’s “service desk” (username & password over HTTPS), and then click on a generated link to access the IaaS administration portal (also HTTPS).

The link itself is most likely unguessable (it includes what looks like an md5 hash and 2 GUIDs), but anyone with access to that URL will have unrestricted access to the IaaS portal for several hours (the link seems to expire after that time).

I have tested that access via the link is not restricted to my specific IP address.

In short, anyone with the link could delete all of the VMs and my client’s data, provided they get access to it within a couple of hours of it being generated.

Is this inadequate security for something like an IaaS portal (my gut feeling says no)? What specific concerns can I raise with the hosting provider?

I know that this question is similar to Is including a secret GUID in an URL Security Through Obscurity?, but that question relates to low-level HTTP clients, not browsers, which introduce additional concerns, like URL leaking, browser history, caching, etc.

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

The problem with secret URLs is that they can be leaked in a variety of ways.

Images, Javascript, Stylesheets, and fonts can leak the URL of the webpage you are visiting. For example, if your secret page includes something like <img src="" /> then when your browser grabs the image it may include the URL to the secret page in the Referer header. There are some use cases (https to http traffic, or browser overrides) that will prevent the browser from sending the header, but generally, this is a common way for your secret URL to be leaked.

While you can watch your own network traffic (use the “network profile” feature in Chrome or Firefox) when loading the page to see whether the URL is leaked, the main concern is that any change in the page could introduce a leak.

Two high profile cases of leaked secret URLs include Google Docs and Dropbox.

Is this inadequate security for something like an IaaS portal?

As I mentioned above, you could use the network profile feature of your browser to test whether the page is leaking the URL. However, the biggest concern is the fragility of this system. Unlike something like a password, the user has no control over the web page implementation, and accidentally including an external resource in a style sheet is far too easy. This isn’t to say the system is insecure, just that it is a bit fragile.

If I were using the IaaS portal, I would ask that they include an additional access control mechanism beyond a URL that is easily leaked.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply