
Discovery

Find a website's hidden pages

A company's homepage shows you what it wants you to see. But most companies have a whole other set of pages that aren't linked from the menu anywhere. A customer login. A status page. An old microsite they forgot about. That's often where the interesting stuff lives. The technical name for hunting these down is subdomain enumeration, and it's easier than it sounds.

Here's the surprising part: companies publish a list of these pages themselves, usually without realizing it. You just have to know where the list is.

The free public record

Every time a website gets the little padlock in your browser (a security certificate), that certificate is written into a public log (the Certificate Transparency log). The web address is right there in the log entry. So every company has, in effect, published a list of its own pages, one entry at a time, each time it secured one. A free site, crt.sh, lets you search this log. One look, dozens of pages, no cost.

# the public log of a site's pages
search crt.sh for: thecompany.com
# every page that ever got the padlock shows up

Then fill in the gaps

The log misses a few. You can catch the rest by checking the obvious guesses. Most companies use the same predictable names for their hidden pages (login, app, help, careers, and so on). You run down a list of common ones and keep the ones that actually exist. There are free tools that do this whole step for you.

Keep only the live ones

A page being listed doesn't mean it's still up. The last step is a quick knock on each door to see which ones answer. What's left is a real map of the company's web presence, including the parts that aren't in any menu.

hidden_pages.csv · 7 of 43

Page found                Found via   What it looks like
app.thecompany.com        log         the actual product login
staging.thecompany.com    guess       a test copy of the site
help.thecompany.com       log         support docs
status.thecompany.com     log         uptime page
careers.thecompany.com    log         open roles (org clues)
old.thecompany.com        guess       an abandoned old site
portal.thecompany.com     log         customer login

log + guesses merged · names made up · all checked live
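The three steps above, written out as an added example in Python (not code from this page or its author): read names out of a constructed sample of crt.sh's JSON output, add the common-name guesses, then keep only the names that answer, spacing out the lookups and dropping guesses when a random label also answers (the catch-all case in the notes further down). The sample log rows, the FAKE_DNS table and fake_resolve are constructed stand-ins so it runs offline; on a real run you would fetch the JSON from crt.sh and pass a DNS resolver instead.

```python
import json
import secrets
import time

# Constructed stand-in for crt.sh's JSON (https://crt.sh/?q=%25.thecompany.com&output=json); real rows carry more fields.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "app.thecompany.com\nwww.thecompany.com"},  # one cert, two names
    {"name_value": "*.thecompany.com"},                        # wildcard cert, not a page
    {"name_value": "Status.THECOMPANY.com"},                   # case varies between certs
    {"name_value": "help.thecompany.com"},
    {"name_value": "help.thecompany.com"},                     # renewals repeat names
])
COMMON_NAMES = ["login", "app", "help", "careers", "staging", "old", "portal"]

# Constructed DNS answers so the example runs offline; for real use pass a resolver
# built on socket.gethostbyname that returns None on socket.gaierror.
FAKE_DNS = {"app.thecompany.com": "203.0.113.10", "www.thecompany.com": "203.0.113.10",
            "help.thecompany.com": "203.0.113.11", "status.thecompany.com": "203.0.113.12",
            "staging.thecompany.com": "203.0.113.20", "old.thecompany.com": "203.0.113.21"}
fake_resolve = FAKE_DNS.get  # unknown name -> None, like a failed lookup

def names_from_log(crtsh_json, domain):
    """Step 1: names from the cert log. A row packs several names split by newlines; drop wildcards, fold case."""
    out = set()
    for row in json.loads(crtsh_json):
        for name in row["name_value"].lower().split("\n"):
            name = name.strip()
            if name.endswith("." + domain) and not name.startswith("*."):
                out.add(name)
    return out

def map_pages(domain, crtsh_json, words, resolve, delay=0.0):
    """Steps 2 and 3: add common-name guesses, then keep only names that answer. A random
    label is resolved first; if it answers, the zone is a catch-all, so guesses are discarded."""
    via = {n: "log" for n in names_from_log(crtsh_json, domain)}
    for w in words:
        via.setdefault(f"{w}.{domain}", "guess")  # log entries win when a name is in both
    canary = secrets.token_hex(6) + "." + domain
    catch_all = resolve(canary) is not None
    live = {}
    for name in sorted(via):
        if catch_all and via[name] == "guess":
            continue
        time.sleep(delay)  # go gentle: space out the knocks
        ip = resolve(name)
        if ip is not None:
            live[name] = {"via": via[name], "ip": ip}
    return live
```

Calling map_pages("thecompany.com", SAMPLE_CRTSH_JSON, COMMON_NAMES, fake_resolve) returns the six names that answer, each tagged log or guess, which is the same shape as the table above.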

A word on staying clean

Done right, this is just reading public records and knocking politely to see what's open. It's the same first step a security researcher takes, pointed at finding information instead of weaknesses. Don't go poking at anything that's clearly meant to be private, and you're on solid ground.

How it works under the hood

What it uses

The log: crt.sh, free public record
The guesses: common page-name lists
The knock: a quick check of each one
Keep: only the pages that answer

Worth knowing

Listed isn't live: always check which ones still respond.
Go gentle: space out the requests. Don't hammer.
Some catch-alls: a few sites answer to everything. Spot those.
Stay public: read what's open. Leave private alone.

Need a company's full map?

Give me a website. I'll map all of it.

You'll get every live page, including the ones not in the menu, and what each one is.

Free to do yourself. All the plays are right here.
