## Approaches to Address Issue 1 - Non-standard URLs

First, if the web server is misconfigured and allows directory browsing, it may be possible to spot these applications.
Vulnerability scanners may help in this respect.

Second, these applications may be referenced by other web pages, and there is a chance that they have been spidered
and indexed by web search engines. If testers suspect the existence of such hidden applications on www.example.com,
they could search using the `site` operator and examine the results of a query for `site:www.example.com`. Among the
returned URLs there could be one pointing to such a non-obvious application.

Another option is to probe for URLs which might be likely candidates for non-published applications. For example, a
web mail front end might be accessible from URLs such as `https://www.example.com/webmail`,
`https://webmail.example.com/`, or `https://mail.example.com/`. The same holds for administrative interfaces, which
may be published at hidden URLs (for example, a Tomcat administrative interface), and yet not referenced anywhere.
So doing a bit of dictionary-style searching (or “intelligent guessing”) could yield some results. Vulnerability scanners
may help in this respect.

## Approaches to Address Issue 2 - Non-standard Ports

It is easy to check for the existence of web applications on non-standard ports. A port scanner such as `nmap` is capable
of performing service recognition by means of the `-sV` option, and will identify http[s] services on arbitrary ports. What
is required is a full scan of the whole 64k TCP port address space.

For example, the following command will look up, with a TCP connect scan, all open ports on IP `161.117.236.154` and
will try to determine what services are bound to them (only essential switches are shown – nmap features a broad set of
options, whose discussion is out of scope):

```shell
nmap -Pn -sT -sV -p0-65535 161.117.236.154
```

```plaintext
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 17:18 CST
Nmap scan report for 161.117.236.154
Host is up (0.062s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 163.56 seconds
```
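To turn a full-range scan like the one above into a list of web listeners to review, the port table can be filtered for HTTP(S) services and each one marked as standard or non-standard. The following is an added example, not part of the original page: `web_ports` and `sample_scan` are hypothetical helper names, the sample scan is constructed (192.0.2.10 is a documentation address), and matching on the service name is a heuristic.

```shell
#!/bin/sh
# Added example: filter nmap "normal" output (read from stdin) for HTTP(S) listeners.
# Prints one line per open web port: "<port> <scheme> <standard|non-standard>".
web_ports() {
  awk '
    # Port table rows look like: 8443/tcp open ssl/http Apache Tomcat
    $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
      split($1, p, "/"); port = p[1] + 0; svc = $3
      if (svc !~ /http/) next            # heuristic: keep http, https, http-proxy, ssl/http, ...
      # With -sV, TLS-wrapped services are reported as "ssl/<service>"
      scheme = (svc ~ /^https/ || svc ~ /^ssl\//) ? "https" : "http"
      if ((scheme == "http" && port == 80) || (scheme == "https" && port == 443))
        kind = "standard"
      else
        kind = "non-standard"
      print port, scheme, kind
    }'
}

# Constructed sample output (not real scan data), in the format nmap prints with -sV.
sample_scan() {
  cat <<'EOF'
Nmap scan report for 192.0.2.10
Host is up (0.062s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 8.9
80/tcp   open   http       nginx
443/tcp  open   ssl/http   nginx
8080/tcp open   http-proxy
8443/tcp open   ssl/http   Apache Tomcat
9000/tcp closed http
EOF
}

sample_scan | web_ports
```

On an authorized scan, pipe the nmap output into the function instead of the sample: `nmap -Pn -sT -sV -p0-65535 <target> | web_ports`.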