BIPI

Wayback Machine Recon: Endpoints, Parameters, Forgotten Tech


The Wayback Machine remembers what the app forgot. Mine archived URLs for endpoints, parameters, and abandoned tech that still answers in production.

By Arjun Raghavan, Security & Systems Lead, BIPI · January 24, 2023 · 8 min read

#bug-bounty #wayback #gau #waybackurls #recon

Old URLs, new bugs

Engineers ship features, then quietly retire them. The route stays in the codebase, the archive remembers it, and sometimes the production server still answers. That gap is where Wayback recon pays.

Collect everything

  • waybackurls target.com for archived URLs
  • gau target.com for a broader pull including Common Crawl and OTX
  • Filter by extension to find .php, .asp, .jsp paths on modern apps
  • Filter by parameter name to spot legacy params still in use

Merge and dedupe. The raw output will be huge. The point is not to read all of it. The point is to query it with grep when you have a hypothesis.

Probe what is still alive

  1. Pipe the URL list through httpx with -mc 200,301,302
  2. Save responses that look out of place against the current stack
  3. Look for old admin paths, debug endpoints, file upload handlers
  4. Note any URL with sensitive-looking params still returning data

What to look for

  • Legacy upload handlers that survive past their UI
  • Old API versions that lack the auth checks the new version added
  • Debug routes left behind by a removed feature flag
  • Marketing redirect endpoints with open redirect potential
  • Old static files that reveal internal hostnames or build paths

Build a parameter dictionary

Wayback URLs are a perfect parameter source. Extract every key from every query string, sort by frequency, and feed the result into Arjun for active mining. Target-tuned parameter lists beat generic ones every time.
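The extraction step above, as an added example that is not part of the original post: it takes an already collected URL list, drops out-of-scope hosts, dedupes, and ranks query-string keys by how many distinct paths carry them. The function names, the scope argument and the sample URLs are assumptions made for the example.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample standing in for merged waybackurls/gau output.
SAMPLE_URLS = """\
http://target.com/index.php?id=1&lang=en
https://target.com/index.php?id=2&lang=fr
https://www.target.com/index.php?lang=en&id=1
https://target.com/search?q=test&page=2
https://target.com/search?q=other&page=3&debug=true
https://target.com/redirect?url=https%3A%2F%2Fexample.org%2F
https://target.com/upload.asp?file=a.txt&id=9
https://target.com/static/app.js
https://target.com/broken?=novalue&&id
https://cdn.thirdparty.example/lib.js?v=3
not a url
""".splitlines()

LEGACY_EXT = (".php", ".asp", ".jsp")

def shape(url, scope):
    """Return (path, param keys) for an in-scope URL, else None."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return None
    if host != scope and not host.endswith("." + scope):
        return None  # archived, but not a host covered by the program policy
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    keys = {k.lower() for k, _ in pairs if k}  # drop empty keys
    return parts.path or "/", frozenset(keys)

def shapes(lines, scope):
    # Dedupe: URLs differing only in scheme, subdomain or values collapse.
    return {s for s in (shape(u, scope) for u in lines) if s}

def param_dictionary(lines, scope):
    """Rank parameter names by the number of distinct paths that carry them."""
    pairs = {(path, k) for path, keys in shapes(lines, scope) for k in keys}
    counts = Counter(k for _, k in pairs)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def legacy_paths(lines, scope):
    """Paths with the extensions the post filters on (.php, .asp, .jsp)."""
    return sorted({p for p, _ in shapes(lines, scope) if p.lower().endswith(LEGACY_EXT)})

if __name__ == "__main__":
    for name, n in param_dictionary(SAMPLE_URLS, "target.com"):
        print(f"{n:3d}  {name}")
    print(legacy_paths(SAMPLE_URLS, "target.com"))
```

Counting distinct paths rather than raw lines keeps one heavily archived page from dominating the ranking.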

Quick stats

  • 10 to 50x: more URLs than current crawl
  • Years: of forgotten features
  • Free: no rate limits worth worrying about

Common pitfalls

  • Treating every archived URL as in scope; always confirm against policy
  • Hammering live endpoints because the archive listed them
  • Skipping non-text responses; sometimes old binaries leak
  • Forgetting to retest after a redesign; archives quickly outgrow them

The fastest way to find a bug a hundred other hunters missed is to ask the app what it used to be.

Make it routine

Run Wayback recon at the start of every new program and once per quarter on long-term targets. The archive grows. New old URLs appear. Hunters who treat it as a living dataset keep finding bugs years into a program's life.
