Find path of file on website with randomized string in it


Users have the possibility to upload a sensitive personal file to a specific website. After uploading, only the user himself and the administrator of the website have the ability to download the file again.

All files of any user are uploaded to the following folder: https://example.com/folder/uploads/.

Before a file is uploaded, it gets renamed to <<username>>.docx.

So for Foo the path would be: https://example.com/folder/uploads/foo.docx and for Gux it’d be https://example.com/folder/uploads/gux.docx.

As you can see, this is not safe at all. Foo could simply examine the download link, and replace his own name in the file-path with the username of other users to download their files.

So to prevent this, the web-developer did the following: Before a file is uploaded, a random string of 15 characters gets prepended to the filename. This random string is different for each upload.

For Foo this would be for example https://example.com/folder/uploads/heh38dhehe83ud37_foo.docx and for Gux https://example.com/folder/uploads/abcnjoei488383b22_gux.docx.

When Foo examines the download-url, he will know in which folder all the files are stored. But there is no way that he could guess the random string that is prepended to Gux’ file. The random string actually functions as a 15-character long password.

In all directories an index.html-file is placed so the directory content does not get listed.

If Foo still wanted to download other users their files, how would he do that? I’m looking for a way Foo would do this by forming a specific URL or HTTP-request. Breaching the server or database is a correct answer but not the kind I’m looking for.

TL;DR: How to find the path of a file on a public website with a unique and randomized string in it? You know the path to the upload-folder, but there is a index.html-file there so you can’t see the content.