Using Wget to download files in “members only” that require password [closed]

I am almost finished with our new web site and a customer of ours told me today about Wget. He went on to say if someone used Wget they can log in and download the files that we have in a "members only" area which requires a password too. Is this true? If so, what do we need to do or be on the look out for to stop anyone from doing this?



Cheers







closed as too broad by G-Man, Romeo Ninov, Kiwy, njsg, Archemar May 3 at 13:10


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.














  • If someone can log in, they can download files, right? Being able to log in seems to imply having passwords. So I'm not sure what the question is about. Basically, everything you can download with wget can be downloaded with a browser. The only significant difference is that with wget it's easy to bulk download thousands of files. The countermeasure here is throttling.
    – Frax
    May 3 at 0:34










  • If you can access files using a URL without being logged in, it's maybe because of .htaccess or because your application is badly coded. But we can't help you without the web server configuration and the complete technical explanation, which I do not advise you to put here as it could lead to a sensitive data leak for your company.
    – Kiwy
    May 3 at 7:41














asked May 2 at 23:47









Harvey Specter

1 Answer
So, this sounds like a question about trying to stop people from duplicating your site.



Yes, wget can download all front-facing parts of a website with authentication.



However, it is possible in the same way that you can view the files. Your server doesn't care whether it's coming from wget or from a browser; it serves the HTML to be viewed by the client. There is no security issue here, as no backend (PHP, etc.) code is touched - that is parsed and controlled by the server itself, and never allowed out.



Rambling on, here's an analogy. Your email account is "members" only, right? But you can save the HTML from it (ctrl+s/cmd+s), whereupon you'll get a saved version of the page, but with none of the functionality. So someone can't hack into your email account from a saved HTML file, in the same way someone can't hack from a screenshot (unless there's a password visible in the screenshot, etc.).






answered May 3 at 3:56
Eamonn Nugent
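
As an added illustration (not code from the original post or its author) of the throttling countermeasure mentioned in the comments and of the answer's point that the server cannot tell wget from a browser: a per-account token bucket that checks the login first and ignores the User-Agent. The class name, the limits and the sample requests are assumptions constructed for this sketch.

```python
from collections import defaultdict

# Assumed policy values for this sketch (not from the original post).
BURST = 5             # downloads a member may make back-to-back
REFILL_PER_SEC = 0.5  # sustained rate: one download every 2 seconds

class MemberDownloadThrottle:
    """Token bucket per authenticated account for a members-only area."""

    def __init__(self, burst=BURST, refill=REFILL_PER_SEC):
        self.burst, self.refill = burst, refill
        # account -> (tokens left, time of last request)
        self.buckets = defaultdict(lambda: (float(burst), None))

    def check(self, account, user_agent, now):
        """Return the HTTP status the server should answer with."""
        # Authorization is decided server-side on every request.
        if account is None:
            return 401
        # user_agent is deliberately ignored: the client chooses it, so
        # it cannot separate wget from a browser.
        tokens, last = self.buckets[account]
        if last is not None:
            tokens = min(self.burst, tokens + (now - last) * self.refill)
        if tokens < 1:
            self.buckets[account] = (tokens, now)
            return 429  # Too Many Requests: slow down, not locked out
        self.buckets[account] = (tokens - 1, now)
        return 200

def replay(requests):
    """Run (account, user_agent, timestamp) tuples through one throttle."""
    throttle = MemberDownloadThrottle()
    return [throttle.check(acct, ua, t) for acct, ua, t in requests]

# Constructed sample traffic: (account, User-Agent, time in seconds).
SAMPLE = (
    [(None, "Wget/1.19", 0.0)]                                   # not logged in
    + [("alice", "Wget/1.19", 1.0 + i * 0.1) for i in range(8)]  # bulk fetch
    + [("bob", "Mozilla/5.0", 1.0 + i * 3.0) for i in range(4)]  # normal pace
    + [("alice", "Mozilla/5.0", 1.8)]   # changing the User-Agent changes nothing
    + [("alice", "Wget/1.19", 10.0)]    # bucket has refilled after a pause
)

if __name__ == "__main__":
    for req, status in zip(SAMPLE, replay(SAMPLE)):
        print(req, "->", status)
```

The limit is keyed on the logged-in account, so a member with valid credentials still gets every file they are entitled to, only at a bounded rate.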
