You ever get that sinking feeling when you realize you forgot something important? Like leaving the garage door wide open before heading out on vacation? That’s what cybersecurity often feels like—except instead of a neighbor texting you about your mistake, it’s an attacker quietly taking notes, waiting for the right moment to stroll in.

I’ve lost count of how many times I’ve been in a pre-sales call where a security team confidently says, “We have full visibility into our environment,” only for us to come back a few days later with a list of exposed assets they had no idea existed. And I get it—modern networks are sprawling, cloud resources spin up and down like a game of whack-a-mole, and mergers, acquisitions, and third-party integrations only add to the chaos. But that’s exactly why continuous visibility isn’t just nice to have—it’s mission-critical.

At Sprocket Security, we take a real-world, attacker-minded approach to uncovering these blind spots. Using a mix of OSINT (Open Source Intelligence), reconnaissance, scanning, and enumeration techniques, we piece together the full picture—domains, subdomains, IP addresses, services, DNS records, websites, and URLs, and whatever else might be hanging out there, exposed to the internet. And what we find? Let’s just say it ranges from “that’s an easy fix” to “wow, that’s bad.”

Below, we’re going to walk through some of the most common (and most surprising) findings, ranked from “mildly concerning” to “this could ruin your day.” Because in cybersecurity, small gaps tend to snowball into massive security risks—and I’d rather you find out from us than from someone with bad intentions.

Findings and Observations

Directory Listing Enabled (Low Severity)

Imagine walking past a storefront with an unlocked filing cabinet on the sidewalk. That’s essentially what directory listing does—it exposes files on a web server to anyone curious enough to look.

  • Risk: Attackers can browse unprotected directories and potentially access sensitive files or at minimum gain additional insight into the application infrastructure for more advanced attacks.
  • Tools Used: Tools like dirb, gobuster, or even a simple browser inspection can reveal directory listings.
  • Example: An unprotected webserver directory allowed access to backup files that provided detailed configuration information about the web application.

Publicly Available Sensitive Information (Low to Moderate Severity)

Organizations often unintentionally leave breadcrumbs of sensitive information scattered across the internet. These can be bits of source code, operational procedures, or even credentials hidden in public repositories.

  • Risk: Attackers use these details for reconnaissance, enabling more targeted attacks.
  • Tools Used: GitHub search, truffleHog, and manual inspections help locate exposed information.
  • Example: An API key found in a public repository allowed access to a client’s test environment.

Information Disclosure Through DNS Records (Moderate Severity)

DNS is like the phonebook of the internet, and sometimes, organizations unknowingly reveal too much through their DNS records.

  • Risk: Attackers can discover internal server names, email providers, and third-party vendors to craft phishing attacks or launch targeted exploits.
  • Tools Used: dig, DNSDumpster, nslookup, SecurityTrails, and Amass help enumerate DNS information.
  • Example: A DNS lookup exposed a naming convention that revealed customer names allowing attackers to target the customer’s instance of the application directly or through a phishing campaign, posing as the third-party SaaS provider.

Outdated or Unpatched Software (Moderate Severity)

Every day, security researchers uncover new vulnerabilities. However, if an organization fails to update its software, attackers can exploit known weaknesses with ease.

  • Risk: Version information is often very easy to obtain from service banners, error responses, and even job postings. Attackers can use publicly available exploits to compromise systems running outdated versions of software.
  • Tools Used: Nessus, OpenVAS, and Shodan scan for outdated software and known CVEs.
  • Example: A web server running an old version of Apache was susceptible to a remote code execution exploit.

Unsanitized HTTP Responses (Moderate to High Severity)

Web applications should be careful about the data they return to users, but some responses unintentionally leak excessive information.

  • Risk: Attackers can extract system details, backend software versions, and debugging information.
  • Tools Used: Web proxies like Burp Suite or OWASP ZAP can analyze HTTP responses.
  • Example: We often uncover password reset functions that disclose details about the validity of attempted usernames, making them susceptible to username guessing attacks.

Domain and Subdomain Takeovers (High Severity)

Imagine moving out of a house but forgetting to lock the door—this is what happens when organizations leave subdomains pointing to decommissioned services.

  • Risk: Attackers can claim abandoned subdomains and use them to host phishing sites or malicious content.
  • Tools Used: Sublist3r, Amass, and Aquatone help identify vulnerable subdomains.
  • Example: A forgotten apex domain was hijacked and used to distribute crypto mining malware.

Improperly Validated Form Fields and Arguments (High Severity)

Web forms should restrict user input, but many fail to do so properly, opening the door to injection attacks and data leaks.

  • Risk: Poor input validation enables attackers to manipulate requests and extract unauthorized data.
  • Tools Used: SQLmap, Burp Suite, and manual testing.
  • Example: A search field accepted wildcard characters (%%%), unintentionally exposing the company’s entire client list as well as their dedicated application portal.

Exposed Secrets, Keys, and Credentials (Critical Severity)

Leaving access keys exposed online is like taping your house key to the front door—anyone can let themselves in.

  • Risk: Immediate compromise of cloud services, databases, or APIs.
  • Tools Used: truffleHog, git-secrets, and GitGuardian help locate exposed credentials.
  • Example: A hardcoded API token in a JavaScript file allowed access to sensitive customer data.

Firewall Misconfigurations (Critical Severity)

Firewalls are meant to protect critical services, but when misconfigured, they can expose dangerous entry points.

  • Risk: Exposed services like RDP (port 3389) and MySQL (port 3306) are common targets for attackers.
  • Tools Used: nmap, masscan, Legion, and Nessus.
  • Example: A misconfigured firewall left RDP open to the internet, inviting brute-force attacks.

Conclusion


The thing about security is that it’s never really “done.” You can patch today, lock things down, and feel pretty good about your defenses—only for something new to pop up tomorrow. Maybe it’s an old staging server someone forgot about, a cloud misconfiguration, or a credential that accidentally made its way into a public repo. It happens. The internet is a wild place, and attackers are always out there, shaking the trees to see what falls.

I’ve seen teams put in a ton of work, thinking they had everything locked down, only for an external assessment to turn up something unexpected. And that’s not a failure—it’s just reality, and evidence that risk-based approaches are essential. Security isn’t about winning some final boss fight; it’s about constantly adapting, staying ahead, and making sure you’re the hardest target on the block. The companies that do that well aren’t the ones who just react to problems—they’re the ones who actively go looking for them before an attacker does.

At the end of the day, there’s no magic fix. No silver bullet. But staying curious, staying vigilant, and treating security as an ongoing process instead of a box to check. That’s how you stack the odds in your favor.