8ennett

Creating A Hidden Website


Just a quick tutorial to explain how you can create a hidden website. This means you can have a website hidden within another website, or a website that nobody can even view without knowing the secret.

 

Now this method can be used to add additional security say to your administration panel for your site, basically even if someone were able to brute force the admin password they would still need to know this trick to access the admin panel.

 

We are going to be playing around with your browser's user agent information. This is basically information available to a server telling it what web browser you are using and its version number etc. A basic Firefox user agent would be like so:

 

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.11) Gecko/20100701 Firefox/3.5.11 (.NET CLR 3.5.30729)

 

Now for this tutorial we will be using the latest version of Firefox, and you will also need to download an add-on called User Agent Switcher which you can download here

Once you have downloaded and installed this add-on, in Firefox go to Tools -> Default User Agent -> Edit User Agents

 

Next click on the "New" button then on "New User Agent..." and you will get a screen like this:

 

Posted Image

 

Now we want to set the description to something like "Secret Website", and for this tutorial change the User Agent field to "opensesame".

 

Excellent, we have now created our new means of accessing our secret website.

 

Now we are going to write a PHP file with our code in it. This is very simple to do. The following code will either display our secret website, or if our user agent isn't set right it will redirect the user to google.com instead.

<?php
// Show the hidden page only when the User-Agent header equals the secret string.
if ($_SERVER['HTTP_USER_AGENT'] == 'opensesame') {
    echo 'Well done, you have found the cookies!';
} else {
    header('Location: http://google.com');
    exit;
}

That's it, now upload your PHP file and first try to access it using your default user agent. You will find you can't, instead it just loads Google. Now if you click on Tools -> Default User Agent -> Secret Website then this will change your user agent over to the new "opensesame" value. If you try opening the web page again then you will see the echoed message.

If you don't have a server to try this out on, I have uploaded a copy of the PHP file to http://forums.xisto.com/no_longer_exists/ so you can still give it a go.

If you want to hide a completely different website inside another website, that is simple to do as well. In every page of your site have the above PHP code, except have your hidden site where the echo currently resides and have the public site in the else statement. Nobody will know it is there unless you tell them it is. You can also change the phrase "opensesame" to anything you want.

 

I had this idea for hiding web pages when I was messing around with CSS files, using PHP to determine the browser so I could provide a more compatible browsing experience (we all know the pains of CSS and HTML when it comes to Firefox and Internet Explorer). I had been using the User Agent Switcher add-on as part of my testing and it suddenly hit me that it could be used as an additional layer of security for your website. Not very practical for average users, I mean who wants to sign up to a website where you have to mess around with all that stuff just to access it, but excellent for hiding your admin panels and creating entirely hidden web pages from the public eye (for secret societies and highly sensitive data).

 

Don't forget when not accessing your secret website to change your user agent back to the default otherwise it may interfere with other websites.


Wow, this is really a great idea to add to the security; it's almost impossible for someone to know what kind of user agent you're using. An even better way would be to use it encrypted with md5, sha1 or your own variation of it, so that someone in the PHP script code couldn't know the string value of the user agent for the browser. Really a nice idea :)

I think I will try to use it practically, just that it would be strange to always change the user agent ;]

Another way to make your site a little bit more secure is to hide your files. I usually use an index.php file in the public_html folder and all the images, JavaScript and CSS files in it, but all the other files I put in private_html, which are included from the script.


Yet another one of your tutorials. Keep it up man, these are great! Good luck with future tutorials, I can't wait. Have you got a game website of your own or something? What websites do you have?


I'm writing an online game but it's still quite some time from being finished. Hopefully though I'll be signing a massive sponsorship deal for one of my new sites (top secret) which should give me the cash to get my new web development and design company off the ground.


I have to say that I really like this idea. The security guy in me wonders if security through obscurity is best, but I can't really find a problem with this scheme. As long as there are no exploits in the PHP script and you're the only one that knows the correct string, it's almost like having a shared secret key. I would still prefer AES or better encryption but this actually sounds like a really decent quick and dirty way of hiding a site.

I would also recommend making a nice long and nasty string similar to a good password. This way, even if an adversary were aware of your scheme, it would take them a very long time to actually break the code. I can guarantee that "opensesame" is in every password list known to exist; right next to Admin, sex, god, password, 1234, and abcde.

As a note, I would highly recommend you change the user agent for your site only. I have seen several articles over the past year that show your user agent HTTP field is very unique and can even be used to track you, even better than an IP address or Flash cookies.

You can test your browser at https://panopticlick.eff.org/ (hosted by the EFF) and read about the Panopticlick project at http://forums.xisto.com/no_longer_exists/. Some more at http://arstechnica.com/tech-policy/

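The two suggestions made in the replies above (keep only a hash of the string in the script, and use a long random string instead of "opensesame"), as an added PHP example that is not part of any post in this thread. It uses SHA-256 in place of the md5/sha1 mentioned, compares with hash_equals(), and answers 404 rather than redirecting; the function name ua_gate_allows, the file name gate.php and the token value are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread): the User-Agent gate with the secret
// kept only as a SHA-256 digest and compared in constant time.

// Generate the real token once, offline, and set it as the browser's User-Agent:
//   php -r 'echo bin2hex(random_bytes(32)), PHP_EOL;'
// Constructed sample value for this demo only; never reuse it.
const DEMO_TOKEN = '5f1d0c7a9b3e4f628a1c0d9e8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a';

/**
 * Returns true when the presented User-Agent hashes to the stored digest.
 * $expectedDigest is the hex SHA-256 of the secret token.
 */
function ua_gate_allows($userAgent, $expectedDigest)
{
    if (!is_string($userAgent) || $userAgent === '') {
        return false; // header absent or malformed
    }
    // Hashing first gives both operands a fixed length, so hash_equals()
    // leaks neither the content nor the length of the stored secret.
    return hash_equals($expectedDigest, hash('sha256', $userAgent));
}

// In a deployed script this would be a pasted hex literal, so the token itself
// never appears in the source (the hashing idea from the reply, with SHA-256).
$expectedDigest = hash('sha256', DEMO_TOKEN);

if (PHP_SAPI === 'cli') {
    // Self-check over constructed inputs when run as `php gate.php`.
    $samples = array(DEMO_TOKEN, 'opensesame', 'Mozilla/5.0 (Windows; U)', '', null);
    foreach ($samples as $ua) {
        printf("%-20.20s %s\n", var_export($ua, true),
            ua_gate_allows($ua, $expectedDigest) ? 'allow' : 'deny');
    }
    exit(0);
}

$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;
if (!ua_gate_allows($ua, $expectedDigest)) {
    // Answer like a missing page instead of redirecting, so the gated URL
    // does not stand out by its behaviour.
    http_response_code(404);
    exit('Not Found');
}

// The normal admin login still runs after this point; the gate is an extra layer.
echo 'Well done, you have found the cookies!';
```

The User-Agent header is sent in clear text over plain HTTP and is written to most web server access logs, so serve the page over HTTPS and treat the token as known to anyone who can read those logs.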

Well in reality it would be impossible to even know if the hidden site exists or not, and what page the access point is hidden on. The only way to tell would be if you could access the PHP files directly on the server to view the code.

Theoretically it would be possible to write a program to run through the possible permutations until it finds a string that displays a different HTML output, however that could take a lifetime as you would also have to find the page it works on and wouldn't know if it existed or not until they broke the string.

