| exploits


AWStats is an open source Web analytics reporting tool, suitable for analyzing data from Internet services such as websites.”

Some system administrators allow access to Awstats log files:

inurl:/awstats/data/ filetype:txt inurl:com

Awstats log files include visitor stats:

  • Visited web paths
  • Referer / User-Agent
  • IP addresses
  • Error logs

From these we can discover:

  • Sensitive files / directories on the webserver
  • Sensitive files / directories in the referrer header
  • Webserver error logs may reveal PHP bugs


To automate the process of parsing large Awstats log files, use awstats.py.

$ python awstats.py awstats012016.example.com.txt

awstats log inspection on awstats042013.example.com.txt

[*] Searching for interesting access logs
[password] /Licensing2/secret_password.html
[password] /Licensing1/secret_password.html
[*] Finished

use the --ref flag to find ‘Referer’ header values.