Show HN: A tool that alerts when 404s silently return 200)

https://heberjulio65.medium.com/when-an-404-suddenly-turns-200-and-you-didnt-knew-b35e474df44b

2•kurogai•6mo ago

Hey HN,

I recently ran into a scenario where a page that used to return a 404 suddenly started returning 200 — without warning. This led to the discovery of a forgotten admin endpoint being accidentally reactivated.

I wrote a short post about this issue and how it can surface subtle security or logic flaws.

Along the way, I built a small tool (ReconSnap) to help monitor this kind of thing — basically, it tracks web changes, auto-saves pages, and can react to specific conditions like status code flips, keyword appearance, or DOM mutations. It’s aimed mostly at security folks, OSINT researchers, and curious developers.

I realize this may seem like a bit of a promo, but I genuinely use it myself and figured it might be useful to others too. Feedback is welcome!

Here’s the post: https://medium.com/@heberjulio65/when-an-404-suddenly-turns-...

Comments

bubblebeard•6mo ago

Interesting, this is a problem I have never considered. Regarding DOM changes though, wouldn’t it make more sense to monitor files for unexpected changes instead?

kurogai•6mo ago

That makes sense — if you’re monitoring from within the system and have access to files directly, that’s definitely a more robust way to detect changes.

But my use case is more external-facing.

So the only thing you can rely on is what the browser sees — HTML, DOM, JS. In that context, unexpected DOM changes (like a hidden login form reappearing, or a 403 turning into a 200) can be quite telling.

What do you think?

bubblebeard•6mo ago

Ah of course, that makes sense then. What about dynamic DOM content though? Like content produced by PHP or similar. Is that filtered somehow or does this analysis expect static content?

Show HN: PaySentry – Open-source control plane for AI agent payments

Show HN: Moli P2P – An ephemeral, serverless image gallery (Rust and WebRTC)

The Crumbling Workflow Moat: Aggregation Theory's Final Chapter

Pax Historia – User and AI powered gaming platform

Show HN: I built a RAG engine to search Singaporean laws

Scams, Fraud, and Fake Apps: How to Protect Your Money in a Mobile-First Economy

Porting Doom to My WebAssembly VM

Cognitive Style and Visual Attention in Multimodal Museum Exhibitions

Full-Blown Cross-Assembler in a Bash Script

Logic Puzzles: Why the Liar Is the Helpful One

Optical Combs Help Radio Telescopes Work Together

Show HN: Myanon – fast, deterministic MySQL dump anonymizer

The Tao of Programming

Forcing Rust: How Big Tech Lobbied the Government into a Language Mandate

PanelBench: We evaluated Cursor's Visual Editor on 89 test cases. 43 fail

Can You Draw Every Flag in PowerPoint? (Part 2) [video]

Show HN: MCP-baepsae – MCP server for iOS Simulator automation

Make Trust Irrelevant: A Gamer's Take on Agentic AI Safety

Show HN: Sem – Semantic diffs and patches for Git

Hello world does not compile

Show HN: ZigZag – A Bubble Tea-Inspired TUI Framework for Zig

Metaphor+Metonymy: "To love that well which thou must leave ere long"(Sonnet73)

Show HN: Django N+1 Queries Checker

Emacs-tramp-RPC: High-performance TRAMP back end using JSON-RPC instead of shell

Protocol Validation with Affine MPST in Rust

Female Asian Elephant Calf Born at the Smithsonian National Zoo

Show HN: Zest – A hands-on simulator for Staff+ system design scenarios

Show HN: DeSync – Decentralized Economic Realm with Blockchain-Based Governance

Automatic Programming Returns

Why Are There Still So Many Jobs? The History and Future of Workplace Automation [pdf]