DEV Community

Arashad Dodhiya

How Hackers See a Website (Hint: Not Like You Do)

Open your favorite website.

Maybe it's a social media platform.

Maybe it's an online store.

Maybe it's your bank.

What do you see?

Probably something like this:

www.company.com

A homepage.

A login button.

A few menus.

Some images.

Maybe a search bar.

That's what most people see.

But security researchers see something completely different.


The Same Website, Different Eyes

Imagine two people looking at the exact same website.

A normal user sees:

www.company.com

A security researcher sees:

CDN
WAF
Load Balancer
API
Backend
Database
Authentication System
Cloud Infrastructure

The website hasn't changed.

The way they're looking at it has.

One sees a webpage.

The other sees an entire ecosystem.


Think of a Website as a City

Most visitors only see the front gate.

They enter.

They do what they came to do.

Then they leave.

But if you were asked to secure the entire city, the front gate wouldn't be enough.

You would need to know:

  • How many entrances exist
  • Where the security checkpoints are
  • How traffic is routed
  • Where important information is stored
  • Which buildings are connected to which systems

Modern websites work the same way.

What appears to be a single website is often dozens of interconnected systems working together.


The Homepage Is Usually the Least Interesting Part

When someone visits:

www.company.com

they assume that's the website.

In reality, that's often just the beginning.

Behind it might be:

api.company.com
auth.company.com
cdn.company.com
blog.company.com
admin.company.com

Each system serves a different purpose.

Each system expands the organization's attack surface.

And each system introduces new opportunities for mistakes.


The First Question: What's Behind the Website?

Most users ask:

"What can this website do?"

Researchers ask:

"How does this website work?"

Those are very different questions.

To answer that second question, researchers start mapping the architecture.


Is There a CDN?

Many websites sit behind a Content Delivery Network (CDN).

The CDN helps deliver content faster by serving users from locations closer to them.

To a normal visitor:

Fast website

To a researcher:

Interesting...
What is the actual origin server?

Because a CDN only protects the traffic that passes through it. If the origin server can be reached directly (a leaked IP, a stale DNS record, a subdomain that was never put behind the CDN), every control the CDN enforces, caching and WAF rules included, is bypassed in one step.


Is There a WAF?

Many large organizations put a Web Application Firewall (WAF) in front of their applications.

Think of it as a security guard standing at the entrance.

A normal user never notices it.

A researcher immediately starts thinking:

What is filtering requests?
How strict is it?
What can it detect?

Because understanding the defense is often part of understanding the application.


Is There a Load Balancer?

Large websites rarely run on a single server.

Traffic is distributed across multiple systems.

To a normal user:

Website works.

To a researcher:

How many servers exist?
Are they all configured the same way?

Sometimes they aren't.

One node may be running an older build, missing a patch, or carrying a slightly different configuration. A weakness that exists on only one of ten backends is still a weakness; it just takes more requests to land on the server that has it. And when the front end and a back end parse the same request differently, that disagreement is itself a bug class.
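Here is what the three questions above (is there a CDN, is there a WAF, are the backends identical) look like when you actually answer them. This is an added example, not code from the original post. It reads raw HTTP responses and works from headers alone; the responses are constructed inline so it runs offline, and the CF-Ray values and PHP versions in them are made up. Header signatures are indicative, not proof: vendors change them and operators can strip them.

```python
"""Passive edge fingerprinting from HTTP response headers (added example)."""
from __future__ import annotations

from collections import defaultdict

# Header signals that commonly mark a CDN or WAF layer. Indicative only:
# vendors change headers over time and operators can strip or rename them.
EDGE_SIGNATURES = {
    "Cloudflare (CDN+WAF)": [("cf-ray", None), ("server", "cloudflare")],
    "Amazon CloudFront (CDN)": [("x-amz-cf-id", None), ("via", "cloudfront")],
    "Akamai (CDN)": [("server", "akamaighost"), ("x-akamai-transformed", None)],
    "Fastly (CDN)": [("x-served-by", "cache-"), ("via", "varnish")],
    "Sucuri (WAF)": [("x-sucuri-id", None), ("server", "sucuri")],
}

# Headers that leak the origin stack and tend to drift between backends that
# were built or patched at different times.
DRIFT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Constructed responses standing in for three requests to one hostname.
# The CF-Ray ids and PHP versions are invented for the example.
SAMPLES = [
    "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-Ray: 8a1b2c3d4e5f0000-FRA\r\n"
    "X-Powered-By: PHP/8.2.12\r\nContent-Type: text/html\r\n\r\n<html>...",
    "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-Ray: 8a1b2c3d4e5f0001-FRA\r\n"
    "X-Powered-By: PHP/8.2.12\r\nContent-Type: text/html\r\n\r\n<html>...",
    "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-Ray: 8a1b2c3d4e5f0002-FRA\r\n"
    "X-Powered-By: PHP/7.4.33\r\nContent-Type: text/html\r\n\r\n<html>...",
]


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Parse a raw HTTP/1.1 response head into (status, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint_edge(headers: dict[str, str]) -> list[str]:
    """Return the edge layers whose signature headers appear in the response."""
    hits = []
    for vendor, signals in EDGE_SIGNATURES.items():
        for name, needle in signals:
            value = headers.get(name)
            if value is None:
                continue
            if needle is None or needle in value.lower():
                hits.append(vendor)
                break  # one matching signal is enough for this vendor
    return hits


def backend_drift(samples: list[str]) -> dict[str, set[str]]:
    """Compare repeated responses; return drift headers that took more than one value."""
    seen: dict[str, set[str]] = defaultdict(set)
    for raw in samples:
        _, headers = parse_response(raw)
        for name in DRIFT_HEADERS:
            seen[name].add(headers.get(name, "<absent>"))
    return {name: values for name, values in seen.items() if len(values) > 1}


def survey(samples: list[str]) -> dict:
    """Summarise what the edge looks like from a handful of responses."""
    _, first = parse_response(samples[0])
    return {"edge": fingerprint_edge(first), "drift": backend_drift(samples)}


if __name__ == "__main__":
    result = survey(SAMPLES)
    print("edge layers :", result["edge"] or ["none detected"])
    for name, values in result["drift"].items():
        print(f"drift in {name}: {sorted(values)}  <- backends are not identical")
```

Note what the sample shows: Cloudflare rewrites the Server header, so it is identical on every response, but X-Powered-By passes through untouched and reveals that one of the backends is still on PHP 7.4. That is exactly the "are they all configured the same way?" question answered from a few ordinary page loads. Feed it real responses only for hosts you are authorized to test.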


Where Is the API?

This is where things get interesting.

Most modern applications are powered by APIs.

When you:

  • Log in
  • Like a post
  • Send a message
  • Add an item to a cart

there's usually an API involved.

The page you see is often just a visual layer.

The real functionality lives underneath.

Researchers spend a lot of time looking for hidden endpoints, undocumented functionality, and unexpected behavior in APIs.

Because that's where many vulnerabilities are found.
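One of the cheapest ways to find the "real functionality underneath" is to read the JavaScript the browser already downloaded: the frontend has to know every route it calls, including the ones no menu links to. The script below is an added example, not code from the original post. The minified bundle excerpt and the `/api/v2/...` routes in it are constructed for the example; the regexes are a starting point, not a complete JS parser.

```python
"""Pull server-side routes out of a frontend JavaScript bundle (added example)."""
from __future__ import annotations

import re

# Constructed excerpt of a minified bundle for a hypothetical shop app.
BUNDLE = r'''const r=e=>fetch("/api/v2/users/"+e,{credentials:"include"});
async function L(t){return(await fetch("/api/v2/auth/login",{method:"POST",body:JSON.stringify(t)})).json()}
const D=i=>fetch(`/api/v2/orders/${i}`,{method:"DELETE"});
axios.get("/api/internal/feature-flags");
const A="/api/v2/admin/users/export";
window.__DEBUG__&&fetch("/debug/vars");'''

# A quoted string beginning with a prefix that usually marks a server-side route.
PATH_RE = re.compile(r'''["'`](/(?:api|v\d+|graphql|internal|debug)[^"'`\s]*)(["'`])''')
METHOD_AFTER_RE = re.compile(r'''method\s*:\s*["']([A-Za-z]+)["']''')   # fetch(..., {method:"POST"})
METHOD_BEFORE_RE = re.compile(r"\.(get|post|put|patch|delete)\(\s*$")     # axios.get("/...")
INTERESTING = ("admin", "internal", "debug", "export")


def _context_after(src: str, start: int, limit: int = 200) -> str:
    """Text from `start` to the end of the statement (';' or newline), so the
    method of the *next* call is never attributed to this route."""
    window = src[start:start + limit]
    stops = [i for i in (window.find(";"), window.find("\n")) if i >= 0]
    return window[:min(stops)] if stops else window


def extract_endpoints(src: str) -> list[tuple[str, str, bool]]:
    """Return (method, path, interesting) for each route literal found in `src`.
    Template placeholders and string concatenation become '{param}'."""
    found: dict[str, tuple[str, str, bool]] = {}
    for m in PATH_RE.finditer(src):
        path = re.sub(r"\$\{[^}]*\}", "{param}", m.group(1))
        after = _context_after(src, m.end())
        if after.startswith("+"):            # "/api/v2/users/" + id
            path += "{param}"
        before = src[max(0, m.start() - 16):m.start()]
        method = "GET"                       # default when nothing says otherwise
        if (mb := METHOD_BEFORE_RE.search(before)):
            method = mb.group(1).upper()
        elif (ma := METHOD_AFTER_RE.search(after)):
            method = ma.group(1).upper()
        interesting = method == "DELETE" or any(w in path.lower() for w in INTERESTING)
        found[path] = (method, path, interesting)
    return sorted(found.values(), key=lambda t: t[1])


if __name__ == "__main__":
    for method, path, interesting in extract_endpoints(BUNDLE):
        flag = "  <- worth a closer look" if interesting else ""
        print(f"{method:6} {path}{flag}")
```

Of the six routes this recovers, four never appear in the UI: an internal feature-flag endpoint, an admin export, a debug page, and a DELETE on orders. Those are the endpoints to test first for the authorization questions the next sections raise.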


What Does the Backend Do?

The frontend is what users see.

The backend is what makes decisions.

For example:

Can this user log in?
Can they access this data?
Can they delete this record?

Every action eventually reaches backend logic.

This is where authorization checks, business rules, and application behavior live.

When researchers study an application, they're often trying to understand how the backend thinks.


Where Is the Data Stored?

Every application stores information somewhere.

That information could include:

  • User accounts
  • Messages
  • Orders
  • Payments
  • Personal data

Researchers don't just ask:

"Where is the data?"

They ask:

"Who should be allowed to access it?"

Many serious vulnerabilities happen when applications answer that question incorrectly: the backend checks that someone is logged in, but never checks that the record they asked for is theirs. Change the id in the request and you read someone else's order. This is broken object-level authorization, and it sits at the top of the OWASP API Security Top 10.
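This is the decision the backend has to make correctly, shown both ways. It is an added example, not code from the original post: an in-memory order store with constructed data, a handler that only checks authentication, and the fixed handler that checks authorization per record and also distinguishes "may read" from "may delete". The `customer` and `support` roles are hypothetical.

```python
"""Object-level authorization: the check the backend must make (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "support" (hypothetical roles)


@dataclass
class Order:
    id: int
    owner_id: int
    total: float


class NotFound(Exception):
    """404: the record does not exist, or the caller may not learn that it does."""


class Forbidden(Exception):
    """403: the caller may see the record but not perform this action."""


def sample_orders() -> dict[int, Order]:
    """Constructed data: two customers (ids 7 and 8), one order each."""
    return {
        1001: Order(1001, owner_id=7, total=49.99),
        1002: Order(1002, owner_id=8, total=1200.00),
    }


def get_order_vulnerable(current: User, order_id: int, store: dict[int, Order]) -> Order:
    """Authentication only: `current` proves someone is logged in, nothing more.
    Any user can read any order by guessing its id (broken object-level authorization)."""
    if order_id not in store:
        raise NotFound
    return store[order_id]


def can_view(current: User, order: Order) -> bool:
    return order.owner_id == current.id or current.role == "support"


def can_delete(current: User, order: Order) -> bool:
    return order.owner_id == current.id  # support may read but never delete


def get_order(current: User, order_id: int, store: dict[int, Order]) -> Order:
    """Authentication *and* authorization, decided on the server for this record."""
    order = store.get(order_id)
    if order is None or not can_view(current, order):
        # Same answer for "missing" and "not yours": a 403 here would confirm
        # to an attacker that the id exists and turn the API into an oracle.
        raise NotFound
    return order


def delete_order(current: User, order_id: int, store: dict[int, Order]) -> bool:
    order = get_order(current, order_id, store)  # reuses the visibility rule
    if not can_delete(current, order):
        raise Forbidden
    del store[order_id]
    return True


def outcome(action, *args) -> str:
    """Run a handler and report the HTTP-style result as a string."""
    try:
        action(*args)
        return "ok"
    except NotFound:
        return "not_found"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    alice, mallory, agent = User(7, "customer"), User(9, "customer"), User(3, "support")
    store = sample_orders()
    print("vulnerable: mallory reads alice's order ->", outcome(get_order_vulnerable, mallory, 1001, store))
    print("fixed:      mallory reads alice's order ->", outcome(get_order, mallory, 1001, store))
    print("fixed:      support reads alice's order ->", outcome(get_order, agent, 1001, store))
    print("fixed:      support deletes that order  ->", outcome(delete_order, agent, 1001, store))
    print("fixed:      alice deletes her own order ->", outcome(delete_order, alice, 1001, store))
```

Two design points worth copying. The ownership rule lives in one place (`can_view` / `can_delete`) and every handler goes through it, so a new endpoint cannot forget the check by accident. And an unauthorized read returns the same "not found" as a missing record, so the API does not tell an attacker which ids are worth coming back for.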


Security Starts With Understanding

One of the biggest misconceptions about cybersecurity is that it's all about tools.

It isn't.

Tools help.

Understanding comes first.

Before finding vulnerabilities, researchers learn how systems are connected.

Before testing security, they learn how the application works.

Before identifying weaknesses, they map the environment.

Because you can't meaningfully assess something you don't understand.


The Mindset Shift

The biggest difference between a user and a security researcher isn't technical knowledge.

It's curiosity.

A user asks:

"Can I use this website?"

A researcher asks:

"How does this website actually work?"

That single question changes everything.

Suddenly a website is no longer a webpage.

It's an architecture.

It's an ecosystem.

It's a collection of interconnected systems making decisions every second.

And once you start seeing websites that way, you'll never look at them the same way again.


Final Thoughts

Most people see a website.

Security researchers see layers.

They see infrastructure.

They see APIs.

They see authentication systems.

They see databases.

They see trust boundaries.

The website hasn't changed.

Their perspective has.

And in cybersecurity, that perspective is often the difference between simply using a system and truly understanding it.
