During passive reconnaissance, a penetration tester downloads the publicly available sitemap.xml file for a target organization. The file lists only a handful of marketing pages, and no references to administrative or API endpoints are present. Which of the following BEST explains why relying only on this sitemap could cause the tester to miss additional attack surfaces?
Sitemap files may not contain URLs that reside deeper than two directory levels, so admin and API paths are automatically excluded.
The sitemap protocol requires every publicly reachable URL to be listed; if a path is missing it does not exist on the server.
Sitemaps are stored in an encrypted format that only search-engine crawlers can decrypt, so the tester's tools cannot read hidden entries.
Administrators typically include only the URLs they want indexed, so sensitive, legacy, or duplicate pages may be left out of the sitemap.
XML sitemaps are created by site owners (manually or through configurable generators). Best practice is to list only the canonical URLs that administrators want search engines to crawl. Pages that are sensitive, deprecated, duplicate, or otherwise not meant for public indexing are often deliberately omitted. Therefore, testers must supplement sitemap review with techniques such as directory brute-forcing or web crawling to discover resources that are not listed.
Incorrect answers are wrong because the sitemap protocol does not mandate listing every reachable URL, it does not prevent deeper paths or dynamic pages from being included, and sitemap files are plain XML-no encryption or home-page link requirement prevents their inspection.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are publicly available lists of addresses?
Open an interactive chat with Bash
What are some additional methods to discover hidden resources?
Open an interactive chat with Bash
Why do administrators omit pages from public lists?