Junior backend developer here, just got a task to do some pen test on our kestrel web server. And discovered that our web server is serving user uploaded files directly as a path in url like [www.foo.com/bar/6597f0f1c2da4f04aa3840e6c6633dfa20200601224101358](https://www.foo.com/bar/baz.jpg)[.jpg](https://www.foo.com/bar/baz.jpg).
That worries me a bit as it’s just available for the public, no session key or authentication is needed if the filename is known. However the filenames are hashed and is 49 characters long with a salted MD5 hash as prefix and suffixed by a timestamp.
I tried to do a simple directory traversing attack by adding ../ and such, which our server responds with 404/403. I’ve also tried to see if I can just wget with wildcard to download the files, which our server gives 404 as well.
Yet it still left me concerned, even tho it seems like it’s safe to a degree where a malicious user would need to brute force the 49 characters long filename to access files uploaded by others. But is this setup really safe?