A computer-implemented method includes: generating a first list of uniform resource locators (URLs) available on a page when accessed using privileged credentials; storing one or more first URL outputs associated with the first list of URLs including the content of webpages accessed using the privileged credentials; generating a second list of URLs when accessed using non-privileged credentials; generating a third list of URLs, wherein the third list of URLs includes URLs included in the first list of URLs and not included in the second list of URLs; storing a second URL output including content of a webpage mapped to a particular URL in the third list of URLs when the particular URL is accessed using the non-privileged credentials; determining that the second URL output matches a particular first URL output associated with the particular URL; and outputting an alert identifying that the webpage is accessible by an unauthorized user.