An overview of tests provided by snallygaster:
These tests are enabled by default and usually output information that directly leads to potential vulnerabilities.
This checks for Lazy File Manager, a one-file php script that allows arbitrary file operations. It is often placed on compromised webpages.
Configuration file for JetBrains, can contain passwords.
Database configuration file (databases.yml) used by older versions of Symfony. These aren't supposed to be stored within the web root, but sometimes they are.
Database configuration file (database.yml) used by Ruby on Rails. Misconfigurations can cause these to be readable.
When deploying web pages with a Git repository the .git directory may end up being publicly readable. This allows downloading the full repository.
- Internetwache: Don't publicly expose .git or how we downloaded your website's sourcecode
- Golem.de: Riskante Git-Verzeichnisse
- GitTools - scripts to download .git directories
- git-dumper - script to download .git dir, faster than GitTools
Identical to git_dir issue, just with Subversion instead of Git.
Apache server-status pages. These can contain visitor URLs and IP addresses of visitors.
Apache server-info pages. These can contain visitor URLs and IP addresses of visitors.
- apache.org: Apache Module mod_info
- Heise.de: Webserver-Sicherheitslücke: Heikle Konfigurations- und Statusdaten publiziert
Crashing processes on Linux and other unix systems can leave a memory dump file named "core" that may leak information like passwords.
Configuration file from the FTP client sublime FTP (sftp-config.json). It turns out sometimes people accidentally upload the configuration file of their FTP client, including credentials for their web space.
Similar to sftp_config, but for WS_FTP.
Similar to sftp_config, but for FileZilla.
Similar to sftp_config, but for WinSCP.
The Apple OS X file manager Finder creates these files. They may leak directory and file names.
- Internetwache: Scanning the Alexa Top 1M for .DS_Store files
- ds_stope_exp (recursively download .DS_Store files)
Cache file from PHP-CS-Fixer, a codingstyle checker for PHP. This effectively leaks a directory listing of PHP files. Supports both v2 and v3 formats.
Backup files and other leftovers from editors. Many editors create files with a ~ or
.bak extension when overwriting a previous version. VIM creates swap files of the scheme
.[filename].swp. On crashes EMACS creates #[filename]#. All of these are
particularly problematic in combination with PHP, as a file that may contain secrets
will end up on the webspace without a .php extension and thus won't be parsed.
Complete or partial backups of servers are sometimes left online. This test checks for common names like backup.tar.gz.
The editor JOE creates a file DEADJOE on crashes, which contains content of the currently edited files. Similar to backupfiles.
This checks for common names of SQL database dumps. These can lead to massive database leaks.
This scans for bitcoin wallets (wallet.dat) left on servers. While this is rare, obviously leaking those can come at a high cost.
The Drupal backup_migrate plugin stores backups of the CMS database in the web folder. Access is prevented with an Apache .htaccess file, but that does not work on other web servers.
Magento is a PHP web store that saves its config (including database credentials) in an XML file called "local.xml". Access is prevented with an Apache .htaccess file, but that does not work on other web servers.
xaa files are the output of the "split" command line tool on Unix systems. It's used to split large files. As large files often contain lots of data these may lead to large leaks (similar to sql_dump).
A test for the Optionsbleed vulnerability, in which Apache corrupts the "Allow" header in a reply to an HTTP OPTIONS request.
Checks for private keys, usually belonging to TLS/X.509 certificates.
Similar to the privatekey check this looks for SSH private keys on web servers.
This looks for Laravel ".env" files that may contain database credentials.
This checks all src-references on a webpage's HTML and looks for inaccessible references. These may indicate domain takeover vulnerabilities. This test produces warnings quite often, though many of them are harmless: References to deleted files or simply syntax errors in URLs.
This checks installations of the Ilias e-learning software for the presence of a default username/password (root/homer). Ilias was involved in the 2018 hack of the German government, though it's unclear what vulnerability was used.
The cgiecho tool is part of the unmaintained software cgiemail. It contains a
vulnerability where it allows leaking arbitrary files from the web root if they contain
any guessable string in square brackets (e.g. ['password']).
Tests for a remote code execution vulnerability in a script shipped with older versions of phpunit that will simply pass the POST data to PHP's eval.
Tests if there's an ACME API endpoint that reflects content and can be abused for XSS. Outputs acmereflect_html if the API also reflects HTML code, acmereflect_html_sniff if it outputs HTML code and does MIME sniffing.
Misconfigured Drupal installations may expose their SQLite database.
Tries to trigger a PHP warning with an invalid PHPSESSID.
adminer is a one file php database frontend. (I may consider changing this to an info test, but for now I believe most of these are not intentionally publicly available, though they often have login forms.)
Public error console for the ELMAH library. This can contain cookies and other sensitive pieces of information, it shouldn't be accessible from outside.
Check for the Citrix CVE-2019-19781 RCE / directory traversal.
- Vulnerability in Citrix Application Delivery Controller and Citrix Gateway
- Citrix NetScaler CVE-2019-19781: What You Need to Know (Tripwire VERT)
Search for unused installers of common PHP web applications. In most cases a stale installer can be used for code execution by installing the application and uploading a plugin.
Search for unused Wordpress installers in /wordpress/ subdir.
Search for publicly accessible instances of the Laravel Telescope software. This allows seeing detailed HTTP requests, including Cookies, and thus should never be accessible in production.
vb_test.php is a script provided by the proprietary Vbulletin software that allows webmasters to check server requirements. It should not be left on live hosts.
This tries to inject an url-encoded newline and HTTP header into the URL. This often works on redirections if the host decodes the path and passes it to the location header.
Publicly accessible debug.log file from Wordpress, contains usually PHP error messages, sometimes with sensitive data like passwords in stack traces.
Image metadata from old Windows versions, may leak file names and thumbnails.
Find leftover installer.php / installer-backup.php files from the Wordpress Duplicator plugin. Note: While this is claimed as "fixed" by the plugin authors in later versions as the plugin tries to delete these files after the next login, a vulnerable state can still happen if the files are not successfully deleted after a migration.
- Synacktiv: Remote code execution vulnerability in WordPress Duplicator
- Anonleaks: KennotFM / Details zu Hack und Defacement
Finds Windows Explorer desktop.ini metadata files. These sometimes leak information about possibly installed software on a developer machine or file names. Impact is usually low, but it is very common.
Checks if name servers answer to AXFR zone transfer requests. These are usually never intended to be publicly accessible.
- Internetwache: Scanning Alexa's Top 1M for AXFR
- US-CERT: DNS Zone Transfer AXFR Requests May Leak Domain Information
- D. J. Bernstein: How the AXFR protocol works
Check for Monit web interface with default username and password.
Check for open Elasticsearch instances with admin:admin (default password from Open Distro for Elasticsearch).
These tests are enabled with the "-i" parameter. They output information about a site that may be valuable for analysis, but does not directly indicate a security problem.
Checks for the presence of the Drupal CMS and outputs the version.
Check for the presence of Wordpress and output version.
Check for mailman and output version.
Checks for the presence of a Django assets manifest file staticfiles.json
.
Check for composer.json/composer.lock files. Can be checked with the Symfony security check afterwards.
Check for the presence of a phpinfo() script.