Backup File Disclosure

ID

backup_file_disclosure

Severity

high

Kind

Information Disclosure

CWE

530

Description

This detector identifies when the web server exposes backup copies of files that should not be publicly accessible. Such files typically carry a backup extension (.bak, .old, .orig, .tmp) or a trailing tilde appended to the original filename, or are editor swap and autosave files (for example .swp, or a name wrapped in # characters), and they often contain source code, configuration data, or other sensitive information.

Rationale

Exposed backup files leak sensitive information such as source code, database credentials, API keys, or business logic that attackers can exploit. Attackers discover backup files by appending common backup extensions to known URLs or through automated scanning of a wordlist of likely names. The disclosure is worse than it first appears: because the web server does not recognise the backup extension, a file such as config.php.bak is not passed to the script handler but served verbatim as static content, so the reader gets the raw source rather than its rendered output. Source code disclosure reveals application logic, security mechanisms, and potential vulnerabilities. Configuration file backups may contain hardcoded credentials or internal network details. The vulnerability commonly results from in-place editing on production servers or failure to remove temporary files created by editors or deployment processes.

Remediation

Never edit files directly on production web servers. Use proper deployment processes that copy only required files to the web root. Remove all backup files, temporary files, and hidden files from web-accessible directories before deployment. Configure web server rules to deny access to common backup file patterns and extensions, including editor swap files and dotfiles; treat this as defence in depth rather than a substitute for keeping the files out of the web root. Implement automated deployment processes that ensure only intended files are present in production, and fail the deployment when a stray file is found. Regularly scan for and remove any extraneous files from web directories.
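The two sides of this issue, how a scanner derives backup-file URLs from a known path (Rationale) and how a pre-deployment check catches such files in a build (Remediation), are shown together below. This is an added example, not the detector's own logic or code from the page; the suffix list, the regular expression, the function names and the constructed demo web root are all assumptions, chosen to illustrate the technique rather than to be exhaustive.

```python
"""Backup-file disclosure: URL candidates a scanner would probe, and a
pre-deployment scan of a local web root using the same patterns.
Added example; names, suffix list and sample files are assumptions."""
import tempfile
from pathlib import Path
import re

# Suffixes commonly left behind by editors and ad-hoc copies (assumed list;
# extend it to match the tooling used on your own systems).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".tmp", ".swp", ".save", "~")

# A basename that looks like a backup copy: a known suffix, an emacs-style
# autosave (#name#), or a vim-style swap file (.name.swp / .name.swo).
BACKUP_PATTERN = re.compile(
    r"(?:\.(?:bak|old|orig|tmp|swp|save)|~)$|^#.*#$|^\..*\.sw[po]$",
    re.IGNORECASE,
)


def backup_candidates(path: str) -> list[str]:
    """Return the URL paths a scanner would request for a known `path`.

    "/admin/config.php" yields "/admin/config.php.bak", "/admin/config.bak",
    "/admin/config.php~", "/admin/#config.php#", "/admin/.config.php.swp", ...
    Both "name.ext.suffix" and "name.suffix" are generated because either
    convention is used by editors and by people copying files by hand.
    """
    directory, name = path.rsplit("/", 1)
    stem, dot, _ext = name.rpartition(".")
    out = []
    for suffix in BACKUP_SUFFIXES:
        out.append(f"{directory}/{name}{suffix}")       # config.php.bak
        if dot:
            out.append(f"{directory}/{stem}{suffix}")   # config.bak
    out.append(f"{directory}/#{name}#")                 # emacs autosave
    out.append(f"{directory}/.{name}.swp")              # vim swap file
    return list(dict.fromkeys(out))                     # drop duplicates, keep order


def find_backup_files(web_root: str) -> list[str]:
    """Walk `web_root` and return root-relative paths of files whose basename
    matches BACKUP_PATTERN. Run this over the build artifact before it is
    copied to production and fail the deployment if the list is non-empty.
    pathlib's rglob matches dotfiles, so hidden swap files are not skipped."""
    root = Path(web_root)
    hits = [
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and BACKUP_PATTERN.search(p.name)
    ]
    return sorted(hits)


def build_demo_web_root() -> str:
    """Create a constructed sample web root in a temporary directory.
    The files are invented for this example: a few legitimate assets plus
    the kinds of leftovers the detector is looking for."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "css").mkdir()
    files = {
        "index.html": "<html></html>",
        "config.php": "<?php $db_pass = 'example'; ?>",
        "config.php.bak": "<?php $db_pass = 'old-example'; ?>",  # stray copy
        ".config.php.swp": "vim swap data",                      # editor swap
        "#index.html#": "emacs autosave",                        # editor autosave
        "css/style.css": "body {}",
        "css/style.css~": "body { color: red }",                 # tilde backup
    }
    for rel, content in files.items():
        (root / rel).write_text(content)
    return str(root)


if __name__ == "__main__":
    for url in backup_candidates("/admin/config.php"):
        print("probe:", url)
    for hit in find_backup_files(build_demo_web_root()):
        print("stray file in web root:", hit)
```

The candidate generator is deliberately conservative: real scanners use much longer wordlists, but the pattern (append a suffix to the full name, to the stem, and try editor artifacts) is the same. The same regular expression can back a web server deny rule, for instance an nginx `location ~*` block returning 404 for matching paths, so that the blocked set and the scanned set stay identical.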