FixVibe

// 探索 / 聚焦

Exposed Files & Backup Directories

.env, .git, .DS_Store, backup.sql — files that should never be public, accidentally are.

概要

Forgotten files outlive the deploy that created them. Someone wrote a quick `backup.sql` before a risky migration in 2022, dropped it in `/public` because that was the easiest path at 11pm, never came back to clean it up. Two years later it's still there, and the database it dumped is now a different database with different secrets in different schemas — but every one of those secrets is still real. The bug is operational rather than architectural: nobody designed `backup.sql` into the deployment, but nobody removed it either, and the static-file server happily serves anything in its directory. There are public scrapers continuously checking the obvious paths against every domain on the internet, looking for exactly this.

運作方式

FixVibe probes a curated list of ~35 high-signal paths against the public web root. The list mixes a few categories: dotfile leaks (`.env`, `.env.local`, `.env.production`, `.git/config`, `.git/HEAD`, `.svn/entries`, `.DS_Store`), backup artifacts (`backup.sql`, `dump.sql`, `db.sql.gz`, `database.bak`), editor temporary files (`.swp`, `~` suffix variants), config files (`config.php.bak`, `web.config.old`, `wp-config.php.bak`), and CI/CD artifacts (`.docker/config.json`, `.npmrc`, `composer.lock` in unexpected places). Each path gets a GET request; we examine response status, content-type, length, and a content-shape signature. A 200 with text matching the expected format is a finding. A 403 or 401 might mean WAF noise, so we also check against a 'baseline' fake-suspicious path to rule out blanket-403 WAFs.

變種

Exposed .env

Every secret in plain text. Database URLs, API keys, JWT signing secrets, Stripe keys, OAuth client secrets. Most damaging single file leak.

Exposed .git directory

Full repo history reachable. With dvcs-pillage or git-dumper, attacker reconstructs every commit including ones that briefly contained leaked credentials before being 'removed.'

Backup files

`backup.sql`, `db_dump.sql`, `users.csv`. Direct customer data exposure. Usually one curl command from total compromise.

Editor swap files

Vim's `.swp`, Emacs's `#file#`, Mac's `.DS_Store`. Reveal directory contents, sometimes session state.

影響范圍

Exposed `.env` is the worst case — every secret your app needs to run, in plain text, indexed by Shodan within hours. `.git/config` plus a tool like dvcs-pillage rebuilds your repo locally; old commits often contain credentials that were 'removed' but not rotated. Backup files are direct customer-data leaks. `.DS_Store` is mostly recon (file listing) but occasionally exposes paths that should be private. Each finding is potentially the breach.

// fixvibe 檢查的內容

FixVibe 檢查的內容

FixVibe maps externally visible application surfaces with passive signals and safe metadata checks. Reports summarize the exposed surface and remediation priorities. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

铁壁防御

Don't deploy dotfiles or backup files to public directories. Your CI pipeline should refuse to ship them — add a build step that fails when `find ./public -name '.*'` or `find ./public -name '*.sql'` returns matches. Configure your web server to block dotfile access at the edge: nginx `location ~ /\. { deny all; }`, Apache `<FilesMatch '^\.'>`, Vercel's `excludeFiles` config. For static-site frameworks, audit the build output directory after deploy. Don't commit `.env` files to git; if one slipped in, rotate every secret and remove via `git filter-repo`. Add a `.gitignore` rule for `*.sql`, `*.bak`, `*.swp`, `.DS_Store` from project init. As a final layer, configure your CDN or web server to return 404 (not 403) for these paths — denying existence is preferable to confirming it.

// 在你自己的應用上跑一遍

放心继續發布,FixVibe 持續幫你看守風险。

FixVibe 像攻击者一樣對你的應用公開面进行压力测試 —— 无代理、无安裝、无信用卡。我們持續研究新的漏洞模式,并把它們转化成实用检查和可直接用于 Cursor、Claude、Copilot 的修複方案。

探索
142
本類别中触發的测試
模塊
23
專属 探索 检查
每次扫描
487+
跨所有類别的测試
  • 免费 —— 无需信用卡,无需安裝,无需 Slack 通知
  • 只需粘贴 URL —— 我們爬取、探测、生成報告
  • 按严重程度分级,去重至只剩信號
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
運行免费扫描

// 最新检查 · 实用修複 · 安心發布

Exposed Files & Backup Directories — 漏洞聚焦 | FixVibe · FixVibe