Category

Vulnerability Scanning

Inputs

urls
file
required
List of urls
header
string
Header(s) to include in HTTP requests
rate-limit
string
Maximum number of requests to send per second per machine
header-file
file
Header(s) to include in HTTP requests

Outputs

findings

Scan for Exposed Backups

Description

Scan for exposed backup files that may leak sensitive information, including source code, database backups, and application logs.

Features

  • Generates custom wordlists dynamically based on the hostname.
  • Runs heuristic analysis on brute force results to minimize false positives.
  • Can scan thousands of web servers simultaneously.

Inputs

Required

  • urls: a list of URLs
https://foo.example.com

https://bar.example.com

Optional

  • header: Header(s) to include in HTTP requests
  • header-file: File with header(s) to include in HTTP requests
  • rate-limit: Maximum number of requests to send per second per machine (default: 300)

Outputs

  • findings: JSONLines records of finding details.
{"finding": "Exposed Backup File", "location": "https://foo.example.com/foo.zip", "severity": "unknown", "hostname": "foo.example.com", "domain_name": "example.com", "method": "GET", "description": "A backup file with a size of 123.4MB was detected, which may expose source code, configuration files, or other sensitive information"}

{"finding": "Exposed Backup File", "location": "https://bar.example.com/www.sql.tar.gz", "severity": "unknown", "hostname": "bar.example.com", "domain_name": "example.com", "method": "GET", "description": "A backup file with a size of 567.8MB was detected, which may expose source code, configuration files, or other sensitive information"}

Changelog

  • v1.0.0
    • Initial release
  • v1.0.1
    • Fixed a bug that caused false positives where some text/plain responses were incorrectly identified as exposed backups.
  • v1.1.0
    • Added header-file input
  • v1.2.0
    • Added recursive scanning to detect vulnerabilities at every level of the input URL paths