loading
loading
Discovery
An automated tool that checks for backup artifacts that may disclose a web application's source code.
overview
bfac, the Backup File Artifacts Checker, looks for files a deploy left behind: editor backups, archive copies, and exposed version-control directories that should never have shipped. A single accessible index.php.bak or .git folder can hand an attacker the full source of an application, and with it hardcoded passwords, internal paths, and the rest of the directory structure.
Given a URL or a list of URLs, bfac generates candidate backup paths and verifies each one. It confirms availability by status code, by content length, or both, so it does not flag a soft-404 page as a real hit. Rate throttling, custom headers, cookies, and a DVCS-only mode let you tune a run to the target and to what you are hunting for.
Feed it the live endpoints from a crawler or prober, then route the confirmed artifacts into the same triage path as your other findings.
source github.com/mazen160/bfac
use cases
Check a host for editor and archive backups of live files so you catch a leaked index.php.bak before someone reads application source from it.
Run --dvcs-test to focus on exposed .git and similar folders, the artifacts that most often leak an entire codebase and its history.
Pass a crawler's endpoint list via --list and check every path for backup artifacts in one pass instead of probing each by hand.
Use --technique status_code, content_length, or all so soft-404 pages are not reported as real backups.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| single-url | STRING | -u | Check a single URL for backup artifacts. |
| url-list | FILE | --list | Check a list of URLs, the usual pipeline input. |
| level | STRING | -level | Choose how aggressively bfac generates candidate paths. |
| verification-technique | STRING | --technique | Confirm hits by status_code, content_length, or all (default all). |
| dvcs-tests-only | BOOLEAN | --dvcs-test | Limit the run to exposed DVCS artifacts such as .git. |
| request-rate | STRING | --request-rate-throttling | Requests per second to throttle a run (default 30). |
| exclude-status-code | STRING | -xsc | Status codes to exclude, comma-separated. |
| cookie | STRING | --cookie | HTTP cookie header value, for authenticated checks. |
Showing key inputs. bfac exposes 18 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| host | STRING | --host | HTTP host header value |
| level | STRING | -level | Choose level |
| proxy | STRING | --proxy | Proxy authentication credentials (name:password). |
| cookie | STRING | --cookie | HTTP cookie header value |
| timeout | STRING | --timeout | HTTP request timeout in seconds (default:5) |
| url-list | FILE | --list | Check a list of URLs |
| proxy-file | FILE | --proxy-file | Use a proxy list file |
| single-url | STRING | -u | Check a single URL |
| user-agent | STRING | -ua | HTTP User-Agent header value |
| request-rate | STRING | --request-rate-throttling | Request rate throttling per second (default: 30) |
| results-only | BOOLEAN | --no-text | Show the results only |
| extra-headers | STRING | --headers | Extra headers (e.g. "Accept-Language: fr\nETag: 123") |
| dvcs-tests-only | BOOLEAN | --dvcs-test | Limit the test to exposed DVCS tests |
| user-agent-file | FILE | --user-agents-file | Use a User-Agents file |
| exclude-status-code | STRING | -xsc | Specify status codes to exclude, separated by commas |
| invalid-content-length | STRING | --invalid-content-length | Manually specify the invalid Content-Length, instead of performing this check automatically. |
| verification-technique | STRING | --technique | Technique to verify the availability of the file. (options: status_code, content_length, all) (default: all) |
| invalid-content-length-offset | STRING | --invalid-content-length-offset | Manually specify the Content-Length offset for invalid pages (default: 50). |
example
# check live URLs for backup and DVCS artifactsbfac --list urls.txt -level 4 --technique all --request-rate-throttling 20 --no-text[+] https://www.example.com/index.php.bak (200, content-length verified)[+] https://www.example.com/.git/HEAD (200)[+] https://api.example.com/app.tar.gz (200)[+] https://app.example.com/config.php~ (200)[+] https://staging.example.com/.svn/entries (200)[-] soft-404 candidates excluded via content_length[*] 5 artifacts confirmed across 40 URLsguidance
Reach for bfac when you have live URLs and want to know whether a deploy left backup or version-control files exposed. It checks known paths, it does not crawl, so feed it endpoints from katana or a prober. For broader secret hunting inside pages, pair it with a secret scanner.
Focuses on exposed .git repositories. bfac covers DVCS plus editor and archive backups.
Scans for a wider set of secret files on web servers. bfac is tighter on backup artifacts.
General content brute forcer. bfac ships backup-specific paths and verification logic out of the box.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
Crawl a list of domains and scan for endpoints, secrets, API keys, file extensions, tokens, and more.
A URL list is probed by httpx, then bfac checks each live path for backup and version-control artifacts and writes the confirmed hits as a queryable output.
Facts on this page come from the live Trickest tool library.