loading
loading
Misconfiguration
Find files on web servers that should not be public and can pose a security risk.
overview
snallygaster requests a curated list of candidate paths against a web server and inspects each response to find files that were never meant to be public. It checks for exposed git and svn repositories, backup files and database dumps that may hold passwords, stray .env and .DS_Store files, leaked private keys, and a set of other misconfigurations, confirming a real hit rather than guessing from a status code.
The tool is selective about what it reports. By default it focuses on real security issues, with separate flags to enable informational tests or noisy checks that flag boring bugs. You can scope it to a base path, skip the www variant, restrict to a named set of tests, and choose whether to scan HTTP, HTTPS, or both, which keeps a run targeted across a large estate.
On Trickest, snallygaster is a Misconfiguration node that takes one or more hostnames and writes a file and a folder of results. Run it across a probed host list to catch exposed repositories and backups before an attacker does, then route findings into triage and remediation.
use cases
Scan a host list for publicly reachable .git and .svn directories that leak source code, history, and hardcoded secrets, a common and high-impact misconfiguration.
Look for backup files, database dumps, and stray .env files left in the web root that may contain credentials or sensitive data.
Restrict to a base path, a named test set, and a single protocol so a scan across a large estate stays fast and focused on what matters.
Run snallygaster after probing so each confirmed live host is checked for exposed files before scanning moves on.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| hosts | STRING | · | Hostname to scan. |
| path | STRING | --path | Base path on the server (scans the root directory by default). |
| tests | STRING | --tests | Comma-separated list of tests to run. |
| info | BOOLEAN | --info | Enable all info tests (no bugs or security vulnerabilities). |
| nowww | BOOLEAN | --nowww | Skip scanning the www.[host] variant. |
| nohttp | BOOLEAN | --nohttp | Do not scan over HTTP. |
| nohttps | BOOLEAN | --nohttps | Do not scan over HTTPS. |
| useragent | STRING | --useragent | User agent to send in the request header. |
Showing key inputs. snallygaster exposes 10 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| info | BOOLEAN | --info | Enable all info tests (no bugs or security vulnerabilities). |
| path | STRING | --path | Base path on the server (scans the root directory by default). |
| debug | BOOLEAN | --debug | Show detailed debugging info. |
| hosts | STRING | · | Hostname to scan (positional argument). |
| noisy | BOOLEAN | --noisy | Show noisy messages that indicate boring bugs, but no security issue. |
| nowww | BOOLEAN | --nowww | Skip scanning the www.[host] variant. |
| tests | STRING | --tests | Comma-separated list of tests to run. |
| nohttp | BOOLEAN | --nohttp | Do not scan over HTTP. |
| nohttps | BOOLEAN | --nohttps | Do not scan over HTTPS. |
| useragent | STRING | --useragent | User agent to send in the request header. |
example
# scan two hosts over HTTPS only, focused on exposed repos and dumpssnallygaster --nohttp --tests git_dir,svn_dir,sql_dump,backupfiles example.com staging.example.com[git_dir] http://example.com/.git/config[git_dir] http://example.com/.git/HEAD[dotenv] https://example.com/.env[sql_dump] https://example.com/backup/dump.sql[backupfiles] http://example.com/index.php.bak[ds_store] https://example.com/.DS_Store[apache_server_status] http://example.com/server-status[privatekey] https://example.com/server.keyguidance
Use snallygaster to find exposed files and misconfigurations on web servers across an estate. It works on any server. For IIS-specific short-name leakage use shortscan, and for request smuggling use smuggler. Run all three against a probed host list.
IIS 8.3 short-name leakage specifically. snallygaster covers broader, server-agnostic file exposure.
Tests for request smuggling rather than exposed files. A different misconfiguration class.
Finds hijackable broken social links by crawling. Another exposure check on the same surface.
faq
related
A fast tool to scan for CRLF vulnerabilities, written in Go.
Leak git repositories from misconfigured sites and rebuild their contents.
A host header injection vulnerability checker for batches of URLs.
A Go subdomain takeover tool that scans subdomains concurrently to find hijackable ones.
A host list feeds snallygaster, which probes each server for exposed files and writes the confirmed misconfigurations as a queryable output.
Facts on this page come from the live Trickest tool library.