Vulnerability Assessment is the process of evaluating the efficiency of the security controls of a system by measuring its security level. The scope of the process is to uncover all potential vulnerabilities through automated or human driven security tests.
The below listed files are not directly linked to the website. This check looks for common sensitive resources like password files, configuration files, log files, include files, statistics data, database dumps and administrative consoles. Each one of these files could help an attacker to learn more about his target like OS name, platform version, framework, outdated components etc.
The severity of these can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker.
Information disclosure issues in web application can be further used by attackers to gain insightful knowledge about the possible weaknesses of a web application, thus allowing them to craft a malicious hack attack. They allow the hackers or spammers to gain insightful and confidential information about the target such as DB information, OS name etc they want to attack just by performing basic testing, and sometimes just by looking for information in public pages or error pages.
There are so many automated tools are also available who can helps you to detect the possible sensitive files like Acunetix, Netsparker, Qualys, Burp Suite etc.
The only remediation is to restrict access to these files/directories or remove them from the website so that no personal information would be leaked. With respect to configuration files, make sure that the permissions for the configuration files on your website are set up with security in mind i.e. 400 or 444.
| S.No. | File Name | Description |
|---|---|---|
| 1 | /.env | Environment configuration File (Laravel) |
| 2 | /|~.aspx | Improper Error Handling (ASP.NET) |
| 3 | /… | Improper Error Handling (ASP.NET) |
| 4 | /trace.axd | ASP.NET Tracing Enabled |
| 5 | /phpinfo.php | PHP Configuration File |
| 6 | /php.ini | PHP Configuration File |
| 7 | /wp-includes | Directory Listing (WordPress) |
| 8 | /error.log, /error.txt. /error_log, /errorlog, /error.jsp, /logs, /logs.php | Error Log Files |
| 9 | /htaccess.txt, /.htaccess | Apache Htaccess Files |
| 10 | /etc/passwd, /tmp, /var | Linux Directory Files |
| 11 | /admin, /administrator, /wp-admin, /admin/login.php, /admin.aspx, /adminlogin.aspx | Possible Administrator Login Pages |
| 12 | /readme.html, /readme.txt, /README.MD, /license.txt, /manual |
Documentation Files |
| 13 | /config.php, /configuration.php, /conn.php, /sites/default/settings.php, /app/etc/local.xml, /inc.config.php, /admin/config.php, /wp-config.php | DB Configuration Files |
| 14 | /robots.txt | Robots File (Pre Attack Probe) |
| 15 | /.gitignore | Possible Sensitive File (Github) |
| 16 | /wp-includes/rss-functions.php, /wp-includes/user.php, /wp-includes/vars.php | Fatal Error Check (WordPress) |
| 17 | /adminer.php, /phpminiadmin.php, /phpmyadmin, /db.php, /sql.php | Possible DB login Files |
| 18 | /examples | Apache Tomcat Examples Directory |
| 19 | /backup, /backup.zip, /download.zip, /backup.tar.gz, |
Backup Files |
| 20 | /.bashrc, /.zshrc, /.cshrc | Shell Configuration Files |
| 21 | /pass.txt, /password.txt, /passwords.txt, /password |
Password Related Sensitive Files |
If you want to add more information related to possible sensitive files, then you can drop a mail at hymeblogs@gmail.com.
You may also like:- Introducing ChatGPT Search – Your New Gateway to Instant, Up-to-date Information
- Python Has Surpassed JavaScript as the No. 1 Language on GitHub
- [Solution] Missing logstash-plain.log File in Logstash
- Top 7 Essential Tips for a Successful Website
- Sample OSINT Questions for Investigations on Corporations and Individuals
- Top 10 Most Encryption Related Key Terms
- Top 10 Key Guidelines For Designing A Robust Web Application
- The Rise of Online Shopping – Convenience, Risks, and Safety Measures
- WiFi Suspended at Major UK Train Stations Following Cybersecurity Incident
- The Coolest GitHub Hack You Should Know
