Information Disclosure: Exposed settings.php

Identifier: exposed_settings_php

Scanner(s) Support

GraphQL Scanner
REST Scanner
WebApp Scanner

Description

Developers often leave backup copies of settings files behind, which is risky because these files usually contain sensitive data like database credentials and secret keys. If an attacker gets hold of one of these backups, they can use that information to break into your systems, steal data, or cause other harm. The vulnerability comes from storing these backups in accessible locations and not cleaning them up during deployment. It's important to be mindful of what files are publicly available and to double-check that no leftover sensitive backups are sitting around.
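The same leftover-file problem can be caught from the inside before a release goes live. The following audit script is an added example, not part of the scanner or its documentation: it walks a document root and reports files that look like a backup or editor copy of settings.php, which is what the exposed_settings_php check would otherwise find from the outside. The name patterns and the constructed sample web root are assumptions chosen for illustration.

```python
"""Audit a web root for leftover backup copies of settings.php (added example)."""
import os
import re
import tempfile

# Editor/swap artifacts that carry the whole file contents (assumed list).
EDITOR_ARTIFACTS = {".settings.php.swp", ".settings.php.swo", "settings.php~", "#settings.php#"}
# Renamed copies: settings.bak.php, settings_old.php, settings-copy.php, settings.2.php ...
RENAMED_COPY = re.compile(r"^settings[._-](?:bak|backup|old|orig|copy|save|\d+)\.php$")


def is_settings_backup(name: str) -> bool:
    """True if `name` looks like a backup of settings.php rather than the live file."""
    n = name.lower()
    if n == "settings.php":
        return False  # the live config is executed as PHP, not served as text
    if n in EDITOR_ARTIFACTS:
        return True
    # Suffixed copies: settings.php.bak, settings.php.orig, settings.php.1, settings.php-dist
    if n.startswith("settings.php") and n[len("settings.php")] in ".~_-":
        return True
    return bool(RENAMED_COPY.match(n))


def find_exposed_backups(webroot: str) -> list[str]:
    """Return web-root-relative paths of every suspicious file under `webroot`."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for f in files:
            if is_settings_backup(f):
                hits.append(os.path.relpath(os.path.join(dirpath, f), webroot))
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed web root with a few typical leftovers and audit it."""
    root = tempfile.mkdtemp()
    site = os.path.join(root, "sites", "default")
    os.makedirs(site)
    for name in ["settings.php", "settings.php.bak", "settings.php~",
                 ".settings.php.swp", "settings_old.php", "index.php"]:
        open(os.path.join(site, name), "w").close()
    return find_exposed_backups(root)


if __name__ == "__main__":
    for hit in demo():
        print("exposed backup:", hit)
```

Run it as a pre-publish step and fail the deploy when the list is non-empty; the live settings.php itself is deliberately not reported.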

References:

Configuration

Example

Example configuration:

---
security_tests:
  exposed_settings_php:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.