🧠 Description

Backup copies, previous versions, editor swap or autosave files, archives, database dumps and version-control metadata left inside the web root (for example config.php.bak, index.php.old, .config.php.swp, config.yaml~, backup.tar.gz, .git/config) are served like any other static file. Because their names no longer carry the extension the server maps to a script handler (.php, .aspx, ...), the server returns their raw contents instead of executing them, so the response discloses source code, database credentials, API keys and configuration in plain text.

Impact: Source Code Disclosure, Credentials Theft, Configuration Exposure

🔍 Detection

Common backup and leftover file paths to test (take every known file on the site and request its variants; note that Vim stores its swap file as the hidden .<name>.swp, so /.index.php.swp is worth trying alongside /index.php.swp):

/index.html.bak
/config.php.old
/database.sql.bak
/index.php.swp
/config.yaml~
/backup.tar.gz
/.git/config
/database.sqlite
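The following script is an added example for this page, not code from the original. It generates the backup, editor and archive variants of each known path (including the hidden Vim swap form), adds the fixed-location leftovers from the list above, and then judges each hit by what the body actually contains rather than by its URL, filtering soft 404s against a baseline request. The target URL and starting paths are assumptions supplied on the command line; nothing here points at a real site.

```python
"""Enumerate and probe backup/leftover variants of known web paths.

Added example for this page (not from the original). The target URL and the
starting paths are assumptions supplied by the caller.
"""
import os
import posixpath
import sys
import urllib.error
import urllib.request

# Suffixes appended to the whole file name: /config.php -> /config.php.bak
SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".swo", "~",
            ".tmp", ".copy", ".1", ".txt", ".gz", ".zip", ".tar.gz")

# Editor artefacts that change the name instead of just appending to it.
# Vim keeps its swap file as a hidden .<name>.swp next to the file;
# Emacs writes <name>~ for backups and #<name># for autosave.
PREFIX_FORMS = (".{name}.swp", ".{name}.swo", "#{name}#")

# Leftovers at fixed locations, independent of the application's own files.
WELL_KNOWN = ("/.git/config", "/.git/HEAD", "/.svn/entries", "/.env",
              "/backup.tar.gz", "/backup.zip", "/database.sql",
              "/database.sql.bak", "/database.sqlite", "/dump.sql")

# Content signatures: judge a hit by what came back, not by the URL.
SIGNATURES = (
    (b"b0VIM", "vim-swap"),            # every Vim swap file starts with this
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
    (b"SQLite format 3\x00", "sqlite"),
)


def candidates(path: str) -> list[str]:
    """Return the backup/temporary variants to probe for one known web path."""
    directory, name = posixpath.split(path)
    if not name:
        return []
    stem, ext = posixpath.splitext(name)
    out = {posixpath.join(directory, name + s) for s in SUFFIXES}
    out.update(posixpath.join(directory, f.format(name=name)) for f in PREFIX_FORMS)
    if ext:  # config.php -> config.bak, config_old.php
        out.add(posixpath.join(directory, stem + ".bak"))
        out.add(posixpath.join(directory, stem + "_old" + ext))
    out.discard(path)
    return sorted(out)


def classify(body: bytes) -> str:
    """Label a response body by its content (magic bytes or tell-tale text)."""
    for magic, label in SIGNATURES:
        if body.startswith(magic):
            return label
    head = body[:4096]
    if b"<?php" in head:
        return "php-source"
    if head.lstrip().startswith(b"[core]"):
        return "git-config"
    if b"CREATE TABLE" in head or b"INSERT INTO" in head:
        return "sql-dump"
    return "unknown"


def _get(url: str, timeout: float) -> tuple[int, bytes]:
    """Fetch one URL; network failures are reported as status 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "backup-file-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as exc:
        return exc.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""


def probe(base_url: str, known_paths, timeout: float = 5.0):
    """Request every candidate and return (path, kind, size) for likely leaks.

    A soft 404 (HTTP 200 carrying the app's own error page) is filtered out by
    comparing each body against a baseline request for a random missing path.
    """
    base_url = base_url.rstrip("/")
    _, baseline = _get(f"{base_url}/missing-{os.urandom(4).hex()}", timeout)
    paths = set(WELL_KNOWN)
    for known in known_paths:
        paths.update(candidates(known))
    findings = []
    for path in sorted(paths):
        status, body = _get(base_url + path, timeout)
        if status == 200 and body and body != baseline:
            findings.append((path, classify(body), len(body)))
    return findings


if __name__ == "__main__":
    # Assumed invocation: python3 backup_probe.py http://target.example /index.php /config.php
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    start = sys.argv[2:] or ["/index.php", "/config.php", "/config.yaml"]
    for hit in probe(target, start):
        print("%s\t%s\t%d bytes" % hit)
```

Run it against a test instance you are authorised to scan. A `vim-swap` or `php-source` label on a `.swp`, `.bak` or `~` path is the finding; an `unknown` label on a 200 response is usually a catch-all route and needs a manual look before it is reported.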

🛡️ Mitigation

✅ Remove backup, editor and dump files from the web root; sweep for them after every deployment and keep backups and database dumps outside the document root entirely

✅ Block access in the web server configuration (Apache .htaccess or vhost, nginx location rules) so a forgotten file is never served even if the sweep misses it

✅ Deny by pattern rather than a handful of extensions: .bak, .old, .orig, .swp, .swo, trailing ~, #name#, archives (.gz, .tar.gz, .zip), .sql/.sqlite dumps, and dotfiles such as .git/ and .env; answer 404 so the file's existence is not confirmed to a scanner

✅ Deploy from a clean build artifact (CI pipeline, package) instead of editing or copying files in place, which is how swap files, ~ copies and .git/ end up in the web root
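The rules below are an added example for this page, not configuration from the original; they show the deny-by-pattern approach for Apache 2.4 in .htaccess or vhost form. The extension lists are assumptions to adapt to the site.

```apache
# Added example (not from the original page): Apache 2.4 rules that refuse
# backup, editor and VCS leftovers. Usable in .htaccess when AllowOverride
# grants AuthConfig (Require) and FileInfo (RedirectMatch); preferably put
# them in the vhost so they cannot be overridden per directory.

# Backup copies and editor artefacts, e.g.
#   config.php.bak  index.php.old  config.yaml~  .config.php.swp  #config.php#
<FilesMatch "(\.(bak|old|orig|save|swp|swo|tmp|copy|sql|sqlite|sqlite3)|~|^#.*#)$">
    Require all denied
</FilesMatch>

# Archives dropped in the web root. Remove this block if the site
# legitimately serves downloads with these extensions.
<FilesMatch "\.(tar|tgz|gz|bz2|zip|7z|rar)$">
    Require all denied
</FilesMatch>

# VCS metadata and dotenv files at any depth. Answer 404 rather than 403 so
# the directory's existence is not confirmed to a scanner.
RedirectMatch 404 "/\.(git|svn|hg|env)(/|$)"
```

Treat these rules as a backstop, not the fix: after each deployment sweep the document root with `find /var/www -type f \( -name '*.bak' -o -name '*.old' -o -name '*~' -o -name '.*.swp' \) -print` and delete what it finds, and build the deployed tree from an artifact so editor and VCS files never reach the server. Check the result with the same requests an attacker would send, e.g. `curl -sI https://host/config.php.bak`, and confirm a 403/404 rather than a 200.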