
I am using an NGINX server to host a static website exposed to the open internet. While glancing through the access logs I came across a cluster of requests for resources ending with .env, e.g.:

"GET /bedesk1.1/.env HTTP/1.1"
"GET /test/bedesk1.1/.env HTTP/1.1"
"GET /.env HTTP/1.1"
"GET /.env.local HTTP/1.1"
"GET /database/.env HTTP/1.1"
"GET /public/.env HTTP/1.1"
"GET /admin/.env HTTP/1.1"
"GET /api/.env HTTP/1.1"
"GET /API/.env HTTP/1.1"
"GET /blog/.env HTTP/1.1"
"GET /.env.backup HTTP/1.1"
"GET /.env.save HTTP/1.1"
"GET /app/.env HTTP/1.1"
"GET /dev/.env HTTP/1.1"
"GET /env/.env HTTP/1.1"
"GET /core/.env HTTP/1.1"

I assume this is a scripted web-crawler looking for .env files in commonly used resource paths.

  • Does anybody have any ideas what they were looking for?
  • What would they hope to do with that information if they had found it?
  • Under what circumstances would those resources actually exist and be accessible from the web?
  • A question without an actual problem to solve is not really on topic here. This question looks like it would be better suited for [security.se]. – Gerald Schneider Sep 25 '23 at 12:42
  • Some hints for Q1 and Q2: Credentials to backends (e.g. databases); Q3: stupidity of whoever set that up. – Gerald Schneider Sep 25 '23 at 12:43
  • Thanks @GeraldSchneider. None of those paths exist in this instance (all returned 404 to the crawler). Not putting backend credentials in publicly accessible files seems like it should be common sense... although if it happens often enough that there is a web-crawler for it then perhaps, as they say, common sense is not that common. – Rexx Robertson Sep 25 '23 at 19:41
  • Fairly typical is a web server configuration that *blocks access to all hidden files* (file and directory names whose path starts with a leading . dot) because they usually don't have content that should be publicly accessible. Their presence is often a result of sloppy housekeeping. Other than .env, for example also a .git directory and other well-known files might be a treasure trove for an adversary. Notable exceptions do exist, such as the public by-design .well-known directory - see for example https://serverfault.com/q/755662/37681 – HBruijn Oct 02 '23 at 10:24
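The configuration HBruijn's comment describes, written out as an added example (this is not configuration from the question or from any of the posters): a server block that refuses every path containing a dot-prefixed component (so /.env, /.env.backup, /app/.env.local and /.git/config are all caught by one rule) while keeping the by-design public /.well-known/ directory reachable. The server_name, document root and log path are placeholders.

```nginx
# Added example: deny hidden files except /.well-known/ (placeholder names throughout).
server {
    listen 80;
    server_name example.com;      # placeholder
    root /var/www/example;        # placeholder document root

    # Exact-prefix match wins over the regex location below, so ACME challenges
    # and other well-known resources are still served.
    location ^~ /.well-known/ {
        try_files $uri =404;
    }

    # Any path component beginning with a dot is refused: ".env", ".env.save",
    # ".git/", ".htpasswd", "/admin/.env", ... Answering 404 instead of 403
    # gives a scanner no hint about whether the file exists; the probe still
    # lands in the access log with a 404, as in the asker's logs.
    location ~ /\. {
        return 404;
        # Optional: keep these probes in their own log for easier triage.
        access_log /var/log/nginx/dotfile-probes.log;   # placeholder path
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Regex locations are evaluated in the order they appear, so place the `location ~ /\.` block before any other regex location (for example a PHP handler) to be sure it is consulted first; `nginx -t` validates the file before a reload.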

1 Answer


They were looking for .env files, commonly holding environment variables used in e.g. docker deployments. Such files typically contain credentials for databases and so forth, and would thus be of large interest to any attacker.

Such files should normally NOT be accessible from the web, but misconfigurations happen all the time...

HBruijn
vidarlo