10,259 reads
10,259 reads

Scanning 2.6 Million Domains for Exposed .Env Files

by sdcatNovember 10th, 2022
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow
en-flagENes-flagEShi-flagHIzh-flagZHvi-flagVIfr-flagFRpt-flagPTja-flagJA
EN

Too Long; Didn't Read

A software developer scanned 2.6 million domains for exposed.env files. He found 135 database users and passwords, 48 e-mail user accounts with passwords, 11 live credentials for payment providers (like Stripe or Paypal) 98 secret tokens for different APIs and 128 app secrets. The dangerous aspect is that the passwords and secrets are in unencrypted form in the.env file. When the web server is misconfigured and this.env file is delivered by the web. server, anyone can. query this data.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Scanning 2.6 Million Domains for Exposed .Env Files
sdcat HackerNoon profile picture

After my first scan for exposed .git directories, I did another scan for exposed .env files. During this scan I found more than 200 exposed .env files. Besides harmless configuration settings I found 135 database users and passwords, 48 e-mail user accounts with passwords, 11 live credentials for payment providers (like Stripe or Paypal), 98 secret tokens for different APIs and 128 app secrets (secrets to securely generate session ids, CSRF-tokens and JWT-tokens) and a few hard coded admin credentials.

TL;DR: Watch out for mistakes in the deployment process. Never expose your hidden .env file to the public.

Why I did this?

I am SDCat a software developer with a curious mind which loves to look everywhere under the hood. After my scan for exposed .git directories I decided to go deeper into this rabbit hole. And decided I will check for exposed .env files.

In this post I describe, what a .env file is, how I scanned the domains and some stats about what was found in these files. The analysis of this data sometimes revealed many credentials for different services and accounts.

.env file

Every software requires some configuration and has various settings. In the case of user software, such as a mail client, these settings, like email address, username and password, are requested from the user the first time the software is started. For software that runs on a server and is often installed automatically, user interaction is not possible. For some software frameworks, these settings can be specified via environment variables and configured in a file with the name .env. The .env files are hidden files, so you do not see these files by default.

Example of an .env file:

ENV="PRODUCTION"
LOG_LEVEL="INFO"
SMTP_HOST="email.example.com"
SMTP_PORT= 25
SMTP_USER="[email protected]"
SMTP_PASS="SuperSecurePassword2022"
SMTP_TLS=1
SMTP_CONNECTION_TIMEOUT_SECONDS=2
DB_HOST="dbserver.example.com"
DB_DATABASE_NAME="important_database"
DB_USER="my-app-db-user"
DB_PASSWORD="2022SuperVerySecurePassword"
PAYMENT_GATEWAY="payment.example.com"
PAYMENT_SECRET= "super-secure-payment-api-secret"

Note: We recommend more secure passwords than the ones mentioned in the examples above.

Why are exposed .env files interesting/dangerous?

Since almost every web application accesses a database or uses some APIs to communicate with, these credentials must be passed to the application. If this is done using the .env file, the credentials are in plain text in this file. When the web server is misconfigured and this .env file is delivered by the web server, anyone can query this data. To do this, one can visit just a URL with a browser, such as: https://example.com/.env.

The dangerous aspect is that the passwords and secrets are in unencrypted form in the .env file.

How did I scan 2.6 million domains for exposed .env files

Getting the domains

I chose a country which allows for DNS zone transfer to obtain all the domains of this country. It will take some time to download the complete zone file. With a simple python script, I extracted the NS records and from these records the domain names.

Scanning process

With another python script I read the domains and send a request to http://<domain>/.env. I also checked http://www.<domain>/.env, https://<domain>/.env and https://www.<domain>/.env.

It is important to ignore the SSL certificate check. I learned that many files were found over https but with an invalid certificate. By ignoring the invalid SSL certificates these directories can be accessed anyway.

Stats

I scanned 2.6 million domains and found:

  • 201 .env files
  • 135 databank usernames with passwords
  • 48 email account credentials
  • 11 accesses to payment providers (like Stripe or Paypal)
  • 98 API key for different APIs (e.g. credit check API)
  • 128 app secrets

These are the results of only the main domains. Imagine what would happen if we scan all the subdomains. I have no doubt you’d find a lot more there.

How to check if your domain is affected?

You can scan your domains and subdomains with a nuclei template or you can use a service like scan.nan.io to check your domains and subdomains automatically for exposed sensitive files.

Take away: Check your server and deployment to not expose the hidden .env file.

Also published here.

HackerNoon Services
L O A D I N G
. . . comments & more!

About Author

sdcat HackerNoon profile picture
sdcat@sdcat
Software developing cat
Read my storiesAbout @sdcat

TOPICS

purcat-imgprogramming#environment-variables#devops#software-development#cyber-security#database#cybersecurity#debugging#hackernoon-top-story

THIS ARTICLE WAS FEATURED IN...

Arweave
Read on Terminal Reader Terminal
Read this story w/o Javascript Lite
Technoblender
Maciekpalmowski
Allinfosecnews
Joyk
Learnrepo
Writingcontests
Coffee-web
Devcript
Devcript
Coffee-web
Hashnode
Learnrepo
Acunetix
Ujjina
Cybertechbiz
Cybermind
Coffee-web
Csoonline
Com
Learnrepo
Csoonline
Github

RELATED STORIES

Article Thumbnail
2.6 Million Domains and ~45,000 Exposed Phpinfo() Later… the Story of Unprotected Phpinfo()
by sdcat
Dec 02, 2022
#php
Article Thumbnail
108 Stories To Learn About Cybersecurity Tips
by learn
Nov 07, 2023
#cybersecurity-tips
Article Thumbnail
10 Ways to Mitigate Cybersecurity Risks and Prevent Data Theft
by thekonst
Sep 23, 2021
#cybersecurity
Article Thumbnail
10 Tips For Securing Zoom Meetings
by cagatayozata
May 04, 2020
#cyber-security
Article Thumbnail
10 Things I Did To Increase CloudTrail Logs Security
by mantux
Jun 01, 2021
#aws-cloudtrail
Join HackerNoonloading
Latest technology trends. Customized Experience. Curated Stories. Publish Your Ideas

Categories

Trending Topics

blockchaincryptocurrencyhackernoon-top-storyprogrammingsoftware-developmenttechnologystartuphackernoon-booksBitcoinbooks