paint-brush
Scanning 2.6 Million Domains for Exposed .Env Filesby@sdcat
8,810 reads
8,810 reads

Scanning 2.6 Million Domains for Exposed .Env Files

by sdcatNovember 10th, 2022
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

A software developer scanned 2.6 million domains for exposed.env files. He found 135 database users and passwords, 48 e-mail user accounts with passwords, 11 live credentials for payment providers (like Stripe or Paypal) 98 secret tokens for different APIs and 128 app secrets. The dangerous aspect is that the passwords and secrets are in unencrypted form in the.env file. When the web server is misconfigured and this.env file is delivered by the web. server, anyone can. query this data.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Scanning 2.6 Million Domains for Exposed .Env Files
sdcat HackerNoon profile picture

After my first scan for exposed .git directories, I did another scan for exposed .env files. During this scan I found more than 200 exposed .env files. Besides harmless configuration settings I found 135 database users and passwords, 48 e-mail user accounts with passwords, 11 live credentials for payment providers (like Stripe or Paypal), 98 secret tokens for different APIs and 128 app secrets (secrets to securely generate session ids, CSRF-tokens and JWT-tokens) and a few hard coded admin credentials.

TL;DR: Watch out for mistakes in the deployment process. Never expose your hidden .env file to the public.

Why I did this?

I am SDCat a software developer with a curious mind which loves to look everywhere under the hood. After my scan for exposed .git directories I decided to go deeper into this rabbit hole. And decided I will check for exposed .env files.

In this post I describe, what a .env file is, how I scanned the domains and some stats about what was found in these files. The analysis of this data sometimes revealed many credentials for different services and accounts.

.env file

Every software requires some configuration and has various settings. In the case of user software, such as a mail client, these settings, like email address, username and password, are requested from the user the first time the software is started. For software that runs on a server and is often installed automatically, user interaction is not possible. For some software frameworks, these settings can be specified via environment variables and configured in a file with the name .env. The .env files are hidden files, so you do not see these files by default.

Example of an .env file:

ENV="PRODUCTION"
LOG_LEVEL="INFO"
SMTP_HOST="email.example.com"
SMTP_PORT= 25
SMTP_USER="[email protected]"
SMTP_PASS="SuperSecurePassword2022"
SMTP_TLS=1
SMTP_CONNECTION_TIMEOUT_SECONDS=2
DB_HOST="dbserver.example.com"
DB_DATABASE_NAME="important_database"
DB_USER="my-app-db-user"
DB_PASSWORD="2022SuperVerySecurePassword"
PAYMENT_GATEWAY="payment.example.com"
PAYMENT_SECRET= "super-secure-payment-api-secret"

Note: We recommend more secure passwords than the ones mentioned in the examples above.

Why are exposed .env files interesting/dangerous?

Since almost every web application accesses a database or uses some APIs to communicate with, these credentials must be passed to the application. If this is done using the .env file, the credentials are in plain text in this file. When the web server is misconfigured and this .env file is delivered by the web server, anyone can query this data. To do this, one can visit just a URL with a browser, such as: https://example.com/.env.

The dangerous aspect is that the passwords and secrets are in unencrypted form in the .env file.

How did I scan 2.6 million domains for exposed .env files

Getting the domains

I chose a country which allows for DNS zone transfer to obtain all the domains of this country. It will take some time to download the complete zone file. With a simple python script, I extracted the NS records and from these records the domain names.

Scanning process

With another python script I read the domains and send a request to http://<domain>/.env. I also checked http://www.<domain>/.env, https://<domain>/.env and https://www.<domain>/.env.

It is important to ignore the SSL certificate check. I learned that many files were found over https but with an invalid certificate. By ignoring the invalid SSL certificates these directories can be accessed anyway.

Stats

I scanned 2.6 million domains and found:

  • 201 .env files
  • 135 databank usernames with passwords
  • 48 email account credentials
  • 11 accesses to payment providers (like Stripe or Paypal)
  • 98 API key for different APIs (e.g. credit check API)
  • 128 app secrets

These are the results of only the main domains. Imagine what would happen if we scan all the subdomains. I have no doubt you’d find a lot more there.

How to check if your domain is affected?

You can scan your domains and subdomains with a nuclei template or you can use a service like scan.nan.io to check your domains and subdomains automatically for exposed sensitive files.

Take away: Check your server and deployment to not expose the hidden .env file.

Also published here.