Backup Folder

  • PCI 3.2-6.5.8
  • OWASP 2013-A7
  • CWE 538

Old, backup and unreferenced files present various threats to the security of a web application. They may:

  • disclose sensitive information that can facilitate a focused attack against the application; for example, include files containing database credentials, configuration files that reference other hidden content, absolute file paths, etc.
  • expose unreferenced pages containing powerful functionality that can be used to attack the application; for example, an administration page that is not linked from published content but can be accessed by any user who knows where to find it.
  • contain vulnerabilities that have been fixed in more recent versions; for example, viewdoc.old.jsp may contain a directory traversal vulnerability that has been fixed in viewdoc.jsp but can still be exploited by anyone who finds the old version.
  • disclose the source code of pages designed to execute on the server.

Do not store backup files on production servers.
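One way to enforce this advice is a pre-deployment audit that walks the web root and flags anything that looks like a backup, editor or copied file before the build is released. The script below is an added example, not part of this entry or of any scanner product; the marker patterns and directory names it checks are my own choice (an assumption, not an exhaustive list), and the sample web root it builds under a temporary directory is constructed purely for demonstration.

```python
"""Pre-deployment audit: flag backup, editor and copied files left inside a web root.

Added example. The patterns below are assumptions about common backup naming
conventions, not a definitive list; extend them to match your own tooling.
"""
import os
import re
import tempfile
from pathlib import Path

# File-name markers, matched against the bare file name (not the path).
BACKUP_NAME_PATTERNS = [
    # viewdoc.old.jsp, config.xml.bak, data.backup.json, .index.php.swp
    re.compile(r"\.(?:bak|old|orig|save|backup|copy|tmp|swp|swo)(?:\.[A-Za-z0-9]+)?$", re.I),
    re.compile(r"~$"),                       # in-place editor/sed backups: db.inc~
    re.compile(r"^\.#|^#.*#$"),              # emacs lock files and autosaves
    re.compile(r"^Copy of ", re.I),          # file-manager duplicates
    # archives and database dumps dropped inside the document root
    re.compile(r"\.(?:zip|tar|tgz|tar\.gz|7z|rar|sql|sql\.gz)$", re.I),
]

# Any file inside one of these directories is reported regardless of its name.
BACKUP_DIR_NAMES = {"backup", "backups", "bak", "old", "_old", "archive"}


def is_backup_name(name: str) -> bool:
    """True if the bare file name matches one of the backup markers."""
    return any(p.search(name) for p in BACKUP_NAME_PATTERNS)


def find_backup_files(webroot) -> list:
    """Return sorted, web-root-relative POSIX paths of suspicious files."""
    root = Path(webroot)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        in_backup_dir = any(part.lower() in BACKUP_DIR_NAMES for part in rel_dir.parts)
        for fn in filenames:
            if in_backup_dir or is_backup_name(fn):
                findings.append((rel_dir / fn).as_posix())
    return sorted(findings)


def build_demo_webroot() -> Path:
    """Create a constructed sample web root in a temp dir (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_demo_"))
    files = [
        "index.jsp", "viewdoc.jsp", "css/site.css",   # legitimate, should not be flagged
        "viewdoc.old.jsp",                            # the entry's own example
        "admin/config.xml.bak",                       # admin copy of a config file
        "include/db.inc~",                            # editor backup of an include file
        "backup/site-2019.tar.gz",                    # archive in a backup directory
        "Copy of login.jsp",                          # file-manager duplicate
    ]
    for f in files:
        p = root / f
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample content\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    hits = find_backup_files(demo_root)
    for path in hits:
        print(f"BACKUP FILE IN WEB ROOT: {path}")
    # In a CI pipeline, a non-zero exit here fails the deployment.
    raise SystemExit(1 if hits else 0)
```

Run it against the real document root (`find_backup_files("/var/www/html")`, for example) as a CI gate; a non-empty result should block the release. The check is name-based, so it complements rather than replaces web-server rules that refuse to serve such extensions.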
