Backup Folder
- PCI 3.2-6.5.8
- OWASP 2013-A7
- CWE 538
Backup File Exposure occurs when backup files (e.g., .bak, .old, .zip, .tar, .sql) are stored in locations served by the web server. An attacker who discovers and downloads them obtains source code, database dumps, configuration files, or credentials. Such files are easy to leave behind: they are overlooked during deployment, generated silently by editors and deploy scripts, or left readable by a misconfigured web server or incomplete access controls, which makes them a low-effort, high-impact target.
Common patterns leading to exposure:
- Leaving backup copies of source code, database dumps, or configuration files in publicly accessible directories.
- Storing backup files with predictable filenames (index.php.bak, config.php~) on web-accessible paths.
- Automatically generated backups by IDEs, editors, or CMS platforms that are not excluded from web access.
- Lack of directory-level restrictions or access controls on backup locations.
Impacts:
- Information Disclosure: Source code, credentials, API keys, and sensitive business logic may be exposed.
- Facilitates Other Attacks: Access to source code may help attackers find additional vulnerabilities (SQLi, XSS, RCE, etc.), and leaked credentials or API keys may give direct access to databases or third-party services.
- Regulatory Non-Compliance: Leaking personal or financial data stored in backups may violate data protection laws.
Detection indicators:
- Automated scans for common backup filenames and extensions, whether run as part of your own testing or seen in access logs as a burst of requests for names such as config.php.bak from a single client.
- Directory listings exposing backup files.
- HTTP 200 responses for paths ending in .bak, .old, .sql, .zip, .tar, or editor-specific suffixes such as ~ and .swp, especially when the body is served as plain text or as a download rather than executed by the application.
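The two halves of such a scan are generating candidate names from paths you already know and then triaging the responses without being fooled by soft-404 pages. The script below is an added example, not code from the original page: it derives candidates from a known URL path and classifies responses by status, body signature (zip, gzip, tar, raw PHP, SQL dump markers) and content type. It runs offline against hand-constructed responses; the Response type, the function names and the signature lists are this example's own assumptions, and a real scanner would fill Response from its HTTP client.

```python
"""Backup-file enumeration helpers: derive candidate names from a known URL
path and triage HTTP responses for signs of an exposed backup.

Added example, not code from the original page. It runs offline: the
responses in demo() are constructed by hand, and all names here are this
example's own; a real scanner would fill Response from its HTTP client.
"""
from __future__ import annotations

from dataclasses import dataclass

# Suffixes that editors, deploy scripts and manual copies append to a filename.
COPY_SUFFIXES = (".bak", ".old", ".orig", ".save", ".tmp", ".copy", "~", ".1")
# Whole-site archives and database dumps that frequently land in a web root.
ARCHIVE_NAMES = ("backup.zip", "backup.tar.gz", "site.tar", "www.zip",
                 "dump.sql", "db.sql", "database.sql.gz")
# Leading bytes that identify a downloadable artifact or unexecuted source.
MAGIC = ((b"PK\x03\x04", "zip archive"),
         (b"\x1f\x8b", "gzip stream"),
         (b"<?php", "raw PHP source"))
# Text markers that identify a SQL dump anywhere in the first few KB.
SQL_MARKERS = (b"CREATE TABLE", b"INSERT INTO", b"-- MySQL dump")


def candidate_paths(known_path: str) -> list[str]:
    """Return backup-file candidates derived from one known URL path.

    /app/config.php -> /app/config.php.bak, /app/config.php~,
    /app/.config.php.swp, /app/config.bak, /app/backup.zip, ...
    """
    directory, _, name = known_path.rpartition("/")
    stem, dot, _ext = name.rpartition(".")
    cands = [f"{directory}/{name}{s}" for s in COPY_SUFFIXES]
    cands.append(f"{directory}/.{name}.swp")          # vim swap file
    if dot:                                           # extension swapped: config.bak
        cands += [f"{directory}/{stem}.bak", f"{directory}/{stem}.old"]
    cands += [f"{directory}/{a}" for a in ARCHIVE_NAMES]
    return list(dict.fromkeys(cands))                 # de-duplicate, keep order


@dataclass
class Response:
    """The parts of an HTTP response the triage needs."""
    status: int
    content_type: str
    body: bytes


def classify(resp: Response, soft404: Response | None = None) -> tuple[bool, str]:
    """Decide whether a candidate's response indicates an exposed backup.

    soft404 is the response for a deliberately nonexistent path: many
    applications answer 200 with a generic page, so a 200 alone proves nothing.
    """
    if resp.status != 200:
        return False, f"HTTP {resp.status}"
    if soft404 is not None and resp.body == soft404.body:
        return False, "soft-404 body"
    if resp.body[257:262] == b"ustar":                # POSIX tar header
        return True, "tar archive"
    for magic, label in MAGIC:
        if resp.body.startswith(magic):
            return True, label
    if any(m in resp.body[:4096] for m in SQL_MARKERS):
        return True, "SQL dump"
    if resp.content_type.split(";")[0].strip() in (
            "application/octet-stream", "application/zip", "application/x-gzip",
            "application/x-tar", "application/sql"):
        return True, f"downloadable content-type {resp.content_type}"
    return False, "no backup signature"


def demo() -> dict[str, tuple[bool, str]]:
    """Triage a set of constructed responses (no network involved)."""
    soft404 = Response(200, "text/html", b"<html><body>Page not found</body></html>")
    samples = {
        "/app/config.php.bak": Response(200, "text/plain", b"<?php\n$db_pass = 'hunter2';\n"),
        "/app/backup.zip": Response(200, "application/zip", b"PK\x03\x04" + b"\x00" * 26),
        "/app/dump.sql": Response(200, "text/plain",
                                  b"CREATE TABLE users (id INT);\nINSERT INTO users VALUES (1);\n"),
        "/app/config.php~": Response(200, "text/html", soft404.body),   # soft-404, not a hit
        "/app/config.php.old": Response(404, "text/html", b"not found"),
    }
    return {path: classify(r, soft404) for path, r in samples.items()}


if __name__ == "__main__":
    for p in candidate_paths("/app/config.php"):
        print("candidate:", p)
    for path, (hit, why) in demo().items():
        print(f"{'HIT ' if hit else '    '} {path}: {why}")
```

Seed candidate_paths with paths taken from the site's own links, sitemap or JavaScript rather than a generic wordlist alone; the highest-value hits are backups of files the application actually uses, such as its configuration and database-access code. Always fetch a random nonexistent path first so the soft-404 comparison has something to work with.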
Remediation
Store Backups Outside Web Root
Place all backup files in directories that the web server does not serve. As defense in depth, configure the web server to refuse requests for backup extensions (.bak, .old, .sql, ~ and similar), so that a copy left behind by mistake is at least not handed out as plain text.
Restrict Access via Permissions
Use filesystem permissions to limit who can read backup files; the web server's service account should not be among them. Only trusted administrators should have access.
Remove Unnecessary Backups
Do not leave temporary or old backup files on production servers. Implement a backup rotation and deletion policy and check the web root for leftovers as part of deployment.
Use Strong Filenames / Non-Predictable Paths
Avoid predictable backup file names. In the rare case that a backup must be reachable over HTTP, put it behind authentication; a randomized or hashed path only slows discovery and is not access control on its own.
Disable Directory Listings
Ensure the web server does not produce directory listings, which would reveal backup files regardless of their names.
Encrypt Sensitive Backups
For offline or cloud storage, encrypt backups so that accidental exposure of the file does not expose its contents.
Security Testing
Include backup file enumeration tests during security assessments and penetration testing.
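The "keep backups out of the web root", "restrict permissions" and "remove leftovers" points above combine naturally into a pre-deployment check. The script below is an added example, not code from the original page: it walks a web root, flags files whose names match backup, editor-artifact or archive/dump patterns, and moves them into a quarantine directory outside the web root created with mode 0700 (files 0600) so that only the owning account can read them. The sample web root it scans is constructed in a temporary directory, and the function names and pattern list are this example's own assumptions.

```python
"""Pre-deploy check for backup artifacts inside a web root, with a quarantine
step that moves them outside it under restrictive permissions.

Added example, not code from the original page. The web root it scans is a
constructed layout in a temporary directory; all names are this example's own.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

# (filename pattern, reason) pairs; matched against the bare filename.
BACKUP_PATTERNS = (
    (re.compile(r".*\.(bak|old|orig|save|copy|tmp)$", re.I), "backup copy of a file"),
    (re.compile(r".*~$|^#.*#$|^\..*\.sw[op]$"), "editor backup or swap file"),
    (re.compile(r".*\.(sql|sql\.gz|zip|tar|tar\.gz|tgz|7z|rar)$", re.I), "archive or database dump"),
)


def find_backup_artifacts(webroot: Path) -> list:
    """Walk webroot and return (relative path, reason) for every suspicious file."""
    findings = []
    for path in sorted(webroot.rglob("*")):
        if not path.is_file():
            continue
        for pattern, reason in BACKUP_PATTERNS:
            if pattern.match(path.name):
                findings.append((path.relative_to(webroot).as_posix(), reason))
                break
    return findings


def quarantine(webroot: Path, findings: list, dest: Path) -> list:
    """Move flagged files out of the web root into dest.

    dest is created mode 0700 and each moved file set to 0600, so only the
    owning (administrative) account can read them. Delete dest afterwards if
    the copies are not needed; the move exists so nothing is lost by mistake.
    """
    dest.mkdir(parents=True, exist_ok=True)
    os.chmod(dest, 0o700)
    moved = []
    for rel, _reason in findings:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(webroot / rel), str(target))
        os.chmod(target, 0o600)
        moved.append(target)
    return moved


def build_sample_webroot() -> Path:
    """Create a constructed web root with a mix of legitimate files and leftovers."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.php": "<?php echo 'hello';",
        "config.php": "<?php $db_pass = 'hunter2';",
        "config.php.bak": "<?php $db_pass = 'hunter2';",   # manual copy
        "config.php~": "<?php $db_pass = 'hunter2';",      # editor backup
        ".index.php.swp": "b0VIM 9.0",                      # vim swap file
        "backups/db.sql": "CREATE TABLE users (id INT);",  # dump inside the web root
        "assets/logo.png": "PNG",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    findings = find_backup_artifacts(root)
    for rel, reason in findings:
        print(f"{rel}: {reason}")
    moved = quarantine(root, findings, root.parent / (root.name + ".quarantine"))
    print(f"moved {len(moved)} file(s) out of {root}; remaining: {find_backup_artifacts(root)}")
    raise SystemExit(1 if findings else 0)   # fail the deploy job when anything was found
```

Run it against the build output in CI so the job fails before a stray config.php.bak reaches production; the quarantine step is for servers that are already live, where deleting on sight risks losing the only copy of something. Name-based matching is a floor, not a ceiling: a dump saved as data.txt will slip past it, so pair the check with the content-based triage used in testing.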