Following my scan for exposed .git directories, I conducted a large-scale scan of 2.6 million domains to uncover exposed .env files, revealing critical security vulnerabilities. This scan identified 201 exposed .env files containing sensitive data, including 135 database credentials, 48 email account credentials, 11 payment provider keys (e.g., Stripe, PayPal), 98 API tokens, 128 app secrets for session IDs, CSRF tokens, and JWTs, and several hardcoded admin credentials.
TL;DR: Exposed .env files are a security risk. Ensure proper server configuration to keep these hidden files inaccessible.
Why I Conducted This Scan
As SDCat, a curious software developer, I’m driven to explore system vulnerabilities. After my .git directory scan, I turned my attention to .env files, which often store sensitive configuration data. This post explains what .env files are, how I scanned for them, and the alarming findings from this process.
What Is a .env File?
A .env file is a hidden configuration file used by server-based software to store settings like database credentials, API keys, and other sensitive data. Unlike user-facing apps that prompt for settings, server applications rely on these files for automated configuration, often via environment variables.
Example .env File:
ENV="PRODUCTION"
LOG_LEVEL="INFO"
SMTP_HOST="email.example.com"
SMTP_PORT=25
SMTP_USER="info@example.com"
SMTP_PASS="SuperSecurePassword2025"
SMTP_TLS=1
DB_HOST="dbserver.example.com"
DB_DATABASE_NAME="important_database"
DB_USER="my-app-db-user"
DB_PASSWORD="2025SuperVerySecurePassword"
PAYMENT_GATEWAY="payment.example.com"
PAYMENT_SECRET="super-secure-payment-api-secret"
Why Are Exposed .env Files Dangerous?
.env files often contain unencrypted credentials for databases, APIs, and payment systems. If a web server is misconfigured, these files can be accessed via a simple URL (e.g., https://example.com/.env), exposing sensitive data to anyone. This vulnerability can lead to unauthorized access, data breaches, or financial loss.
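The primary fix for this exposure is web server configuration, but an application-level guard is a useful second line of defence when the vhost is wrong or the app has a static-file fallback. The following WSGI middleware is an added example written for this post, not code from the author or any project it mentions; it assumes a WSGI application (Flask, Django, plain WSGI) behind it, and the `naive_static_app` and `SECRETS` table are constructed stand-ins that deliberately serve whatever path they are asked for, so the effect of the wrapper is visible.

```python
"""Defence in depth: refuse to serve dotfiles from the application layer.

Added example, not from the post. The real fix is the web server
configuration; this WSGI middleware makes sure that even a misconfigured
vhost or a static-file fallback inside the app cannot hand out `.env`,
`.git/`, `.htpasswd` and similar hidden files.
"""
from typing import Tuple
from urllib.parse import unquote


def has_dot_segment(path: str) -> bool:
    """True if any path segment starts with '.' after percent-decoding.

    WSGI servers normally hand over PATH_INFO already decoded; decoding once
    more only makes the rule stricter, so a double-encoded `%252Eenv` is
    caught as well.
    """
    decoded = unquote(path)
    return any(seg.startswith(".") for seg in decoded.split("/") if seg)


class DenyDotfiles:
    """Wrap a WSGI app; answer 404 for dotfile paths without consulting the app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if has_dot_segment(environ.get("PATH_INFO", "")):
            # 404 rather than 403, so the response does not confirm the file exists.
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found\n"]
        return self.app(environ, start_response)


# Constructed stand-in application that leaks anything it is asked for
# (the values are placeholders, not real credentials).
SECRETS = {
    "/.env": b'DB_PASSWORD="not-a-real-password"\n',
    "/index.html": b"<h1>hi</h1>\n",
}


def naive_static_app(environ, start_response):
    """Hypothetical unprotected app: serves any path present in SECRETS."""
    body = SECRETS.get(environ.get("PATH_INFO", ""))
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not Found\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def request(app, path: str) -> Tuple[str, bytes]:
    """Minimal in-process WSGI driver: returns (status line, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body


protected = DenyDotfiles(naive_static_app)

if __name__ == "__main__":
    for p in ("/index.html", "/.env", "/%2Eenv", "/.git/config"):
        print(p, "->", request(protected, p)[0])
```

Wrapping the app this way does not replace the server rule (the file is still on disk, and anything served directly by nginx or Apache never reaches the middleware); it only closes the gap where the application itself is the thing answering the request.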
How I Scanned 2.6 Million Domains
Acquiring Domains
I targeted a country allowing DNS zone transfers, downloading its complete zone file. Using a Python script, I extracted NS records to compile a list of domain names.
Scanning Process
A custom Python script requested the /.env path on each domain over both HTTP and HTTPS, with and without the www. prefix (four URLs per domain). To maximize findings, I disabled SSL certificate validation, as many exposed files were hosted on sites with invalid certificates.
Findings
From 2.6 million domains scanned, I found:
- 201 exposed .env files
- 135 database usernames and passwords
- 48 email account credentials
- 11 payment provider credentials (e.g., Stripe, PayPal)
- 98 API keys (e.g., for credit check APIs)
- 128 app secrets (for session IDs, CSRF tokens, JWTs)
These results cover only main domains. Scanning subdomains would likely reveal even more vulnerabilities.
How to Check If Your Domain Is Affected
To verify if your domains or subdomains expose .env files:
- Use a Nuclei template to scan for sensitive files.
- Employ services like scan.nan.io for automated checks.
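For a domain you own, the same check the scan performed can be scripted in a few lines. This is an added example, not the author's scanner: it builds the four URL variants described in the scanning section, applies a heuristic to decide whether a response body is a .env file rather than a soft-404 HTML page, and reports which key names look like credentials without ever printing their values. The fetcher is injectable, so the constructed `FAKE_RESPONSES` below exercise the logic offline; the `http_fetch` function is the live version and, like the post's scan, it skips certificate validation.

```python
"""Self-check for an exposed .env file on a domain you own (added example)."""
import re
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional

# Matches a line such as  DB_PASSWORD="..."  or  SMTP_PORT=25  (optional `export`).
ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=(.*)$')

# Key-name fragments that mean the file carries credentials, not just settings.
SENSITIVE_HINTS = ("PASS", "SECRET", "TOKEN", "KEY", "PRIVATE", "CREDENTIAL")


def candidate_urls(domain: str) -> List[str]:
    """The four locations the post's scan requested: http/https, bare and www."""
    bare = domain.lower().strip()
    if bare.startswith("www."):
        bare = bare[4:]
    return [f"{scheme}://{host}/.env"
            for scheme in ("http", "https")
            for host in (bare, f"www.{bare}")]


def parse_env(body: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; returns {} for HTML or other non-.env content."""
    found: Dict[str, str] = {}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]          # strip matching surrounding quotes
        found[key] = value
    return found


def looks_like_env(body: str, min_keys: int = 3) -> bool:
    """Heuristic: a real .env has several KEY=VALUE lines and no HTML markup."""
    lowered = body.lower()
    if "<html" in lowered or "<!doctype" in lowered:
        return False                     # a 200 with a soft-404 template, not a dotfile
    return len(parse_env(body)) >= min_keys


def sensitive_keys(env: Dict[str, str]) -> List[str]:
    """Key names that suggest credentials (report names only, never values)."""
    return sorted(k for k in env if any(h in k for h in SENSITIVE_HINTS))


def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Live fetcher; certificate validation is disabled on purpose, as in the post."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            if resp.status != 200:
                return None
            return resp.read(64 * 1024).decode("utf-8", errors="replace")
    except Exception:                    # DNS failure, refused connection, HTTPError
        return None


def check_domain(domain: str,
                 fetch: Callable[[str], Optional[str]] = http_fetch) -> Dict[str, List[str]]:
    """Return {url: [credential-like key names]} for each variant serving a .env."""
    exposed: Dict[str, List[str]] = {}
    for url in candidate_urls(domain):
        body = fetch(url)
        if body is not None and looks_like_env(body):
            exposed[url] = sensitive_keys(parse_env(body))
    return exposed


# Constructed responses standing in for a live server (placeholder values only).
FAKE_RESPONSES = {
    "https://example.com/.env": 'ENV="PRODUCTION"\nDB_HOST="dbserver.example.com"\n'
                                'DB_USER="app"\nDB_PASSWORD="not-a-real-password"\n'
                                'PAYMENT_SECRET="not-a-real-secret"\n',
    "http://example.com/.env": "<!DOCTYPE html><html><body>Not Found</body></html>",
}


def fake_fetch(url: str) -> Optional[str]:
    return FAKE_RESPONSES.get(url)


if __name__ == "__main__":
    for url, keys in check_domain("example.com", fake_fetch).items():
        print(f"EXPOSED {url}: credential-like keys {keys}")
```

Run it with `check_domain("yourdomain.example")` (the default live fetcher) against domains you administer; an empty result means none of the four variants returned something that parses as a .env file, which is the state a correct server configuration should leave you in.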
Key Takeaway
Exposed .env files pose a significant security threat. Always verify your server and deployment configurations to ensure hidden files like .env remain inaccessible to the public.
