A security tool for discovering sensitive files on websites. Scans for multiple categories of sensitive files with customizable output formats.
- 🔍 Multiple scan categories:
- Shell/backdoor files
- Environment files
- Git repository files
- Other sensitive files
- 📊 Flexible output formats (JSON, CSV)
- 📁 Output file support
- 🎯 Category-based result tracking
- 🛡️ Soft-404 / false-positive filtering
Many sites (SPAs, catch-all routers, custom error pages) return 200 OK for
any path, including files that don't exist — e.g. https://site/js/.env
returns the SPA index page with status 200. Without protection every probed
path looks like a "hit".
Before scanning, the tool probes several paths that should never exist and
records the signature (body size + Content-Type) of any 200 response. When
a real target file is found, its body is fetched and compared to those
baselines. If it matches (same content-type and body size within ~2%), it is
discarded as a false positive instead of being reported.
Baseline signatures are printed at the start of a scan when a soft-404 site is detected.
git clone https://github.com/begininvoke/SensitiveFileFuzzer.git
cd SensitiveFileFuzzer
go buildBasic scan:
./SensitiveFileFuzzer -url https://example.com --shellComprehensive scan with JSON output:
./SensitiveFileFuzzer -url https://example.com --all -f json -o ./resultsUsage of ./SensitiveFileFuzzer:
-url string
Target URL (e.g., https://example.com)
-all
Try all file lists
-env
Try environment file lists
-git
Try git-related file lists
-sens
Try sensitive file lists
-shell
Try shell/backdoor file lists
-f string
Output format: json or csv
-o string
Output directory path
-v
Show only successful results
-rate int
Rate limit: requests per second (0 = no limit)
-timeout int
Per-request timeout in seconds (default 20)
-maxtimeouts int
Abort the scan after this many consecutive timeouts (default 3)
-config string
Custom config JSON file pathEach request is bounded by -timeout seconds (default 20). Consecutive
timeouts are counted: after -maxtimeouts in a row (default 3) the scan is
aborted, since the host has likely gone down or started dropping requests. Any
successful response resets the counter to 0, so isolated slow requests don't
stop a healthy scan.
./SensitiveFileFuzzer -url https://example.com --all -timeout 5 -maxtimeouts 3{
"total_count": 4,
"categories": {
"Git": [
"https://example.com/.git/config",
"https://example.com/.gitignore"
],
"Environment": [
"https://example.com/.env",
"https://example.com/.env.local"
]
},
"summary": {
"Git": 2,
"Environment": 2
}
}Category,URL
Git,https://example.com/.git/config
Git,https://example.com/.gitignore
Environment,https://example.com/.env
Environment,https://example.com/.env.local🎯 Found 4 sensitive files:
📁 Git (2 files):
└─ https://example.com/.git/config
└─ https://example.com/.gitignore
📁 Environment (2 files):
└─ https://example.com/.env
└─ https://example.com/.env.local
Customize detection rules using a JSON configuration file:
{
"path": "/test.txt",
"content": "#application/json#text/html",
"length": "*"
}"*": Accept any Content-Type"#application/json#text/html": Exclude specific Content-Types"application/json": Match exact Content-Type
"length": "10": Match responses with Content-Length >= 10"length": "*": Accept any Content-Length
Pull requests are welcome. For major changes, please open an issue first.