DefenseCode

Backup File

Risk type: LOW

Description:

Backup copies of files are sometimes left on the web server by administrators or developers. These files can contain script source code, configuration files, or other sensitive information that could allow an attacker to compromise the system.

Mitigation:

  • Use strong authentication between the backup server and backup clients.
  • Use encryption on the backup server to secure data on backup media.
  • Use current, non-deprecated encryption algorithms.
  • Keep the backup server and the web server on different (virtual) machines.
  • Do not edit files in-place on the web server/application server file systems. Editors often create backup files without your knowledge.
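As an added defender's check (not part of the DefenseCode text), the following Python script walks a web root and reports files whose names follow common editor or administrator backup conventions, noting whether the file they appear to be a copy of is still present. The pattern list and the sample directory tree are constructed for this example.

```python
import os
import re
import tempfile
from pathlib import Path

# Name conventions that editors and administrators commonly leave behind.
# Constructed for this example; order matters (specific patterns first).
BACKUP_PATTERNS = [
    re.compile(r"^(?P<orig>.+)~$"),                 # "index.php~" (vi/emacs backup)
    re.compile(r"^#(?P<orig>.+)#$"),                # "#login.php#" (emacs autosave)
    re.compile(r"^\.(?P<orig>.+)\.swp$"),           # ".config.php.swp" (vim swap file)
    re.compile(r"^(?P<orig>.+)\.(bak|old|orig|save|tmp)$", re.IGNORECASE),  # "config.php.bak"
]

def classify(name):
    """Return the likely original file name, or None if the name is not a backup."""
    for pattern in BACKUP_PATTERNS:
        match = pattern.match(name)
        if match:
            return match.group("orig")
    return None

def find_backup_files(webroot):
    """Walk webroot; return a sorted list of (relative_path, original_still_present)."""
    webroot = Path(webroot)
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            orig = classify(name)
            if orig is None:
                continue
            rel = Path(dirpath, name).relative_to(webroot).as_posix()
            findings.append((rel, (Path(dirpath) / orig).exists()))
    return sorted(findings)

def build_sample_webroot():
    """Create a constructed web root in a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "inc").mkdir()
    for rel in ["index.php", "index.php~", "inc/config.php", "inc/config.php.bak",
                "inc/.config.php.swp", "#login.php#", "style.css"]:
        (root / rel).write_text("sample content\n")
    return root

if __name__ == "__main__":
    for rel, present in find_backup_files(build_sample_webroot()):
        print(f"{rel}: {'original present' if present else 'orphaned copy'}")
```

Run it against a real document root to list candidate files for removal; an orphaned copy is a file that no longer has a live counterpart and is almost certainly stale.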

Further reading:

https://www.owasp.org/index.php/Testing_for_Old,_Backup_and_Unreferenced_Files_(OWASP-CM-006)