Snallygaster: The Single-File Security Scanner That Finds What Developers Leave Behind
Hook
A 2019 study found that 2.8% of all public web servers expose their .git directories, leaking complete source code and credentials. Snallygaster finds these exposures in seconds with zero configuration.
Context
Every security researcher has a war story about finding production credentials in exposed backup files. A misplaced .git directory here, a forgotten database.sql.bak there, maybe a .env file that survived a deploy script. These aren't sophisticated attacks requiring zero-days—they're the digital equivalent of leaving your house keys under the doormat.
Traditional vulnerability scanners like Nessus or OpenVAS are comprehensive but heavy, often requiring gigabytes of signature databases and lengthy scans. Penetration testers needed something lighter for initial reconnaissance: a tool that could answer the question "Did the developers accidentally leave sensitive files exposed?" in under a minute. Hanno Böck created Snallygaster in 2018 as that tool—a focused, single-file Python script that checks for the most common file exposure mistakes without the overhead of a full vulnerability scanner. The name comes from a dragon-like creature in Maryland folklore, symbolizing the hidden dangers lurking on web servers.
Technical Insight
Snallygaster's architecture is deliberately minimal: one Python file, roughly 2,000 lines, with only three external dependencies (urllib3, lxml, and dnspython). This design choice means you can audit the entire codebase in an afternoon and deploy it anywhere Python 3 runs. The tool operates by maintaining an internal list of dangerous file paths and patterns, then systematically probing each one via HTTP requests.
The core scanning logic follows a straightforward pattern-matching approach. For each target domain, Snallygaster iterates through its test catalog, makes HTTP requests to known vulnerable paths, and analyzes responses for indicators of exposure. Here's a simplified example of how it checks for exposed Git repositories:
import urllib3

# Shared connection pool; the real tool also drives its probes through urllib3
http = urllib3.PoolManager()

def check_git_exposure(url):
    # Files present in every Git checkout; any one being readable is a leak
    test_paths = [
        '/.git/HEAD',
        '/.git/config',
        '/.git/index'
    ]
    for path in test_paths:
        response = http.request('GET', url + path)
        if response.status == 200:
            content = response.data.decode('utf-8', errors='ignore')
            # Check for Git-specific markers rather than trusting the 200 alone
            if path.endswith('/HEAD') and 'ref:' in content:
                return {
                    'severity': 'HIGH',
                    'issue': 'Exposed Git repository',
                    'path': path,
                    'details': 'Git HEAD file accessible, full source may be downloadable'
                }
    return None
What makes Snallygaster effective isn't novel technology—it's comprehensive coverage of real-world mistakes. The TESTS.md file documents over 50 different checks, from obvious targets like .env and wp-config.php.bak to obscure ones like .code-workspace (VS Code workspace files that can leak project structure) or .pypirc (Python package repository credentials). Each test includes context about why the exposure matters and what an attacker could extract.
The tool also implements intelligent response analysis beyond simple status code checking. For backup files, it looks for content signatures like SQL dump headers, configuration file syntax, or serialized data structures. This reduces false positives from honeypots or servers that return 200 OK for everything:
# Example of content-based validation for database dumps
def report_finding(kind, url, path):
    # Minimal stand-in for the tool's reporting helper
    return {'type': kind, 'url': url, 'path': path}

def check_database_dump(url, path):
    response = http.request('GET', url + path)
    if response.status == 200:
        # Dump headers sit at the top of the file, so 1 KB is enough to classify it
        content_sample = response.data[:1024].decode('utf-8', errors='ignore')
        # Check for SQL dump signatures
        sql_indicators = [
            'CREATE TABLE',
            'INSERT INTO',
            'mysqldump',
            'PostgreSQL database dump',
            'SQLite format'
        ]
        if any(indicator in content_sample for indicator in sql_indicators):
            return report_finding('DATABASE_DUMP', url, path)
    return None
Snallygaster also includes DNS-based security checks using dnspython, testing for SPF record misconfigurations, CAA record presence, and DNSSEC validation. This extends its utility beyond pure HTTP scanning into broader infrastructure security assessment. The single-file design means adding new tests is as simple as defining a new function and adding it to the test registry—no complex plugin architecture or update mechanisms required.
One clever optimization is the tool's handling of rate limiting and error states. Rather than aggressively hammering servers, it includes respectful delays and terminates checks early if a server appears to return the same response for all paths (a common anti-scanning technique). This makes Snallygaster suitable for scanning your own infrastructure in CI/CD pipelines without triggering alerts or impacting performance.
Gotcha
Snallygaster's narrow focus is both its strength and limitation. It only checks for known file paths—if a developer named their database dump production-backup-2024.sql instead of database.sql, Snallygaster won't find it. The tool doesn't perform directory brute-forcing or fuzzing, which means creative naming schemes or non-standard deployment patterns can evade detection entirely. For comprehensive file discovery, you'd need to pair it with tools like ffuf or gobuster.
False positives can be problematic on servers with aggressive catch-all configurations. Some frameworks return 200 OK for all requests and render the same template with minor variations, which can confuse Snallygaster's content analysis. The tool tries to detect this pattern, but edge cases exist where you'll need to manually verify findings. Additionally, servers behind WAFs or DDoS protection services (like Cloudflare) may block or challenge Snallygaster's requests, requiring manual intervention or configuration of custom headers and delays that the tool doesn't natively support.
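The catch-all handling described in the Technical Insight and Gotcha sections, as an added example that is not Snallygaster's own code: random paths that cannot legitimately exist are fetched first to learn what the server answers for "anything", and a hit on a sensitive path is discarded when it matches that baseline. FakeServer and both sample servers are constructed stand-ins for real HTTP so the example runs offline.

```python
import hashlib
import random
import string

class FakeServer:
    """Constructed stand-in for an HTTP server: known routes plus a default
    handler for everything else (this models catch-all frameworks)."""
    def __init__(self, routes, default):
        self.routes, self.default = routes, default

    def get(self, path):
        return self.routes[path] if path in self.routes else self.default(path)

def fingerprint(status, body, path):
    """(status, hash of the body with the requested path blanked out), so a
    catch-all template that merely echoes the URL still compares equal."""
    normalized = body.replace(path, '')
    return status, hashlib.sha256(normalized.encode()).hexdigest()

def baseline(server, probes=3, seed=1):
    """Fetch random paths that should not exist. If every probe shares one
    fingerprint, that is the server's answer-for-everything page."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(probes):
        path = '/' + ''.join(rng.choices(string.ascii_lowercase, k=16))
        seen.add(fingerprint(*server.get(path), path))
    return seen.pop() if len(seen) == 1 else None

def check_git_head(server):
    """Report /.git/HEAD only when it differs from the catch-all page and the
    body carries a Git marker; both conditions are needed to avoid false positives."""
    path = '/.git/HEAD'
    status, body = server.get(path)
    if status != 200:
        return None
    if fingerprint(status, body, path) == baseline(server):
        return None  # identical to what any bogus path gets: not a leak
    if body.startswith('ref: refs/'):
        return {'severity': 'HIGH', 'path': path, 'issue': 'Exposed Git repository'}
    return None

# Constructed sample servers: one really leaks .git, one answers 200 to everything
LEAKY = FakeServer({'/.git/HEAD': (200, 'ref: refs/heads/main\n')},
                   lambda p: (404, 'Not Found'))
CATCH_ALL = FakeServer({}, lambda p: (200, f'<h1>Welcome to {p}</h1>'))
```

Running the same check against a real target would swap FakeServer.get for an HTTP GET; the baseline-then-compare logic stays the same.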
Verdict
Use if: You need rapid reconnaissance for security audits, bug bounties, or pre-deployment security gates in CI/CD pipelines. Snallygaster excels at finding embarrassing misconfigurations that are surprisingly prevalent: exposed Git repositories, backup files, and configuration leaks that take 30 seconds to check but can yield complete system compromise. It's perfect for security teams building automated scanning into deployment workflows or researchers doing initial target assessment.
Skip if: You need comprehensive vulnerability scanning beyond file exposure (use Nuclei or Burp Suite), want to perform aggressive directory brute-forcing (use ffuf or gobuster), or are targeting applications with heavy WAF protection where you need fine-grained request control. Also skip if you're looking for a maintained enterprise tool with vendor support: Snallygaster is a focused community project, not a commercial scanner with SLAs.