Snallygaster: Finding the Secrets Web Servers Accidentally Expose
Hook
Production web servers routinely expose Git repositories, database dumps and backup files that contain credentials. Snallygaster, a focused Python script with minimal dependencies, exists to find those exposures before an attacker does.
Context
The most damaging security breaches often start with the simplest mistakes: a .git directory left accessible on a production server, a database backup copied to the web root for ‘just a minute,’ a configuration file with hardcoded AWS keys pushed live during a rushed deployment. These aren’t sophisticated zero-days—they’re the digital equivalent of leaving your house keys under the doormat. Yet they persist across Fortune 500 companies and weekend projects alike.
Snallygaster emerged from this reality. Created by security researcher Hanno Böck, it’s a reconnaissance tool designed to catch the low-hanging fruit that traditional vulnerability scanners often miss or bury in noise. Instead of testing for SQL injection or XSS, snallygaster asks simpler questions: Is your .git/config file publicly readable? Did you leave backup files in the web root? Can I download your configuration files? The tool’s singular focus—finding files that should never be public—makes it fast, portable, and effective at revealing what security professionals call ‘stupid mistakes’ that carry serious consequences.
Technical Insight
Snallygaster’s architecture reflects a deliberate choice: simplicity over comprehensiveness. The scanner is a single Python 3 script with only a few third-party dependencies: urllib3 for HTTP, lxml for parsing responses and dnspython for DNS checks (confirm the exact module list against the README of the release you install). That keeps it trivially easy to run anywhere Python 3 runs, from CI/CD pipelines to penetration testing engagements.
The scanning approach is pattern-based reconnaissance. Snallygaster maintains a curated list of file paths and misconfigurations that are both common and high-value, then issues one targeted HTTP request per check. Unlike directory brute-forcers that hammer a server with thousands of wordlist requests, it asks only for things worth finding. When you point it at a domain, it methodically probes for exposed version control directories (.git, .svn, .hg), backup files, configuration files and other artifacts that reveal too much about a system’s internals.
Installation requires a single pip command, or you can download and execute the script directly:
# Install via pip
pip3 install snallygaster
# Or install dependencies manually on Debian/Ubuntu
apt install python3-dnspython python3-lxml python3-urllib3
# Run against a target
snallygaster https://example.com
The tool’s value lies in its catalog of leak patterns. The repository includes a TESTS.md file documenting every check, which doubles as an educational resource for understanding what each finding means. For example, an exposed .git directory doesn’t just leak the current source code: every blob ever committed stays in the object store, so a credential that a later commit ‘removed’ is still there for anyone who can walk the history.
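To make the history point concrete, here is an added example (not snallygaster’s code, and not the project’s way of doing anything) that models what an attacker does with a downloadable .git directory: loose objects under .git/objects are zlib-compressed ‘type size\0content’ records, so each one can be inflated, verified against its SHA-1 name and walked from HEAD back through parent commits. The object store here is a constructed in-memory dict standing in for files fetched over HTTP, and the two-commit repository (a config file with a password added, then deleted) is likewise constructed for the demonstration; the regex for ‘secret-looking’ lines is this example’s own.

```python
import hashlib
import re
import zlib
from typing import Dict, Iterator, List, Tuple

Store = Dict[str, bytes]   # path under the web root -> raw bytes "downloaded" from it

def _header(kind: str, content: bytes) -> bytes:
    return f"{kind} {len(content)}".encode() + b"\x00"

def git_oid(kind: str, content: bytes) -> str:
    """The id git assigns to an object: SHA-1 over 'type size\\0' + content."""
    return hashlib.sha1(_header(kind, content) + content).hexdigest()

def store_loose(store: Store, kind: str, content: bytes) -> str:
    """Save an object as git does on disk (zlib of header+content); return its id."""
    oid = git_oid(kind, content)
    store[f".git/objects/{oid[:2]}/{oid[2:]}"] = zlib.compress(_header(kind, content) + content)
    return oid

def load_loose(store: Store, oid: str) -> Tuple[str, bytes]:
    """Inflate a downloaded loose object, validate header and id, return (type, content)."""
    data = zlib.decompress(store[f".git/objects/{oid[:2]}/{oid[2:]}"])
    header, _, content = data.partition(b"\x00")
    kind, size = header.decode().split(" ")
    if int(size) != len(content) or hashlib.sha1(data).hexdigest() != oid:
        raise ValueError(f"object {oid} is corrupt or was tampered with in transit")
    return kind, content

def tree_entry(mode: str, name: str, oid: str) -> bytes:
    """One tree entry as git encodes it: '<mode> <name>\\0' + 20 raw SHA-1 bytes."""
    return f"{mode} {name}".encode() + b"\x00" + bytes.fromhex(oid)

def parse_tree(content: bytes) -> List[Tuple[str, str, str]]:
    """Decode tree entries; the 20 raw id bytes may contain NULs, so skip past them explicitly."""
    entries, i = [], 0
    while i < len(content):
        nul = content.index(b"\x00", i)
        mode, name = content[i:nul].decode().split(" ", 1)
        entries.append((mode, name, content[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries

def commit_fields(content: bytes) -> Dict[str, List[str]]:
    """Header lines of a commit (tree, parent, author, ...); multi-line gpgsig headers not handled."""
    head, _, _ = content.partition(b"\n\n")
    fields: Dict[str, List[str]] = {}
    for line in head.decode().splitlines():
        key, value = line.split(" ", 1)
        fields.setdefault(key, []).append(value)
    return fields

def iter_blobs(store: Store, tree_oid: str, prefix: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (path, blob id) for every file under a tree, recursing into subdirectories."""
    for mode, name, oid in parse_tree(load_loose(store, tree_oid)[1]):
        if mode == "40000":          # git writes subtrees with mode 40000
            yield from iter_blobs(store, oid, prefix + name + "/")
        else:
            yield prefix + name, oid

def walk_history(store: Store, head_oid: str) -> Iterator[str]:
    """Yield commit ids from HEAD backwards along first-parent links."""
    oid = head_oid
    while oid:
        yield oid
        oid = commit_fields(load_loose(store, oid)[1]).get("parent", [None])[0]

def find_secrets(store: Store, head_oid: str,
                 pattern: bytes = rb"(?i)(password|secret|api_key)\s*[=:]") -> List[Tuple[str, str, str]]:
    """Scan every file in every reachable commit; return (short commit id, path, matching line)."""
    hits = []
    for commit in walk_history(store, head_oid):
        tree_oid = commit_fields(load_loose(store, commit)[1])["tree"][0]
        for path, blob_oid in iter_blobs(store, tree_oid):
            for line in load_loose(store, blob_oid)[1].splitlines():
                if re.search(pattern, line):
                    hits.append((commit[:7], path, line.decode()))
    return hits

def head_files(store: Store, head_oid: str) -> List[str]:
    """File paths present in the newest commit only, i.e. what the deployed tree shows."""
    tree_oid = commit_fields(load_loose(store, head_oid)[1])["tree"][0]
    return [path for path, _ in iter_blobs(store, tree_oid)]

def build_sample_repo() -> Tuple[Store, str]:
    """Constructed history: commit 1 adds config.php with a password, commit 2 'removes' it."""
    store: Store = {}
    secret = store_loose(store, "blob", b"<?php\n$db_password = 'hunter2';\n")
    readme = store_loose(store, "blob", b"Example site\n")
    tree1 = store_loose(store, "tree", tree_entry("100644", "README", readme)
                        + tree_entry("100644", "config.php", secret))
    tree2 = store_loose(store, "tree", tree_entry("100644", "README", readme))
    who = ("author Dev <dev@example.invalid> 1700000000 +0000\n"
           "committer Dev <dev@example.invalid> 1700000000 +0000")
    c1 = store_loose(store, "commit", f"tree {tree1}\n{who}\n\nadd site config\n".encode())
    c2 = store_loose(store, "commit", f"tree {tree2}\nparent {c1}\n{who}\n\nremove credentials\n".encode())
    return store, c2

if __name__ == "__main__":
    repo, head = build_sample_repo()
    print("files at HEAD:", head_files(repo, head))        # config.php is gone from HEAD...
    for commit, path, line in find_secrets(repo, head):   # ...but its blob is still in the store
        print(f"{commit} {path}: {line}")
```

The id check in load_loose matters in practice: objects pulled over HTTP from a misconfigured server can be truncated or served by a catch-all handler, and a mismatched SHA-1 is the cheapest way to notice before trusting the content. On a real target the store dict would be filled by fetching .git/HEAD, the ref it names and then each object by path; the walk itself is the same.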
Snallygaster’s straightforward design means integrating it into security workflows requires minimal setup. Security teams embed it in pre-deployment checks, CI pipelines run it against staging environments, and penetration testers use it as a first-pass reconnaissance step. The minimal dependencies and simple architecture make it suitable for environments where installing heavyweight scanning platforms isn’t practical.
Beyond file-existence checks, the README notes that the tool ‘contains a few checks for other security vulnerabilities’, so a single run can surface more than leaked files. The common thread is ‘easily detectable problems’: anything that can be confirmed from a handful of unauthenticated requests.
Gotcha
Snallygaster’s narrow focus is both its strength and its limit. It finds only the patterns in its catalog: exposed version control directories, backup files and predictable misconfigurations. A custom application with a non-standard file layout or a proprietary framework may expose things the catalog never asks for. This is reconnaissance, not comprehensive application security testing.
The HTTP-only approach means snallygaster operates entirely unauthenticated. It can’t test anything behind a login page, doesn’t understand session management, and won’t discover authorization bypass vulnerabilities. For applications where the interesting issues require authenticated access, it provides limited value. Treat every hit as a lead to verify by hand: fetch the file and confirm its content, because a server that answers 200 with a generic page for every path will otherwise look like it is leaking everything, and on shared hosting a server misconfiguration can make another tenant’s files appear to belong to your target. Large-scale scanning can also trigger rate limiting or WAF blocks. The tool makes no attempt to be stealthy; it’s designed for legitimate security audits of systems you are authorized to test, not for evading detection during unauthorized scanning.
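The probing logic described in Technical Insight, together with the false-positive caveat above, in one added example (this is illustrative code, not snallygaster’s own scanner or its check list): each check pairs a path with a content signature, and a canary request for a path that cannot exist detects hosts that answer 200 to everything. The hostnames, the canary filename and the signature regexes are this example’s own choices, and the two sample hosts are constructed in-memory responses so the code runs offline; the urllib3 fetcher at the end is the only part that touches a network and is not used by the demo.

```python
import hashlib
import re
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]   # url -> (HTTP status, body)

# (path, signature regex, description). The paths are the classic exposures the
# article lists; the regexes are this example's own, chosen so a hit means the
# body really is that kind of file, not just "something answered 200".
CHECKS: List[Tuple[str, bytes, str]] = [
    (".git/config", rb"^\[core\]", "git repository exposed"),
    (".hg/requires", rb"^revlogv1", "mercurial repository exposed"),
    (".env", rb"^[A-Z][A-Z0-9_]*=", "dotenv file exposed"),
    ("backup.sql", rb"CREATE TABLE|INSERT INTO", "sql dump exposed"),
    ("wp-config.php.bak", rb"DB_PASSWORD", "wordpress config backup exposed"),
]

# Assumed canary name: random enough that no real site serves it.
CANARY = "snallygaster-canary-5f3b9c1e.txt"

def _matches(sig: bytes, body: bytes) -> bool:
    return re.search(sig, body, re.MULTILINE) is not None

def scan(base_url: str, fetch: Fetcher) -> List[Dict[str, str]]:
    """Probe base_url for each check; return findings that pass status, canary and signature tests."""
    base = base_url.rstrip("/") + "/"
    # Canary first: a 200 for a path that cannot exist means this host answers
    # 200 to everything, so a status code alone proves nothing here.
    canary_status, canary_body = fetch(base + CANARY)
    catch_all = canary_status == 200
    canary_digest = hashlib.sha256(canary_body).hexdigest()

    findings: List[Dict[str, str]] = []
    for path, sig, desc in CHECKS:
        status, body = fetch(base + path)
        if status != 200:
            continue
        if catch_all and hashlib.sha256(body).hexdigest() == canary_digest:
            continue        # identical to the canary page: catch-all, not a leak
        if not _matches(sig, body):
            continue        # 200 but wrong content (custom 404 page, soft redirect)
        findings.append({"url": base + path, "issue": desc})
    return findings

def fake_fetcher(responses: Dict[str, Tuple[int, bytes]],
                 default: Tuple[int, bytes] = (404, b"not found")) -> Fetcher:
    """Offline fetcher backed by a constructed url -> (status, body) table."""
    def fetch(url: str) -> Tuple[int, bytes]:
        return responses.get(url, default)
    return fetch

# Constructed sample hosts; no network traffic is generated.
LEAKY_HOST = fake_fetcher({
    "https://leaky.example/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"),
    "https://leaky.example/.env": (200, b"APP_KEY=base64:notreal\nDB_PASSWORD=hunter2\n"),
})
SOFT404_HTML = b"<html><body>Welcome to our site</body></html>"
CATCHALL_HOST = fake_fetcher({}, default=(200, SOFT404_HTML))   # 200 for every path

def demo() -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Scan both constructed hosts; the catch-all host must yield no findings."""
    return scan("https://leaky.example", LEAKY_HOST), scan("https://catchall.example", CATCHALL_HOST)

def http_fetcher(timeout: float = 5.0) -> Fetcher:
    """Real fetcher built on urllib3 (the HTTP library the article names); redirects are not followed."""
    import urllib3
    http = urllib3.PoolManager(timeout=timeout, retries=False)
    def fetch(url: str) -> Tuple[int, bytes]:
        resp = http.request("GET", url, redirect=False)
        return resp.status, resp.data
    return fetch

if __name__ == "__main__":
    leaky, catchall = demo()
    for finding in leaky:
        print(finding["issue"], finding["url"])
    print("catch-all host findings:", len(catchall))
```

Two design choices carry the security point. Requiring a signature per check is what makes a ‘hit’ worth a ticket rather than a manual re-check; and comparing hit bodies against the canary body catches the soft-404 servers that otherwise produce a finding for every path in the list. Swapping fake_fetcher for http_fetcher gives a working, if tiny, scanner; only run it against hosts you are authorized to test.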
Verdict
Use snallygaster if you need a quick sanity check before deploying web applications, want to integrate lightweight security scanning into CI/CD pipelines, or are conducting initial reconnaissance during penetration tests. It excels at catching the mistakes that lead to credential leaks and source code exposure—the kind that make headlines when attackers find them first. Its portability and minimal dependencies make it ideal for DevOps teams who want security checks without complex tooling overhead. Skip it if you need comprehensive application security testing that includes authentication flows, business logic vulnerabilities, or custom attack scenarios. Snallygaster finds known exposure patterns efficiently; for everything else, you’ll need Burp Suite, OWASP ZAP, or custom testing. Think of it as your first line of defense against deploying obviously broken configurations, not as a replacement for thorough security assessment.