Snallygaster – Scan for Secret Files on HTTP Servers

snallygaster is a tool that looks for files accessible on web servers that shouldn’t be public and can pose a security risk. Typical examples include publicly accessible git repositories, backup files potentially containing passwords or database dumps. In addition it contains a few checks for other security vulnerabilities.

snallygaster - Tool to scan for secret files on HTTP servers
snallygaster – Tool to scan for secret files on HTTP servers

Available options for the scan are the following:

  • select a random user agent to send and scan remote host. this will allow to bypass user-agent block list.
  • Skip scanning www.[host] option.
  • Don’t scan http it will be possible to crawl one protocol in case that the same web content available on the encrypted version.
  • Don’t scan https this to avoid scanning https.
  • Enable all info tests (no bugs/security vulnerabilities)
  • Show noisy messages that indicate boring bugs, but no security issue
  • PATH Base path on server (scans root dir by default). you can select custom directories as needed.
  • Produce JSON output
  • Show detailed debugging info

he tool will scan for standard web files such as standard php files ndex.php’, ‘wp-config.php’, ‘configuration.php, config.php’, ‘’, ‘settings.php’. There is also verification for SQL code error and in depth scanning of the web content.

You can read more and download the tool over here:

Notify of
Inline Feedbacks
View all comments