Interactive Demo

What Happens When Config Files Are Exposed

Exposed .env files, git config, and server status pages hand attackers your database credentials, API keys, and infrastructure details. Watch it happen, then lock them down.

A deployed web application

MyApp looks normal from the outside, but common config files are publicly accessible on the server.

An attacker scans for exposed paths

.env, .git/config, and server-status reveal database credentials, API keys, and infrastructure details.

Server rules block all access

Configure deny rules and every probe returns 403 Forbidden or 404 Not Found.


Below is MyApp, a deployed web application. It looks normal, but sensitive files are publicly accessible.

Demo panels: the target site https://myapp.dev (MyApp landing page: "Ship faster with MyApp. The modern platform for building production-ready applications. Get Started") and the attacker terminal attacker@kali:~, waiting to begin the reconnaissance scan.

What are exposed files?

Web servers can accidentally serve configuration files, version control history, and status pages that were never meant to be public. Attackers use automated tools to check hundreds of common paths like /.env, /.git/config, and /server-status.

The vulnerability below

MyApp is deployed with no server rules blocking access to dotfiles or status endpoints. An attacker can read database credentials, API keys, and git repository details with a simple HTTP request.
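The server rules the Secure step describes, and the rules MyApp is missing in the vulnerability above, as an added example that is not the demo's own configuration: an Apache httpd virtual host for a hypothetical deployment at myapp.dev. The DocumentRoot path, the commented-out permissive block, the `.well-known` exception and the loopback allow-list are assumptions made for the example.

```apache
# Added example, not the demo's configuration. Apache httpd.conf fragment for a
# hypothetical deployment at myapp.dev with DocumentRoot /var/www/myapp/public.

<VirtualHost *:443>
    ServerName myapp.dev
    DocumentRoot /var/www/myapp/public

    # Vulnerable default: httpd only protects .ht* files out of the box, so a
    # plain GET for /.env or /.git/config returns the file verbatim when it
    # sits under DocumentRoot and this is the only access rule present.
    # <Directory "/var/www/myapp/public">
    #     Require all granted
    # </Directory>

    # Fix 1: any path component that starts with a dot (.env, .git/config,
    # .DS_Store ...) returns 404 Not Found, so the probe cannot even confirm
    # that the file exists. /.well-known/ is exempted for ACME challenges.
    RedirectMatch 404 "/\.(?!well-known/)"

    # Fix 2: belt and braces for requests that reach the filesystem through an
    # Alias or RewriteRule instead of the URL above: dotfiles and the whole
    # .git tree are denied at the file/directory level as well (403 Forbidden).
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
    <DirectoryMatch "/\.git">
        Require all denied
    </DirectoryMatch>

    # Fix 3: mod_status stays available for operators on the box itself, but
    # every other client gets 403 Forbidden instead of worker and request data.
    <Location "/server-status">
        SetHandler server-status
        Require ip 127.0.0.1 ::1
    </Location>

    <Directory "/var/www/myapp/public">
        Require all granted
    </Directory>
</VirtualHost>
```

After reloading httpd, re-run the same three probes (/.env, /.git/config, /server-status) from an external address: the first two should now answer 404 and the third 403. The deny rules are the safety net; the stronger fix is to keep .env outside DocumentRoot and to deploy from a build artifact rather than a checked-out repository, so there is no .git directory on the web server to protect.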

Only available with ShipShield ($25)

Go Deeper With a Full Codebase Audit

The free scan checks what's visible from the outside. A full ShipShield audit connects to your GitHub repo and analyzes your actual source code, dependencies, infrastructure, and more, covering 5,000,000+ vulnerability signatures.

Exposed Secrets

API keys, credentials, and tokens buried in code and git history

Auth & Authorization

Missing auth checks, weak JWT config, privilege escalation paths

Injection Vulnerabilities

SQL injection, XSS, SSRF, and command injection in your source code

Dependency CVEs

Known vulnerabilities across npm, pip, cargo, and go packages

AI Business Logic Review

AI-powered analysis of input validation, race conditions, and logic flaws

Sensitive Data Flows

PII logging, unencrypted data transmission, and storage issues

Infrastructure Security

Rate limiting, request size limits, and file upload restrictions

Docker & Container Scanning

Container misconfigs, exposed ports, running as root, OS-level CVEs

License Compliance

GPL/AGPL copyleft detection across all your dependencies

SBOM Generation

SPDX-format Software Bill of Materials for compliance and audits

Supply Chain Security

Typosquatting detection and suspicious package analysis

Professional PDF Report

Detailed findings with severity ratings, code references, and AI-powered fix suggestions

Get a Full Codebase Audit for $25

Scans complete in 2-8 minutes · Automatic refund if scan fails