# Finding Backup Files in Bug Bounty: A Targeted Fuzzing Approach

By /

Listen to this Post

A part of my recon automation handles scraping and endpoint identification (by analyzing source code, fuzzing, etc.). Once I’ve extracted all the endpoints from a subdomain, my automation looks for any script files (.php, .asp, .jsp, etc.) and then attempts to find backups of those scripts to access the source code.

How It Works:

1. Identify script files (e.g., `login.php`, `admin.jsp`).

  1. Generate a targeted wordlist by appending common backup extensions (e.g., .bak, .old, .backup).
  2. Perform fuzzing with the custom wordlist to discover backup files.

Example wordlist for `login.php`:

login.php.bak 
login.php.old 
login.php.backup 
login.php~ 
login.php.swp

You Should Know:

1. Automated Backup Discovery with ffuf

ffuf -w custom_backup_wordlist.txt -u https://target.com/FUZZ -mc 200 -v

-w: Specifies the wordlist.
-u: Target URL with `FUZZ` placeholder.
-mc 200: Matches HTTP 200 (success) responses.

#### **2. Extracting Script Files from Wayback Machine**

waybackurls target.com | grep -E '.php$|.asp$|.jsp$' > scripts.txt

– Filters archived URLs for script files.

#### **3. Generating Custom Wordlists**

sed 's/$/.bak/' scripts.txt > backup_wordlist.txt 
sed 's/$/.old/' scripts.txt >> backup_wordlist.txt

– Appends backup extensions dynamically.

#### **4. Checking for Version Control Leaks**

gobuster dir -u https://target.com -w /usr/share/wordlists/common-backups.txt -x .git,.svn

– Searches for `.git` or `.svn` directories.

#### **5. Analyzing Backup Files**

If a backup file is found (config.php.bak), inspect it for:
– Hardcoded credentials ($db_pass = "secret123";).
– API keys, encryption keys, or misconfigurations.

#### **6. Preventing False Positives**

ffuf -w backup_wordlist.txt -u https://target.com/FUZZ -fr "404 Not Found"

-fr: Filters out responses containing “404 Not Found.”

### **What Undercode Say:**

Backup files remain a goldmine in bug bounty hunting, often exposing source code, credentials, and hidden endpoints. While modern systems have reduced such leaks, targeted fuzzing still uncovers critical vulnerabilities. Always:
Prioritize custom wordlists over generic ones.
Automate backup checks in reconnaissance workflows.
Validate findings to avoid false positives.

### **Expected Output:**

A structured recon process that systematically hunts for backup files, increasing the chances of discovering sensitive data leaks.

*URLs referenced:*

References:

Reported By: Martinmarting Another – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Related Posts: