Infrastructure / Deployment Exposure
Critical impact. If this is found on your site, treat it as urgent. It can lead to real damage and is worth fixing before anything else.
What it is
Flags database/management ports reachable from the internet (MySQL, Postgres, Mongo, Redis, Docker API), exposed metrics/debug endpoints, missing HTTPS redirect, and server-version disclosure.
How attackers abuse it
A sensitive file or endpoint is served publicly (.env, .git, backups, source maps, debug pages). One exposed file can hand over every secret or your full source at once.
Attacker playbook
1. Request common sensitive paths directly in the browser.
2. If one returns content, download it.
3. Read the secrets or source it reveals and use them to go further.
How VibeSec detects and confirms it
VibeSec tests for this with an active scan, which runs only on targets you confirm you own or are authorized to test. We detect and confirm it using VibeSec native, nmap and naabu. When a payload actually proves the issue, it is reported as a confirmed finding rather than a guess.
If this is in your report: how to fix it
- Remove sensitive files from anything web-served and rotate any secrets they held.
- Block access to dotfiles, version-control folders, and backups at the server or host.
- Do not ship source maps or debug endpoints to production unless you mean to.
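To check the first two fixes before a deploy, this added example (not VibeSec's code or part of its scanner) walks a local web root on disk and lists entries that should not be served. The function names, suffix lists and sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Assumed pattern lists built from the categories this page names; extend for your stack.
VCS_DIRS = {".git", ".svn", ".hg"}
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".sql", ".dump", "~")
ALLOWED_DOT = {".well-known"}  # legitimately served (ACME, security.txt)

def classify(name, is_dir):
    """Return why an entry should not be web-served, or None if it looks fine."""
    lower = name.lower()
    if is_dir and lower in VCS_DIRS:
        return "version-control folder"
    if lower.startswith(".") and lower not in ALLOWED_DOT:
        return "dot directory" if is_dir else "dotfile"
    if not is_dir and lower.endswith(".map"):
        return "source map"
    if not is_dir and lower.endswith(BACKUP_SUFFIXES):
        return "backup or dump"
    return None

def audit_web_root(root):
    """Walk a local document root; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "" if rel_dir == "." else rel_dir + "/"
        for d in list(dirnames):
            if reason := classify(d, True):
                findings.append((prefix + d + "/", reason))
                dirnames.remove(d)  # report the folder once, do not descend into it
        for f in filenames:
            if reason := classify(f, False):
                findings.append((prefix + f, reason))
    return sorted(findings)

def build_sample_root():
    """Constructed sample tree for the demo; not real site content."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ["index.html", ".env", ".git/config", "js/app.js", "js/app.js.map",
                "db/site.sql", "index.php.bak", ".well-known/security.txt"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

if __name__ == "__main__":
    for path, reason in audit_web_root(build_sample_root()):
        print(f"{reason:24} {path}")
```

Point `audit_web_root` at the directory your server or host actually publishes; any secret found in a flagged file still needs rotating after the file is removed.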
Check your site for this
Run a scan and see whether this affects you, in plain language with copy-paste fixes.