⚠️ EDUCATIONAL DEMO: Shows what an attacker finds when probing common sensitive paths on a school portal. All file contents shown are fictional examples.

Sensitive Paths Exposed Demo

Attackers routinely probe school portals for predictable paths that return sensitive files. In the demo, any path that answers 200 OK shows what they find.

THE SECURITY RISK IN PLAIN ENGLISH

Every CMS, framework, and web host leaves predictable files in predictable locations. Attackers run automated scanners that check thousands of paths in seconds: backup files, admin panels, configuration files, .git repositories, .env files, database dumps.

When these paths return 200 OK instead of 404 Not Found, the attacker gets credentials, database passwords, API keys, and access to admin panels — often with a single HTTP request, no hacking required.

The fix: Move sensitive files outside the web root. Return 404 for paths that shouldn't be public. Restrict admin panels by IP. Never commit .env files or backups to publicly accessible locations.

❌ What Attackers Find

  • .env files with database passwords and API keys
  • /backup/ directories with full database dumps (.sql)
  • /admin/ panels accessible without IP restriction
  • /.git/ exposing full source code history
  • phpinfo.php revealing server configuration
  • wp-config.php backups with WordPress database credentials

✅ Fix (Defense in Depth)

  • Move .env, config, and backup files above the web root (outside public_html/)
  • Add to .htaccess: deny from all (Apache 2.4 syntax: Require all denied) for sensitive directories
  • Block /.git/ in Nginx: location ~ /\.git { return 404; } (deny all; also works but answers 403, which confirms the path exists)
  • Set up WAF rules to return 403/404 for known sensitive paths
  • Restrict /admin/ to school IP ranges only
  • Delete phpinfo.php, test files, and old backups from the server
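As an added example (not part of the original demo), the following Nginx server block applies the checklist above; the hostname, web root and the 203.0.113.0/24 "school range" are placeholders, and the PHP handler is omitted for brevity.

```nginx
# Added example, not from the original demo. Hostname, paths and the
# 203.0.113.0/24 "school range" are placeholders to replace.
server {
    listen 80;
    server_name portal.example.edu;
    # Web root. .env, config backups and .sql dumps must live ABOVE this
    # directory (e.g. in /var/www/portal/), never inside it.
    root /var/www/portal/public;

    # Keep ACME / Let's Encrypt challenges reachable: ^~ takes precedence over
    # the regex dotfile rule below, otherwise certificate renewal breaks.
    location ^~ /.well-known/acme-challenge/ {
        try_files $uri =404;
    }

    # Any dotfile or dot-directory: /.git/, /.env, /.htaccess, /.svn/ ...
    # Answer 404 rather than 403 so the response cannot confirm the file exists.
    location ~ /\. {
        return 404;
    }

    # Backup, dump and editor leftovers anywhere under the web root.
    location ~* \.(sql|sql\.gz|bak|old|orig|save|swp|tar|tgz|zip)$ {
        return 404;
    }

    # Explicit names from the checklist: phpinfo.php, wp-config.php copies, /backup/.
    location ~* ^/(phpinfo\.php|wp-config\.php.*|backup/) {
        return 404;
    }

    # Admin panel only from the school's address range; everyone else gets 403.
    location /admin/ {
        allow 203.0.113.0/24;
        deny  all;
        try_files $uri $uri/ /index.php?$args;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

After reloading, verify from outside the school range that /.env, /.git/HEAD and /backup/ all return 404 and that /admin/ returns 403.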