Behat Configuration File Detected

medium Web App Scanning Plugin ID 115092

Language:

Synopsis

Behat Configuration File Detected

Description

Behat is a Behavior Driven Development (BDD) framework for PHP. It allows the execution of feature documentation written in business-facing text. Behat uses a configuration file named behat.yml to set up various options and parameters for running tests.

The presence of the behat.yml configuration file on a web server may expose sensitive information, such as database credentials, API keys, or other configuration details that could be exploited by an attacker.

Solution

Ensure that the configuration file is not deployed with the application or, at least, is not exposed in a web server directory by setting proper permissions on it.

See Also

https://docs.behat.org/en/latest/user_guide/configuration.html

https://github.com/Behat/Behat

Plugin Details

Severity: Medium

ID: 115092

Type: remote

Family: Data Exposure

Published: 1/5/2026

Updated: 1/5/2026

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 538

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1

WASC: Predictable Resource Location

CAPEC: 95

DISA STIG: APSC-DV-002480

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8

PCI-DSS: 3.2-2.2