Extract hidden filenames and folder paths from .DS_Store files online.
Drop .DS_Store file here
or click to select
Drop a .DS_Store file here, or click to select
Parse and analyze exposed .DS_Store files to extract hidden filenames, directory paths, and folder metadata. Free browser-based tool for security researchers and penetration testers.
A .DS_Store file is a hidden system file automatically created by macOS Finder in every folder a user opens. It stores folder-specific settings such as icon positions, view preferences, window sizes, background images, and sorting options. The name stands for Desktop Services Store. These files are invisible on macOS by default, but they frequently appear on web servers, public repositories, and shared archives when developers deploy folders directly from a Mac without filtering hidden files. When a .DS_Store file is publicly accessible on a web server, it can reveal the names of files and subdirectories that are not otherwise linked or listed anywhere on the site.
Input:
Drop or select any .DS_Store file collected from a web server, Git repository, or local macOS folder.
Output:
admin/ backup/ config.php database.sql index.php uploads/ .env.bak README.md
What is a .DS_Store file and why does it matter for security?
A .DS_Store file is a hidden metadata file created by macOS Finder. It stores layout preferences for a folder. When this file is accidentally uploaded to a web server or committed to a public repository, it can expose filenames, backup paths, configuration file names, and internal directory structures that were never meant to be public. Attackers and bug bounty hunters look for exposed .DS_Store files as part of web reconnaissance to discover hidden resources.
How do .DS_Store files get exposed on web servers?
They are most often exposed when a developer uploads a folder from their Mac directly to a web server using FTP, rsync, or a deployment script that does not exclude hidden files. They also appear in public Git repositories when a developer commits without a proper .gitignore, and in ZIP archives created on macOS that include hidden system files. Web servers with directory listing or permissive file access rules make these files directly downloadable.
How can I find a .DS_Store file on a target web server?
Request the URL directly: https://example.com/.DS_Store. If the server returns a file download instead of a 404, the file is exposed. Automated recon tools and web crawlers often check this path as a standard step. You can also check subdirectories such as https://example.com/uploads/.DS_Store or https://example.com/admin/.DS_Store.
What information can a .DS_Store file reveal?
A .DS_Store file can reveal file names, subdirectory names, backup file names such as database.sql or config.bak, hidden admin paths, source code file names, asset directories, old or forgotten files, and internal folder structure. It does not contain file contents, only names.
Is this tool safe to use for sensitive files?
Yes. The .DS_Store Viewer processes files entirely inside your browser using a client-side TypeScript parser. No file data is uploaded to a server. The analysis happens locally in your browser tab, instantly, with no network requests.
Who uses a .DS_Store viewer?
Security researchers, penetration testers, bug bounty hunters, red team operators, web developers auditing their own deployments, and forensic analysts use .DS_Store viewers to extract hidden path information during reconnaissance, security audits, and cleanup tasks.
How do I prevent .DS_Store files from being exposed?
Add .DS_Store to your .gitignore file to stop them from being committed to repositories. Add a deny rule in your web server configuration to block access to .DS_Store files. Use a deployment pipeline that filters hidden files before uploading. Run a scan on your public web root to find and remove any existing .DS_Store files. On Apache you can add: Deny from all inside a Files directive targeting .DS_Store.
Can .DS_Store files be found recursively across a site?
Yes. Every subdirectory that was ever opened in macOS Finder may contain its own .DS_Store file. After finding one at the root, check common subdirectories like /uploads, /admin, /assets, /static, /backup, and /files. The filenames extracted from each .DS_Store can guide further enumeration.