Details
Alert ID 10045-1
Alert Type Active
Status release
Risk High
CWE 541
WASC 34
Technologies Targeted All
Tags CWE-541
OWASP_2017_A06
OWASP_2021_A05
POLICY_QA_FULL
WSTG-V42-CONF-05
More Info Scan Rule Help

Summary

Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code.

Solution

The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach.

Other Info

class A { }

References

Code

org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java