Details
Alert ID 10045-2
Alert Type Active
Status release
Risk High
CWE 541
WASC 34
Technologies Targeted All
Tags CWE-541
OWASP_2017_A06
OWASP_2021_A05
POLICY_QA_FULL
WSTG-V42-CONF-05
More Info Scan Rule Help

Summary

A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys.

Solution

The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder.

Other Info

The reference to the properties file was found in the dis-assembled Java source code for Java class [https://example.com/foo.class].

References

Code

org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java