| Details | |
|---|---|
| Alert ID | 10045-2 |
| Alert Type | Active |
| Status | release |
| Risk | High |
| CWE | 541 |
| WASC | 34 |
| Technologies Targeted | All |
| Tags | CWE-541, OWASP_2017_A06, OWASP_2021_A05, POLICY_QA_FULL, WSTG-V42-CONF-05 |
| More Info | Scan Rule Help |
Summary
A Java class in the /WEB-INF folder disclosed the presence of a properties file. Properties files are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys.
Solution
The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder.

Other Info
The reference to the properties file was found in the disassembled Java source code for the Java class [https://example.com/foo.class].

References
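One way to apply the solution above when a reverse proxy sits in front of the servlet container, as an added example that is not part of the ZAP alert page or the ZAP project: an nginx server block that refuses any request whose normalized path starts with /WEB-INF or /META-INF before it is forwarded. The hostname and the upstream address are placeholders, and the assumption is that the container (for example Tomcat) listens on 127.0.0.1:8080.

```nginx
# Added example, not from the ZAP alert page. Placeholders: app.example.com, 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder hostname

    # nginx percent-decodes and normalizes the URI before matching locations,
    # so "~*" (case-insensitive regex) also covers /web-inf/ and encoded variants.
    # Returning 404 rather than 403 avoids confirming that the folder exists.
    location ~* ^/(WEB-INF|META-INF)(/|$) {
        return 404;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed servlet container upstream
    }
}
```

After reloading the configuration, a request such as `curl -s -o /dev/null -w '%{http_code}\n' https://app.example.com/WEB-INF/web.xml` against your own host should print 404, and re-running the ZAP scan should no longer raise alert 10045-2 for that path. The same rule belongs on any other front-end that can serve the webapp directory directly (Apache httpd with a DocumentRoot inside the deployed application, IIS integrations), since a servlet container refuses /WEB-INF by specification and the disclosure usually comes from the component in front of it.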
- https://owasp.org/www-community/attacks/Forced_browsing
- https://cwe.mitre.org/data/definitions/425.html