Details
Alert ID 40035
Alert Type Active
Status release
Risk Medium
CWE 538
WASC 13
Technologies Targeted All
Tags CUSTOM_PAYLOADS
CWE-538
OWASP_2017_A06
OWASP_2021_A05
POLICY_QA_FULL
WSTG-V42-CONF-05
More Info Scan Rule Help

Summary

A sensitive file was identified as accessible or available. This may leak administrative, configuration, or credential information which can be leveraged by a malicious individual to further attack the system or conduct social engineering efforts.

Solution

Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc.

Other Info

cvs_dir

References

Code

org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java