Details | |
---|---|
Alert ID | 10045-1 |
Alert Type | Active |
Status | release |
Risk | High |
CWE | 541 |
WASC | 34 |
Technologies Targeted | All |
Tags | CWE-541 OWASP_2017_A06 OWASP_2021_A05 WSTG-V42-CONF-05 |
More Info | Scan Rule Help |
Summary
Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be disassembled to produce source code which very closely matches the original source code.
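As an added example (not part of the ZAP rule or this page), the following Python parses just enough of a class file fetched from /WEB-INF to name the class it discloses, the kind of check a defender can run on a suspicious response body to confirm the finding and decide how serious the leak is. `SAMPLE_CLASS` is a constructed, hand-assembled class file for `class A {}`, not bytes captured from any server, and `skeleton()` renders the same outline a decompiler would show.

```python
import struct

# Byte widths of fixed-size constant-pool entries by tag (JVM spec 4.4); tag 1 (Utf8) is variable-length, tags 5/6 take two slots.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def is_java_class(body: bytes) -> bool:
    """True if a body served from /WEB-INF starts with the class-file magic."""
    return len(body) >= 10 and body[:4] == b"\xca\xfe\xba\xbe"

def describe_class(data: bytes) -> dict:
    """Parse just enough of a class file to say which class was disclosed."""
    if not is_java_class(data):
        raise ValueError("not a Java class file")
    _minor, major, count = struct.unpack_from(">HHH", data, 4)
    pool, off, idx = {}, 10, 1
    while idx < count:
        tag = data[off]
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            n = struct.unpack_from(">H", data, off + 1)[0]
            pool[idx] = data[off + 3:off + 3 + n].decode("utf-8", "replace")
            off += 3 + n
        elif tag in _FIXED:
            if tag == 7:  # CONSTANT_Class: u2 index of the Utf8 name
                pool[idx] = struct.unpack_from(">H", data, off + 1)[0]
            off += 1 + _FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {off}")
        idx += 2 if tag in (5, 6) else 1
    access, this_idx, super_idx = struct.unpack_from(">HHH", data, off)
    name = pool[pool[this_idx]].replace("/", ".")
    parent = pool[pool[super_idx]].replace("/", ".") if super_idx else None
    return {"major": major, "name": name, "super": parent,
            "public": bool(access & 0x0001), "interface": bool(access & 0x0200)}

def skeleton(info: dict) -> str:
    # The outline a decompiler shows for the leaked file (cf. "class A { }" in Other Info).
    kind = "interface" if info["interface"] else "class"
    ext = "" if info["super"] in (None, "java.lang.Object") else f" extends {info['super']}"
    return f"{'public ' if info['public'] else ''}{kind} {info['name']}{ext} {{ }}"

# Constructed sample: a hand-assembled class file for `class A {}`, not captured from any server.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe\x00\x00\x00\x31"  # magic, minor 0, major 49 (Java 5)
    b"\x00\x05"                          # constant_pool_count = 5 (entries #1..#4)
    b"\x07\x00\x02\x01\x00\x01A"         # #1 Class -> name at #2; #2 Utf8 "A"
    b"\x07\x00\x04\x01\x00\x10java/lang/Object"  # #3 Class -> #4; #4 Utf8 "java/lang/Object"
    b"\x00\x20\x00\x01\x00\x03"          # access ACC_SUPER, this_class #1, super_class #3
    b"\x00\x00\x00\x00\x00\x00\x00\x00"  # zero interfaces, fields, methods, attributes
)
```

A class name that resolves to application code (rather than a framework class) is a strong sign the finding is real, and the major version tells you which JDK the deployment was compiled with.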
Solution
The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach.
Other Info
class A { }
References
- https://owasp.org/www-community/attacks/Forced_browsing
- https://cwe.mitre.org/data/definitions/425.html