ZAP – Hidden File Found

Details
Alert ID	40035
Alert Type	Active
Status	release
Risk	Medium
CWE	538
WASC	13
Technologies Targeted	All
Tags	CUSTOM_PAYLOADS CWE-538 OWASP_2017_A06 OWASP_2021_A05 POLICY_PENTEST POLICY_QA_FULL WSTG-V42-CONF-05
More Info	Scan Rule Help

Summary

A sensitive file was identified as accessible or available. This may leak administrative, configuration, or credential information which can be leveraged by a malicious individual to further attack the system or conduct social engineering efforts.

Solution

Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc.

Other Info

cvs_dir

References

https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html

Code

org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRule.java