Source Code Disclosure - /WEB-INF Folder

Risk:
High

Type:
Active

CWE:
CWE-541

Summary: Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code.

Solution: The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach.

Other info: class A { }

References

https://owasp.org/www-community/attacks/Forced_browsing

https://cwe.mitre.org/data/definitions/425.html

Latest Security News

Top CVE List

Top Alert List

Content Security Policy (CSP) Header Not Set
MediumContent Security Policy (CSP) Header Not Set
MediumMissing Anti-clickjacking Header
CSP
InformationalInformation Disclosure - Suspicious Comments
LowCross-Domain JavaScript Source File Inclusion
MediumAbsence of Anti-CSRF Tokens
InformationalRe-examine Cache-control Directives
LowCSP: X-Content-Security-Policy
InformationalModern Web Application

Common CWEs

Free online web security scanner

Don't show website scan report rating on the leaderboard