Source Code Disclosure - /WEB-INF Folder
- Risk:
High
- Type:
Active
- CWE:
CWE-541 (Inclusion of Sensitive Information in an Include File)
- Summary
Java source code was disclosed by the web server: compiled Java class files, and the deployment descriptor web.xml that names them, were served from the application's /WEB-INF folder. Class files can be decompiled with freely available tools into source code that very closely matches the original, so serving them is equivalent to publishing the source. Java bytecode keeps class, method and field names, string constants and, unless stripped at build time, line-number and local-variable debug information, which is why the decompiled output is so faithful.
- Solution
The web server must be configured not to serve the /WEB-INF folder or anything beneath it to clients. The Servlet specification already forbids the servlet container from serving files under WEB-INF directly, so this finding usually means that a front-end web server or reverse proxy (Apache httpd, nginx, a CDN) has the unpacked application directory mapped as static content, or that the front-end and the container normalise request paths differently; block any request whose path contains a /WEB-INF segment at that layer, then confirm that a direct request for /WEB-INF/web.xml returns 404 or 403. The folder holds compiled classes, which decompile to source, and properties files which may contain credentials; any credentials that were served this way should be rotated. Obfuscating the deployed classes is a reasonable additional layer in a "defence-in-depth" approach, but it only makes decompiled code harder to read and does nothing for web.xml or properties files, so it is not a substitute for the access control.
- Other info
The decompiled source of the disclosed class is reported here; the placeholder below stands in for that output:
class A { }
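To reproduce the check this alert describes against your own deployment, and to verify that the fix in the Solution holds, here is an added Python probe. It is not ZAP's own code; it approximates the rule's logic: fetch WEB-INF/web.xml, pull the servlet, filter and listener class names out of it, request each class under WEB-INF/classes/ and confirm the result by the JVM class-file magic rather than by status code alone. The sample web.xml, the hostname and the class names are constructed for illustration.

```python
"""Added example, not ZAP's code: probe a Java web app for a served /WEB-INF folder."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every JVM class file

# Constructed sample deployment descriptor, used to exercise the parsing offline.
SAMPLE_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>login</servlet-name>
    <servlet-class>com.example.web.LoginServlet</servlet-class>
  </servlet>
  <filter>
    <filter-name>auth</filter-name>
    <filter-class>com.example.web.AuthFilter</filter-class>
  </filter>
</web-app>
"""


def classify_body(body: bytes) -> str:
    """Return 'class' for a JVM class file, 'web-xml' for a deployment descriptor, else 'none'.

    A 200 status alone is not evidence: many apps answer unknown paths with a friendly
    HTML page, so the response content has to be inspected.
    """
    if body[:4] == CLASS_MAGIC:
        return "class"
    if b"<web-app" in body and re.search(rb"<(?:servlet|filter|listener)-class>", body):
        return "web-xml"
    return "none"


def servlet_classes(web_xml: bytes) -> list:
    """Extract the fully qualified class names declared in web.xml, in document order."""
    found = re.findall(rb"<(?:servlet|filter|listener)-class>\s*([\w.$]+)\s*</", web_xml)
    return [name.decode("ascii") for name in found]


def class_path(fqcn: str) -> str:
    """Map com.example.Foo to the path the container keeps it at under WEB-INF/classes."""
    return "WEB-INF/classes/" + fqcn.replace(".", "/") + ".class"


def fetch(url: str, timeout: float = 10.0):
    """GET url and return (status, body); (None, b'') if the connection fails."""
    req = urllib.request.Request(url, headers={"User-Agent": "webinf-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return err.code, err.read()
    except (urllib.error.URLError, OSError):
        return None, b""


def probe(base_url: str):
    """Return a list of (url, kind) findings for the web application rooted at base_url."""
    if not base_url.endswith("/"):
        base_url += "/"  # urljoin would otherwise drop the last path segment
    findings = []
    web_xml_url = urljoin(base_url, "WEB-INF/web.xml")
    status, body = fetch(web_xml_url)
    if status != 200 or classify_body(body) != "web-xml":
        return findings  # the container or front-end refuses WEB-INF, as it should
    findings.append((web_xml_url, "web-xml"))
    for fqcn in servlet_classes(body):
        url = urljoin(base_url, class_path(fqcn))
        status, body = fetch(url)
        if status == 200 and classify_body(body) == "class":
            findings.append((url, "class"))
    return findings


if __name__ == "__main__":
    import sys

    # Assumed target URL; pass your own application root as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/app/"
    for url, kind in probe(target):
        print(f"{kind:8} {url}")
```

An empty result after the fix is the expected outcome. Any class file the probe does retrieve can be fed to a Java decompiler such as CFR or Procyon to see exactly what an attacker would read; if you only want to confirm the bytes are a real class, `javap -v` on the downloaded file is enough.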