
Source Code Disclosure - /WEB-INF Folder

Risk: High

Type: Active
Summary
Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be disassembled to produce source code which very closely matches the original source code.
Solution
The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach.
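To verify a fix in your own deployment, the responses to requests for /WEB-INF resources can be classified the way this alert does: a 200 response whose body starts with the Java class-file magic (CAFEBABE), a deployment descriptor, or a properties file carrying credential-like keys means the folder is still exposed. The following is an added example, not ZAP's own check; the function names and the sample responses are constructed for illustration.

```python
import struct

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
CREDENTIAL_KEYS = (b"password", b"secret", b"apikey", b"token")

# Constructed sample bodies standing in for HTTP responses to /WEB-INF requests
# against a test deployment (not captured from any real server).
SAMPLE_CLASS_BODY = JAVA_CLASS_MAGIC + struct.pack(">HH", 0, 52) + b"\x00" * 8
SAMPLE_WEB_XML = b'<?xml version="1.0"?><web-app><servlet/></web-app>'
SAMPLE_PROPERTIES = b"db.user=app\ndb.password=PLACEHOLDER_NOT_A_REAL_SECRET\n"
SAMPLE_NOT_FOUND = b"<html><body>Not Found</body></html>"

SAMPLE_RESPONSES = {
    "/WEB-INF/classes/com/example/A.class": (200, SAMPLE_CLASS_BODY),
    "/WEB-INF/web.xml": (200, SAMPLE_WEB_XML),
    "/WEB-INF/classes/app.properties": (200, SAMPLE_PROPERTIES),
    "/WEB-INF/lib/": (404, SAMPLE_NOT_FOUND),
}


def classify_web_inf_response(path, status, body):
    """Return a short finding if (status, body) for `path` discloses /WEB-INF content, else None."""
    if status != 200 or not body:
        return None
    if body[:4] == JAVA_CLASS_MAGIC and len(body) >= 8:
        # Class-file header: magic, minor_version, major_version (big-endian u16 each).
        # Major >= 45 (JDK 1.1) distinguishes a real class file from other CAFEBABE formats.
        minor, major = struct.unpack(">HH", body[4:8])
        if major >= 45:
            return f"compiled Java class (class file version {major}.{minor})"
    if path.endswith("web.xml") and b"<web-app" in body:
        return "deployment descriptor (web.xml)"
    if path.endswith(".properties"):
        lowered = body.lower()
        if any(key in lowered for key in CREDENTIAL_KEYS):
            return "properties file with credential-like keys"
        return "properties file"
    return None


def scan_responses(responses):
    """Map each disclosed path to its finding; paths that do not disclose anything are omitted."""
    findings = {}
    for path, (status, body) in responses.items():
        finding = classify_web_inf_response(path, status, body)
        if finding is not None:
            findings[path] = finding
    return findings
```

Feed `scan_responses` the status and body of each /WEB-INF request made against your own application; an empty result after the server reconfiguration means the alert no longer applies.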
Other info
class A { }
References

https://owasp.org/www-community/attacks/Forced_browsing

https://cwe.mitre.org/data/definitions/425.html
