Properties File Disclosure - /WEB-INF folder

  • Risk: High

  • Type: Active

Summary

A Java class in the /WEB-INF folder disclosed the presence of a properties file. Properties files are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys.

Solution

The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder.

Other info

The reference to the properties file was found in the disassembled Java source code for the Java class [https://example.com/foo.class].

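As an added example (not the scanner's own code), the following Python script performs the kind of check this finding relies on: it walks a class file's constant pool and reports any string constant that names a .properties resource, so you can audit the classes you deploy under /WEB-INF yourself. The class-file bytes are a constructed minimal sample (header plus constant pool only), not a real compiled class.

```python
import struct

# Byte size of the fixed-width constant-pool entries, keyed by tag (JVM spec 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(class_bytes: bytes) -> list:
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]   # constant_pool_count
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:                                     # Utf8: u2 length, then bytes
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            # Class files use "modified UTF-8"; for ASCII resource names plain decoding suffices.
            out.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1                 # Long/Double take two pool slots
    return out


def properties_references(class_bytes: bytes) -> list:
    """String constants that name a .properties resource (what the scanner flags)."""
    return [s for s in utf8_constants(class_bytes) if s.lower().endswith(".properties")]


def _utf8(s: str) -> bytes:
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b


# Constructed sample: a minimal header and constant pool, not a real compiled class.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)     # magic, minor, major
    + struct.pack(">H", 6)                               # constant_pool_count = slots + 1
    + _utf8("WEB-INF/classes/config/db.properties")      # #1 Utf8
    + b"\x08" + struct.pack(">H", 1)                     # #2 String -> #1
    + b"\x05" + struct.pack(">Q", 7)                     # #3-#4 Long (two slots)
    + _utf8("java/lang/Object")                          # #5 Utf8
)

if __name__ == "__main__":
    print(properties_references(SAMPLE_CLASS))  # ['WEB-INF/classes/config/db.properties']
```

Run it over the .class files in your own WAR to see which classes embed property-file paths before relying on the web server's /WEB-INF rule alone.
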
References

https://owasp.org/www-community/attacks/Forced_browsing

https://cwe.mitre.org/data/definitions/425.html