Properties File Disclosure - /WEB-INF folder

Risk:
High

Type:
Active

CWE:
541

Summary: A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys.

Solution: The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder.

Other info: The reference to the properties file was found in the dis-assembled Java source code for Java class [https://example.com/foo.class].

References

https://owasp.org/www-community/attacks/Forced_browsing

https://cwe.mitre.org/data/definitions/425.html