General Information

Source Code Disclosure via Accessible Source Code Folder

Variants:
Direct 

Also Known As:
WEB-INF Directory Information Disclosure, bin Directory Information Disclosure

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
ASP.Net, JSP

Target Type:
Web Application

Affected Mechanisms:
Web Server Configuration, Web Application Configuration, Hardening

Invented In:
01/01/1999

Added In:
01/01/2015


Vector Operation Method:
The server-side source code of a web application can be disclosed by directly accessing the technology-specific directories that store its server-side code libraries, such as the bin directory in ASP.NET or the WEB-INF directory in Java. If access to these directories is not protected, directly requesting the compiled library files they hold (xml, class, lib or DLL) causes them to be downloaded to the attacker's station, where they can later be decompiled.
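
Detection sketch for the condition described above, added here as an example and not part of the original entry: it scans web server access logs for library files that were actually served from a bin or WEB-INF folder. The Combined Log Format, the function names, the extension list and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Folder names come from this entry; the extension list is an assumption
# covering the compiled-library file types the entry mentions.
PROTECTED_DIRS = ("web-inf", "bin")
LIBRARY_EXTS = (".class", ".jar", ".dll", ".xml", ".lib")

# Combined Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def normalize(target):
    """Decode percent-escapes twice (catches double encoding) and lowercase the path."""
    path = urlsplit(target).path
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/").lower()

def served_library_files(log_lines):
    """Return (client, path, status) for library files served from protected folders."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, _method, target, status, _size = m.groups()
        path = normalize(target)
        segments = [s for s in path.split("/") if s]
        # Whole-segment match, so /cgi-bin/ is not mistaken for /bin/.
        in_protected = any(s in PROTECTED_DIRS for s in segments[:-1])
        # 200/206 mean the file content left the server; 403/404 mean it was refused.
        if in_protected and path.endswith(LIBRARY_EXTS) and status in ("200", "206"):
            hits.append((client, path, int(status)))
    return hits

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2015:10:00:00 +0000] "GET /app/WEB-INF/web.xml HTTP/1.1" 200 1834',
    '203.0.113.7 - - [01/Jan/2015:10:00:02 +0000] "GET /app/%57EB-INF/classes/Login.class HTTP/1.1" 200 4096',
    '203.0.113.7 - - [01/Jan/2015:10:00:03 +0000] "GET /site/bin/App.dll HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Jan/2015:10:01:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2015:10:01:05 +0000] "GET /site/BIN/App.dll HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for hit in served_library_files(SAMPLE_LOG):
        print(hit)
```

Any hit means the server returned file content from a folder that should be blocked, so the corresponding web server or application configuration needs hardening.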


Direct Variant:

Source Code Disclosure via Accessible Folder

Also Known As:
Source Code Disclosure via Accessible Source Code Folder

Typical Severity:
Major

Learn More: