Source Code Disclosure via Accessible Source Code Folder
Also Known As:
WEB-INF Directory Information Disclosure, bin Directory Information Disclosure
Web Server Configuration, Web Application Configuration, Hardening
Vector Operation Method:
The server-side source code of a web application can be disclosed by directly accessing the technology-specific directories that store server-side code libraries, such as the bin directory in ASP.NET or the WEB-INF directory in Java. If access to these directories is not protected, directly requesting the compiled library files (xml, class, lib or DLL) causes them to be downloaded to the attacker's station, where they can later be decompiled.
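
A detection-side view of the issue described above, as an added example that is not part of the original entry: it scans web server access logs for requests under WEB-INF or bin that were answered with a 2xx status and a response body, meaning the file was actually served. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Directories named on this page; extend for your own stack (assumption).
PROTECTED_DIRS = {"web-inf", "bin"}

# Common/combined access-log format: ... "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def protected_segment(target):
    """Return the protected directory a request path falls under, or None."""
    path = urlsplit(target).path
    # Decode twice to catch double-encoded segments such as %2557EB-INF.
    path = unquote(unquote(path)).replace("\\", "/")
    for segment in path.split("/"):
        name = segment.split(";")[0].lower()  # drop ;jsessionid-style path params
        if name in PROTECTED_DIRS:
            return name
    return None

def find_disclosures(lines):
    """Return (ip, target, size) for requests served from a protected dir."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        # Only a 2xx response with a body means the file actually left the server.
        if m["status"].startswith("2") and size > 0 and protected_segment(m["target"]):
            hits.append((m["ip"], m["target"], size))
    return hits

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /shop/WEB-INF/web.xml HTTP/1.1" 200 4312',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /shop/%57EB-INF/classes/Db.class HTTP/1.1" 200 9120',
    '203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /site/bin/App.dll HTTP/1.1" 404 0',
    '198.51.100.4 - - [10/Mar/2024:10:00:04 +0000] "GET /site/Bin/App.dll HTTP/1.1" 200 51200',
    '198.51.100.4 - - [10/Mar/2024:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, target, size in find_disclosures(SAMPLE_LOG):
        print(f"served protected file: {target} ({size} bytes) to {ip}")
```

Any hit means the server returned content from a directory that should never be reachable over HTTP, so the access rule for that directory needs fixing and the served files should be treated as disclosed.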