Source Code Disclosure - /WEB-INF Folder

ID

source_code_disclosure_web_inf_folder

Severity

critical

Kind

Information Disclosure

CWE

541

Description

  • Source Code Disclosure - /WEB-INF Folder: Java source code was disclosed by the web server through Java class files in the WEB-INF folder. The class files can be disassembled to produce source code that very closely matches the original.

  • Properties File Disclosure - /WEB-INF folder: A Java class in the /WEB-INF folder disclosed the presence of a properties file. Properties files are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys.
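Both findings above (a compiled class served from /WEB-INF, and a `.properties` path visible inside it) can be reproduced offline with a small parser for the class-file constant pool, which is where string literals such as resource names live. The code below is an added example written for this page, not the scanner's own rule: `build_sample_class` hand-assembles a truncated, constructed class file (magic, version, constant pool and a few trailing fields, not real `javac` output), and `assess_response` is a hypothetical helper that turns a fetched body into findings so a defender can confirm that a web-server fix actually stopped the disclosure.

```python
from __future__ import annotations

import re
import struct

CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Constant-pool tag -> size of its fixed payload in bytes. Tag 1 (Utf8) is
# variable-length; tags 5 (Long) and 6 (Double) occupy two pool slots.
_CP_FIXED_SIZE = {
    3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
    15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2,
}

# A properties reference is a path-like token ending in ".properties".
_PROPERTIES_RE = re.compile(r"[\w./-]+\.properties")


def is_class_file(data: bytes) -> bool:
    """A compiled Java class always starts with the 0xCAFEBABE magic."""
    return data[:4] == CLASS_MAGIC


def constant_pool_strings(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 entry of a class file, in pool order."""
    if not is_class_file(data):
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)   # constant_pool_count
    pos, index, strings = 10, 1, []
    while index < count:                            # pool indices are 1-based
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + length].decode("utf-8", errors="replace"))
            pos += length
        elif tag in _CP_FIXED_SIZE:
            pos += _CP_FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in (5, 6) else 1
    return strings


def referenced_properties_files(data: bytes) -> list[str]:
    """Properties-file names embedded as string constants in the class."""
    found: list[str] = []
    for s in constant_pool_strings(data):
        found.extend(m.group(0) for m in _PROPERTIES_RE.finditer(s))
    return found


def assess_response(path: str, body: bytes) -> list[str]:
    """Hypothetical post-deployment check: findings for one fetched URL body."""
    findings: list[str] = []
    if is_class_file(body):
        findings.append(f"{path}: served a compiled Java class (source code disclosure)")
        for prop in referenced_properties_files(body):
            findings.append(f"{path}: class discloses properties file {prop}")
    return findings


def build_sample_class(utf8_strings: list[str]) -> bytes:
    """Constructed, truncated class file: just enough for constant-pool parsing."""
    entries, slots = [], 0
    for s in utf8_strings:
        raw = s.encode("utf-8")
        entries.append(b"\x01" + struct.pack(">H", len(raw)) + raw)
        slots += 1
    entries.append(b"\x05" + struct.pack(">q", 42))   # CONSTANT_Long, two slots
    slots += 2
    class_index = slots + 1
    entries.append(b"\x07" + struct.pack(">H", 1))    # CONSTANT_Class -> Utf8 #1
    slots += 1
    header = CLASS_MAGIC + struct.pack(">HHH", 0, 52, slots + 1)
    trailer = struct.pack(">HHH", 0x0021, class_index, 0)  # access flags, this, super
    return header + b"".join(entries) + trailer


if __name__ == "__main__":
    # Constructed sample: a servlet class that names its config file.
    sample = build_sample_class(
        ["com/example/LoginServlet", "config/database.properties", "java/lang/Object"]
    )
    for line in assess_response("/WEB-INF/classes/com/example/LoginServlet.class", sample):
        print(line)
```

Run against the bodies returned for `/WEB-INF/...` URLs after the remediation, the expected result is an empty finding list, since a correctly configured server returns an error page rather than class bytes; any non-empty result means the folder is still being served.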

Rationale

The WEB-INF directory contains sensitive Java application internals that should never be publicly accessible. Attackers can decompile exposed .class files to recover source code, revealing business logic, authentication mechanisms, and security controls. Properties files often contain database credentials, API keys, encryption secrets, and internal service endpoints. This information provides attackers with everything needed to compromise the application and its backend infrastructure.

Remediation

The web server should be configured not to serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java classes and properties files that may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach.