Source Code Disclosure via Accessible Source Code Folder
Variants:
Direct
Also Known As:
WEB-INF Directory Information Disclosure, bin Directory Information Disclosure
Vector Type:
Attack
Relevance:
Generic
Layer:
Application-Level
Platforms:
ASP.Net, JSP
Target Type:
Web Application
Affected Mechanisms:
Web Server Configuration, Web Application Configuration, Hardening
Invented In:
01/01/1999
Added In:
01/01/2015
Vector Operation Method:
The server-side source code of a web application can be disclosed by directly requesting the technology-specific directories that store its server-side code libraries, such as the bin directory in ASP.NET or the WEB-INF directory in Java. If access to these directories is not protected, directly requesting the compiled library files stored there (XML, class, lib or DLL) causes them to be downloaded to the attacker's station, where they can later be decompiled.
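A detection-side illustration of the operation described above, added here and not part of the original entry: it scans web server access logs for requests under bin or WEB-INF that were answered with a 2xx status. The Common Log Format layout, the reading of "lib" as .jar, the function names and the sample log lines are all assumptions of this example.

```python
import re
from urllib.parse import unquote

# Directories named in the entry: ASP.NET bin and Java WEB-INF (lower-cased).
PROTECTED_DIRS = {"bin", "web-inf"}
# File types the entry lists; ".jar" is this example's reading of "lib".
ARTEFACT_EXTS = (".xml", ".class", ".jar", ".dll")
# Request target and status code of a Common/Combined Log Format line.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2015:10:00:01 +0000] "GET /app/WEB-INF/web.xml HTTP/1.1" 200 2143',
    '203.0.113.5 - - [10/Jan/2015:10:00:02 +0000] "GET /app/%57EB-INF/classes/Login.class HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2015:10:00:03 +0000] "GET /site/bin/App.dll HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Jan/2015:10:00:04 +0000] "GET /site/Bin/App.dll HTTP/1.1" 200 88064',
    '198.51.100.7 - - [10/Jan/2015:10:00:05 +0000] "GET /cgi-bin/status.xml HTTP/1.1" 200 310',
]

def path_segments(target):
    """Split a request target into decoded, lower-cased path segments."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/").lower()
    # Drop any ";param" suffix (e.g. ;jsessionid) and empty or "." segments.
    segs = [s.split(";", 1)[0] for s in path.split("/")]
    return [s for s in segs if s not in ("", ".")]

def is_disclosure(line):
    """True when a listed file type under bin/ or WEB-INF/ was served (2xx)."""
    m = LOG_RE.search(line)
    if m is None or not m.group("status").startswith("2"):
        return False  # unparsable line, or the server refused the request
    segs = path_segments(m.group("target"))
    if len(segs) < 2:
        return False
    in_protected_dir = any(s in PROTECTED_DIRS for s in segs[:-1])
    return in_protected_dir and segs[-1].endswith(ARTEFACT_EXTS)

def find_disclosures(lines):
    """Return the log lines that record a successful download."""
    return [line for line in lines if is_disclosure(line)]

if __name__ == "__main__":
    for hit in find_disclosures(SAMPLE_LOG):
        print("ALERT:", hit)
```

Matching on whole path segments keeps unrelated directories such as cgi-bin out of the results, and checking the status code separates a blocked request from an actual download.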