Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Low Severity: Hidden Directory Detected #4973

Open
2 of 9 tasks
manojtyagi2021 opened this issue Sep 17, 2021 · 0 comments
Open
2 of 9 tasks

Low Severity: Hidden Directory Detected #4973

manojtyagi2021 opened this issue Sep 17, 2021 · 0 comments
Labels
community Community Raised Issue

Comments

@manojtyagi2021
Copy link

Stratos Version

4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

AppScan DAST scan should not report Hidden Directory Detected vulnerability

Actual behaviour

AppScan DAST scan reports Hidden Directory Detected vulnerability

Steps to reproduce the behavior

AppScan DAST scans for Stratos URL https://ui.169.53.186.50.nip.io/

The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the
directory, even though access is not allowed.

Log output covering before error and any error statements

image

Detailed Description

The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the
directory, even though access is not allowed.

Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
Causes: The web server or application server are configured in an insecure way

Context

Possible Implementation

Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely

@richard-cox richard-cox added the community Community Raised Issue label Sep 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
community Community Raised Issue
Projects
None yet
Development

No branches or pull requests

2 participants