cloudfoundry/stratos

Low Severity: Hidden Directory Detected

manojtyagi2021 opened this issue · 0 comments

Stratos Version

4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

AppScan DAST scan should not report Hidden Directory Detected vulnerability

Actual behaviour

AppScan DAST scan reports Hidden Directory Detected vulnerability

Steps to reproduce the behavior

AppScan DAST scan of the Stratos URL https://ui.169.53.186.50.nip.io/

The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the
directory, even though access is not allowed.

Log output covering before error and any error statements

(screenshot attached to the original issue)

Detailed Description

The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the
directory, even though access is not allowed.

Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
Causes: The web server or application server is configured in an insecure way

Context

Possible Implementation

Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely