Low Severity: Hidden Directory Detected #4973
Description
Stratos Version
4.4.0
Frontend Deployment type
- Cloud Foundry Application (cf push)
- Kubernetes, using a helm chart
- Docker, single container deploying all components
- npm run start
- Other (please specify below)
Backend (Jet Stream) Deployment type
- Cloud Foundry Application (cf push)
- Kubernetes, using a helm chart
- Docker, single container deploying all components
- Other (please specify below)
Expected behaviour
AppScan DAST scan should not report Hidden Directory Detected vulnerability
Actual behaviour
AppScan DAST scan reports Hidden Directory Detected vulnerability
Steps to reproduce the behavior
AppScan DAST scans for Stratos URL https://ui.169.53.186.50.nip.io/
The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the
directory, even though access is not allowed.
Log output covering before error and any error statements
Detailed Description
The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the
directory, even though access is not allowed.
Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
Causes: The web server or application server are configured in an insecure way
Context
Possible Implementation
Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely