HawkScan Test Info for Source Code Disclosure - /WEB-INF folder

Source Code Disclosure - /WEB-INF folder

Reference

Plugin Id: 10045 | CWE: 541

Remediation

  1. Configure web server: Ensure the web server is configured to deny access to the /WEB-INF folder and its contents.
  2. Directory restrictions: Implement proper directory access controls to prevent direct access to application files.
  3. Code obfuscation: Implement code obfuscation as an additional layer of defense for compiled Java classes.
  4. Security testing: Regularly test for exposed sensitive directories and files.
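Step 1 is the one that matters most: a servlet container already refuses direct requests for /WEB-INF (the Servlet specification forbids serving it), so disclosure usually arises when a reverse proxy, CDN or static file server in front of the application serves the exploded webapp directory itself. The guard below is an added example, not HawkScan's or any project's code; it is a hypothetical WSGI-style front layer that decides whether a request path resolves to WEB-INF or META-INF only after the same normalisation a web server applies (percent-decoding, backslashes, dot segments, case folding), because a naive prefix check on the raw path misses equivalent spellings.

```python
"""Hypothetical request guard for a proxy or Python front layer that serves a Java
web application's directory tree. Denies any path that resolves to /WEB-INF or
/META-INF after normalisation, then returns 404 so the listing reveals nothing."""
import posixpath
from urllib.parse import unquote

# Directories the Servlet specification requires to be unreachable by clients.
PROTECTED = ("WEB-INF", "META-INF")


def normalize_path(raw_path: str) -> str:
    """Return the canonical absolute path a web server would map this request to."""
    path = raw_path.split("?", 1)[0]          # ignore the query string
    for _ in range(3):                        # collapse repeated encoding (%252F -> %2F -> /)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.split("\0", 1)[0]             # older stacks truncate at NUL; compare what they see
    path = path.replace("\\", "/")            # Windows-hosted servers accept backslash separators
    # normpath resolves '.' and '..' segments; the leading '/' keeps it rooted at the webapp
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected_path(raw_path: str) -> bool:
    """True if any segment of the normalised path is WEB-INF or META-INF.

    The comparison is case-insensitive: on a case-insensitive filesystem
    'web-inf' and 'WEB-INF' are the same directory."""
    segments = [s for s in normalize_path(raw_path).split("/") if s]
    return any(seg.upper() in PROTECTED for seg in segments)


def wsgi_guard(app):
    """Wrap a WSGI app so protected paths are answered with 404 before it runs.

    PATH_INFO is already percent-decoded by WSGI servers; normalize_path is
    idempotent on decoded input, so the same function serves both raw and decoded paths."""
    def guarded(environ, start_response):
        if is_protected_path(environ.get("PATH_INFO", "")):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        return app(environ, start_response)
    return guarded
```

Pair the guard with a deny rule in the proxy configuration itself; the code is a safety net, not a substitute for not exposing the directory in the first place.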

About

Source Code Disclosure in the /WEB-INF folder occurs when the Java class files under a web application's WEB-INF directory are accessible via web requests. These class files can be decompiled to reveal source code that closely matches the original implementation, exposing business logic, credentials, and other sensitive information.

Risks

Risk level: High

Exposure of Java class files can lead to complete source code disclosure, revealing business logic, hardcoded credentials, API keys, database connection strings, and other sensitive information that attackers can exploit.