Code-Racing / brickyard


CONTRAST: Insecure JSP Placement #71

Open valvolineford opened 4 years ago

valvolineford commented 4 years ago

Vulnerability ID: 7ECR-D0FE-N8F3-D8KL

Application Name: AgentMessageGeneratorJava

Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/6394f24f-037b-43bb-8ac2-05fa5fb5d862/vulns/7ECR-D0FE-N8F3-D8KL

What Happened?

The following JSP files were observed outside of the /WEB-INF directory:

- /evaluate.jsp
- /write-char-array.jsp
- /ping.jsp
- /print.jsp
- /println.jsp
- /unvalidated-forward.jsp
- /write-char-array-with-offset.jsp
- /write-string.jsp
- /write-string-with-offset.jsp

What's the risk?

The application has JSPs outside of the /WEB-INF directory. It's considered a best practice and security feature to have all JSPs stored inside /WEB-INF, where no files can be browsed to directly. As it stands, the JSP files can be browsed to, which means the application must utilize a compensating security control inside a servlet filter or otherwise to prevent direct access. Many times, exploitation of these files is difficult to maximize because requisite session or request data aren't present. And, even if unauthorized pages can be browsed to, they are often broken or non-functional because the accompanying server-side action was never fired. However, this is an easy issue to address, and can still lead to serious server-side information leakage.

Recommendation

You should move all JSP files that are not intended to be directly accessed inside the WEB-INF folder. Update your code to forward to these pages in their new locations. This will prevent them from being accessed directly through directory browsing. Note that JSP files that are intended to be browsed directly, such as an error page like 404.jsp, should remain in the application's base directory.

If you're using Spring, consider moving to a TilesViewResolver.

First Event

(no event)

Last Event

(no event)

HTTP Request

(No HTTP Request)

References

https://www.owasp.org/index.php/Insecure_Configuration_Management
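The two fixes the report describes, as an added example that is not code from the brickyard project or from the Contrast report: a servlet that forwards to a JSP relocated under /WEB-INF (the container never serves that directory to a browser, so the page is reachable only through the servlet that prepares its request data), and a servlet filter acting as the compensating control for any JSP that has to stay outside /WEB-INF for now. The target path /WEB-INF/jsp/print.jsp, the /print mapping, the "message" attribute and the 404.jsp allow-list are assumptions; the code targets the Servlet 3.x API (javax.servlet) and is shown as two source files.

```java
// ---- PrintServlet.java ----
// Added example: renders print.jsp after moving it under /WEB-INF.
// Assumes the file now lives at /WEB-INF/jsp/print.jsp (assumed path).
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/print")
public class PrintServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Request data the JSP depends on is set here, before the dispatch,
        // so the page is never rendered without its server-side action.
        req.setAttribute("message", "hello"); // assumed attribute name

        // A forward is a server-side dispatch: the browser never sees the
        // /WEB-INF path, and the container refuses direct requests to it.
        req.getRequestDispatcher("/WEB-INF/jsp/print.jsp").forward(req, resp);
    }
}

// ---- DirectJspAccessFilter.java ----
// Added example: compensating control for JSPs still outside /WEB-INF.
// Rejects browser requests that name a .jsp directly. A @WebFilter without
// dispatcherTypes applies to REQUEST dispatches only, so forwards such as
// the one in PrintServlet are not intercepted.
import java.io.IOException;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "*.jsp")
public class DirectJspAccessFilter implements Filter {

    // Pages that are meant to be browsed directly (assumed allow-list).
    private static final Set<String> DIRECTLY_BROWSABLE = Set.of("/404.jsp");

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        if (isDirectlyBrowsable(req.getServletPath())) {
            chain.doFilter(request, response);
            return;
        }
        // Respond as if the page does not exist rather than confirming it.
        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    static boolean isDirectlyBrowsable(String servletPath) {
        return servletPath != null && DIRECTLY_BROWSABLE.contains(servletPath);
    }
}
```

Moving the files is the real fix; the filter only narrows the window while the forwards are being updated, and it should be removed once no JSP remains outside /WEB-INF, so that it cannot be misconfigured later. The same allow-list logic can be expressed in web.xml with a `<filter-mapping>` on `*.jsp` if the project does not use annotations.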