Sitemap Detected
- CWE 425
- WASC 34
Predictable Resource Location is an attack technique used to uncover hidden web site content and functionality. By making educated guesses via brute forcing an attacker can guess file and directory names not intended for public viewing. Brute forcing filenames is easy because files/paths often have common naming convention and reside in standard locations. These can include temporary files, backup files, logs, administrative site sections, configuration files, demo applications, and sample files. These files may disclose sensitive information about the website, web application internals, database information, passwords, machine names, file paths to other sensitive areas, etc...
This will not only assist with identifying site surface which may lead to additional site vulnerabilities, but also may disclose valuable information to an attacker about the environment or its users.
Remediation
For content not required to be world accessible either proper access controls should be applied, or removal of the content itself.
References
Search Vulnerability
You may also see
- Readable .htaccess file
- apc.php page
- Webalizer script
- phpinfo page
- Apache perl-status Enabled
- Apache server-info Enabled
- Apache server-status Enabled
- JetBrains .idea project directory
- AWStats script
- elmah.axd Detected
- Core dump checker PHP script
- trace.axd Detected
- .DS_Store file
- Macromedia Dreamweaver database scripts
- Help file
- robots.txt Detected
- Sitemap Detected
- crossdomain.xml Detected
- Silverlight Client Access Policy
- Laravel log file
- Code Repository
- Configuration File
- Administration page
- Predictable Resource Location
- Code Repository
- Configuration File
- Administration page