Source Code Disclosure
- CWE 200
- CWE 538
- OWASP 2017-A3
Source Code Disclosure occurs when an application unintentionally exposes its source code to unauthorized users. This can happen through misconfigured web servers, backup files, version control directories, debug endpoints, or improper error handling. Exposure of source code can give attackers detailed insight into the application's logic, vulnerabilities, and sensitive information such as credentials, API keys, and database connection strings. Source code disclosure significantly increases the likelihood and ease of exploiting other vulnerabilities.
Common patterns leading to source code disclosure:
- Serving files with source code extensions (
.php,.java,.py,.js,.config) via the web server. - Backup or temporary files (
.bak,.old,.swp,.zip) accessible on the web root. - Version control directories (e.g.,
.git,.svn) left accessible. - Detailed error messages that include snippets of source code.
- Misconfigured server-side template rendering exposing templates as plain text.
Impacts:
- Information Disclosure: Reveals application logic, database schemas, credentials, and sensitive business logic.
- Facilitates Exploitation: Attackers can identify vulnerabilities more easily (SQLi, XSS, LFI, RFI, etc.).
- Intellectual Property Theft: Proprietary code and algorithms may be stolen.
- Regulatory Risk: Exposure of personal or sensitive data in code may violate compliance laws.
Detection indicators:
- Requests for source files returning actual source code instead of executed results.
- Public access to
.git,.svn, or other version control directories. - Existence of backup, temporary, or test files in web-accessible directories.
- Web server misconfigurations serving raw code instead of executing scripts.
Remediation
Preventing source code disclosure requires securing web servers, directories, and version control systems:
Do Not Serve Source Files Directly
Ensure the web server executes scripts instead of serving them as plain text. Verify MIME types and server execution settings.Move Sensitive Files Outside Web Root
Store configuration files, templates, and other non-public code outside the web-accessible directory.Disable Directory Listings
Prevent automatic directory browsing to avoid exposing code files unintentionally.Remove Backup and Temporary Files
Audit and remove.bak,.old,.swp, and other backup files from production servers.Secure Version Control Directories
Block access to.git,.svn, or similar directories. Use server configuration or.htaccessrules to deny access.Sanitize Error Messages
Avoid including code snippets or detailed file paths in error responses.Use Least Privilege for File Access
Limit filesystem permissions so the web server cannot read files not required for runtime execution.Security Testing and Code Review
Include source code exposure checks in penetration testing, automated scanners, and security code reviews.Encrypt Sensitive Configurations
When storing secrets or credentials in source code is unavoidable, encrypt them and retrieve at runtime securely.
References
Search Vulnerability
You may also see
- Long Redirect Response
- Error Message
- Stack Trace
- Internal Path
- Not Secure Cookie
- Not Http-Only Cookie
- Sensitive Data in Query String
- Sensitive Data over HTTP
- Server Error
- Source Code Disclosure
- Information Leakage
- Web Backdoor
- Database Connection String
- Autocomplete Enabled
- Undefined Content-Type Header
- Missing X-Frame-Options Header
- File Upload Input Detected
- Mixed Content
- Insecure iFrame
- XPath Injection
- Basic Authentication over HTTP
- Forbidden Resource
- Multiple Choices Enabled
- Apache MultiViews Enabled
- GraphQL Endpoint Detected