Low Severity: Hidden Directory Detected

[manojtyagi2021]

Stratos Version

4.4.0

Frontend Deployment type

• Cloud Foundry Application (cf push)
• Kubernetes, using a helm chart
• Docker, single container deploying all components
• npm run start
• Other (please specify below)

Backend (Jet Stream) Deployment type

• Cloud Foundry Application (cf push)
• Kubernetes, using a helm chart
• Docker, single container deploying all components
• Other (please specify below)

Expected behaviour

AppScan DAST scan should not report Hidden Directory Detected vulnerability

Actual behaviour

AppScan DAST scan reports Hidden Directory Detected vulnerability

Steps to reproduce the behavior

AppScan DAST scans for Stratos URL https://ui.169.53.186.50.nip.io/

The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the
directory, even though access is not allowed.

Log output covering before error and any error statements

Detailed Description

The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the
directory, even though access is not allowed.

Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
Causes: The web server or application server are configured in an insecure way

Context

Possible Implementation

Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely