Security Test: Source code disclosure
Description
Default Severity:
When a website accidentally exposes its own source code, attackers can see exactly how it works behind the scenes. This exposure usually happens because the server is not configured to keep sensitive files out of the web root, or because error messages reveal too much detail. Someone who can read your source code can look for weak spots, sensitive configuration, or hard-coded credentials, and use them to craft more targeted attacks that can lead to larger breaches. Developers often overlook file permissions and secure error handling, or misconfigure their servers, which opens the door to this kind of vulnerability.
Reference:
Configuration
Identifier:
information_disclosure/code
Examples
All available configuration:
checks:
  information_disclosure/code:
    skip: false # default
    options:
      diff_threshold: 0.1 # default
      size_threshold: 200 # default
      small_response_diff_threshold: 0.4 # default
Options
Options can be set in the options key of the Security Test Configuration.
Property | Type | Default | Description |
---|---|---|---|
diff_threshold | number | 0.1 | The percentage by which two responses can differ and still be considered identical. |
size_threshold | number | 200 | The size threshold that decides whether a response counts as small. |
small_response_diff_threshold | number | 0.4 | The percentage by which two small responses can differ and still be considered identical. |
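To make the three options concrete, here is an added example (not the scanner's own code) of how a response-comparison step might apply them: the page does not state which difference metric the scanner uses, so the difflib similarity ratio, the strict "less than size_threshold" comparison, and the helper names below are all assumptions. Responses that a probe returns are compared against a baseline; those that differ by no more than the applicable threshold are treated as the same (for example the same generic error page served for every unusual path), while materially different ones are worth a look.

```python
import difflib

# Defaults taken from the configuration block on this page.
DEFAULT_CONFIG = {
    "diff_threshold": 0.1,
    "size_threshold": 200,
    "small_response_diff_threshold": 0.4,
}


def difference_ratio(a: str, b: str) -> float:
    """Fraction of the two bodies that differs, in [0.0, 1.0].
    Assumption: difflib's similarity ratio is used as the metric
    (autojunk disabled so long repetitive bodies are not mis-scored)."""
    if not a and not b:
        return 0.0
    return 1.0 - difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def responses_identical(a: str, b: str, config: dict = DEFAULT_CONFIG) -> bool:
    """True when the bodies are close enough to be treated as one response.
    Both bodies under size_threshold (assumed strict '<') use the looser
    small_response_diff_threshold, because a few changed bytes in a short
    body is a large relative change (e.g. a request id in an error page)."""
    size = config["size_threshold"]
    is_small = len(a) < size and len(b) < size
    threshold = config["small_response_diff_threshold"] if is_small else config["diff_threshold"]
    return difference_ratio(a, b) <= threshold


def looks_like_disclosure(baseline: str, probe: str, config: dict = DEFAULT_CONFIG) -> bool:
    """A probe response materially different from the baseline is flagged
    for review; near-identical ones are treated as noise."""
    return not responses_identical(baseline, probe, config)


# Constructed sample bodies (not captured from any real site).
BASELINE_404 = "<html><body><h1>404 Not Found</h1><p>Request id 1a2b3c</p></body></html>"
SAME_404 = "<html><body><h1>404 Not Found</h1><p>Request id 9f8e7d</p></body></html>"
LEAKED_SOURCE = "<?php\n$db = new PDO('mysql:host=db;dbname=app', 'app', 'PLACEHOLDER');\n"

if __name__ == "__main__":
    print(responses_identical(BASELINE_404, SAME_404))        # only the request id changed
    print(looks_like_disclosure(BASELINE_404, LEAKED_SOURCE))  # a very different body
```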
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API7:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 6.5.4 |
GDPR | Article-32 |
SOC2 | CC6 |
PSD2 | Article-95 |
ISO 27001 | A.14.1 |
NIST | SP800-53 |
FedRAMP | AC-4 |
CWE | 200 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
CVSS Score | 7.2 |