The 'X-SourceFiles' header may expose internal file structures, paths, or references within the application environment. By analyzing this header, attackers could discover code files, local directories, or project organization details, enabling them to craft more targeted exploits. This information leak can aid in reconnaissance and open opportunities for attacks like directory traversal, source code theft, or discovering hidden endpoints. Ultimately, disclosing file paths and structures through 'X-SourceFiles' broadens the application's attack surface, giving adversaries deeper insight into the internal workings of the system.
Remove or sanitize the 'X-SourceFiles' header so that no file or directory information is exposed. Configure the web server, reverse proxy, or load balancer to omit this header in production environments, and avoid embedding internal paths in any response metadata. Employ a Web Application Firewall (WAF) or intrusion detection system to monitor for attempts to leverage leaked file path data. Regularly review server configurations and response headers in logs to confirm that no internal file references are inadvertently disclosed to unauthorized parties.
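Added example (not part of the original page): a small Python audit that parses captured response header lines, flags the 'X-SourceFiles' header regardless of case, decodes the path it carries so a reviewer can see exactly what is leaked, and produces the header set a reverse proxy should forward instead. The sample response and path are constructed; the RFC 2047 encoded-word wrapping (`=?UTF-8?B?...?=`) is assumed from how IIS Express emits the header, and plain base64 is accepted as well.

```python
import base64
import binascii
import re

# Header names that reveal server internals; matched case-insensitively.
DEBUG_HEADERS = {"x-sourcefiles"}
# Assumed wrapping: IIS Express emits the value as an RFC 2047 encoded-word.
_ENCODED_WORD = re.compile(r"^=\?utf-8\?b\?([A-Za-z0-9+/=]+)\?=$", re.IGNORECASE)

# Constructed sample of a debug-build response; the path is made up for this example.
CONSTRUCTED_PATH = r"C:\Users\dev\source\repos\Shop\Controllers\OrderController.cs"
SAMPLE_B64 = base64.b64encode(CONSTRUCTED_PATH.encode("utf-8")).decode("ascii")
SAMPLE_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Server: Microsoft-IIS/10.0",
    f"X-SourceFiles: =?UTF-8?B?{SAMPLE_B64}?=",
    "X-Powered-By: ASP.NET",
]

def _split(line):
    # (name, value) for a header line, or None for the status line / malformed input.
    if ":" not in line or line.startswith("HTTP/"):
        return None
    name, value = line.split(":", 1)
    return name.strip(), value.strip()

def decode_source_files(value):
    # Decode the path an X-SourceFiles value carries; None if it is not decodable.
    m = _ENCODED_WORD.match(value)
    try:
        return base64.b64decode(m.group(1) if m else value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def audit_response(lines):
    # Map each leaked debug header to what it reveals (decoded where possible).
    leaked = {}
    for parsed in map(_split, lines):
        if parsed and parsed[0].lower() in DEBUG_HEADERS:
            name, value = parsed
            leaked[name] = decode_source_files(value) or value
    return leaked

def strip_debug_headers(lines):
    # What a reverse proxy should forward: the same response minus the debug headers.
    return [l for l in lines if not ((p := _split(l)) and p[0].lower() in DEBUG_HEADERS)]
```

Running `audit_response` over headers captured from a production endpoint (for example from the access or proxy logs mentioned above) gives a quick regression check that the header has really been stripped.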
Code: A05:2021
Category: Security Misconfiguration
5.3