Information Disclosure via X-SourceMap Header

Description

The 'X-SourceMap' header tells a browser's debugger where to find the JavaScript source map for a served script. A source map maps minified production code back to the original files, so publishing it reveals the application's source structure, logic, comments, and potentially sensitive data or internal API endpoints. Attackers who obtain source maps can reverse-engineer the front end, search it for hardcoded secrets, and understand its architecture in far more detail than the minified bundle allows. Exposing source map locations therefore lowers the effort needed to find and exploit vulnerabilities in your codebase.

Remediation

Remove the 'X-SourceMap' header (and its standardised equivalent, 'SourceMap') from production responses, and remove or restrict access to any public-facing '.map' files. Configure your build process to exclude source maps from production deployments, or, if they are needed for debugging, serve them only behind authentication. If you still need source maps for error monitoring, upload them to a private or access-controlled service rather than publishing them alongside the application. Consider using a Web Application Firewall (WAF) or intrusion detection system to flag requests probing for '.map' files. Regularly audit your deployment pipeline to ensure source maps are not leaked inadvertently, and keep sensitive data out of front-end code in the first place.
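The audit step above can be automated: the following check, added here as an illustration and not part of the original finding, inspects a JavaScript response for the two ways a source map is advertised, the 'SourceMap' / 'X-SourceMap' header and the '//# sourceMappingURL=' trailer comment that bundlers append. The sample headers and body are constructed for the example.

```python
import re
from typing import Dict, List

# Response headers that point a debugger at a source map. "SourceMap" is the
# standard name; "X-SourceMap" is the older form this finding describes.
# HTTP header names are case-insensitive, so compare in lower case.
SOURCEMAP_HEADERS = ("sourcemap", "x-sourcemap")

# Comment form of the same pointer, appended by bundlers to the end of a
# JavaScript file. "//@" is the legacy spelling of "//#"; block comments are
# also accepted by browsers.
SOURCEMAP_COMMENT = re.compile(
    r"^\s*(?://|/\*)\s*[#@]\s*sourceMappingURL=(\S+)", re.MULTILINE
)


def find_sourcemap_exposure(headers: Dict[str, str], body: str) -> List[str]:
    """Return every source map location advertised by a script response.

    Each entry names where the pointer was found (header or comment) and the
    map location it references, so a pipeline check can fail the deployment
    when the list is non-empty.
    """
    found: List[str] = []
    for name, value in headers.items():
        if name.lower() in SOURCEMAP_HEADERS:
            found.append(f"header {name}: {value.strip()}")
    for match in SOURCEMAP_COMMENT.finditer(body):
        # Strip a closing "*/" that a block comment may glue onto the URL.
        url = match.group(1).rstrip("*/ ")
        found.append(f"comment sourceMappingURL: {url}")
    return found


# Constructed sample: a production bundle that still carries both pointers.
SAMPLE_HEADERS = {
    "Content-Type": "application/javascript",
    "X-SourceMap": "/static/js/app.3f9c.js.map",
}
SAMPLE_BODY = (
    '!function(){var e="build 3f9c";console.log(e)}();\n'
    "//# sourceMappingURL=app.3f9c.js.map\n"
)

if __name__ == "__main__":
    for finding in find_sourcemap_exposure(SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```

Run it against each JavaScript asset fetched from a staging build; any output means a source map pointer reached production.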

References

https://developer.mozilla.org/en-US/docs/Tools/Debugger/How_to/Use_a_source_map
https://owasp.org/www-community/attacks/Information_exposure

Severity

HIGH

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.5

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.5