Detail

Web.config File Detected

Severity: Information

Summary #

Netsparker detected a possible ASP.NET configuration file (web.config).

Impact #
Depending on the web.config file, database connection strings, username and passwords, the internal workings, used and referenced libraries and business logic of application might be revealed. With such information, an attacker can mount the following types of attacks:
  • Access the database or other data resources. Depending on the privileges of the account obtained, it may be possible to read, update or delete arbitrary data from the database.
  • Gain access to password protected administrative mechanisms such as dashboards, management consoles and admin panels, hence gaining full control of the application.
  • Develop further attacks by investigating the application configuration.
Actions To Take #
  1. Confirm the web.config file is actually the web application's web.config file.
  2. If it is a real web.config file, change your configuration to prevent public users from accessing it. If it is not, then remove it from the web server.
Classifications #
CAPEC-87; CWE-425; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-34; OWASP PC-C6; OWASP 2013-A7; OWASP 2017-A5 , CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

Select Category

OR

Search Vulnerability

Tags

OWASP 2013-A7  OWASP 2017-A5 

Related Vulnerabilities

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo

Netsparker Ltd
220 Industrial Blvd Ste 102
Austin, TX 78745

© Netsparker 2021, by Invicti

RESOURCES

USE CASES

WEB SECURITY

COMPANY

© Netsparker 2021, by Invicti

Subscription Services Agreement Data Protection Policy Information Security Policy Privacy Policy Sitemap