Web.config File Detected
Severity: Information
Summary
Netsparker detected a possible ASP.NET configuration file (web.config).
Impact
Depending on the
web.config file, database connection strings, username and passwords, the internal workings, used and referenced libraries and business logic of application might be revealed. With such information, an attacker can mount the following types of attacks:- Access the database or other data resources. Depending on the privileges of the account obtained, it may be possible to read, update or delete arbitrary data from the database.
- Gain access to password protected administrative mechanisms such as dashboards, management consoles and admin panels, hence gaining full control of the application.
- Develop further attacks by investigating the application configuration.
Actions To Take
- Confirm the
web.configfile is actually the web application'sweb.configfile. - If it is a real
web.configfile, change your configuration to prevent public users from accessing it. If it is not, then remove it from the web server.
Classifications
CAPEC-87, WASC-34, OWASP PC-C6, OWASP 2013-A7
, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
Vulnerability Index
You can search and find all vulnerabilities
Select Category
OR
Search Vulnerability
