ASP.NET Source Code Disclosure Web Vulnerability
Netsparker identified a web page that discloses server-side source code. An attacker can obtain the source code of the web application, which can contain sensitive data such as "database connection strings", "username" and "password". The operational and technical logic of the application can also be revealed.
Depending on the nature of the source code disclosed, an attacker can mount one or more of the following types of attacks:
- Access the database or other data resources. With the privileges of the account obtained, attempt to read, update or delete arbitrary data in the database.
- Access password protected administrative mechanisms such as "dashboard", "management console" and "admin panel" potentially leading to full control of the application.
- Develop further attacks by investigating the source code for input validation errors and logic vulnerabilities.
Actions to Take
- Confirm exactly which aspects of the source code are actually disclosed; due to the limitations of this type of vulnerability it might not be possible to confirm this in all instances. Confirm that this is not intended functionality.
- If it is a file required by the application, change its permissions to prevent public users from accessing it. If it is not, then remove it from the web server.
- Ensure that the server has all the current security patches applied.
- Remove all temporary and backup files from the web server.
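A repeatable way to carry out the last two actions above is to audit the web root for backup and temporary copies of source and configuration files, then inspect each hit for the kind of data the advisory describes (connection strings, user IDs, passwords). The script below is an added example written for this page, not Netsparker's own tooling. It relies on the fact that IIS request filtering denies `.cs`, `.vb` and `.config` by default but does not deny copies of those files saved as `.bak`, `.old`, `.txt` or an editor's `~`/`.swp` file, which is why such copies end up served as plain text. The sample web root it builds, and the file names and contents inside it, are constructed placeholders.

```python
"""Audit an ASP.NET web root for backup/temporary copies of source and config
files that a web server would serve as plain text (added example; the sample
site it builds is constructed, not a real deployment)."""
import os
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple, Optional

# Trailing suffixes that editors, deployment tools and admins leave behind.
# IIS blocks .cs/.vb/.config by default, but not files ending in these.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".tmp", ".save", ".swp", ".copy", ".txt", "~")

# Inner extensions whose contents would reveal server-side logic or secrets.
SENSITIVE_INNER = {
    ".config": "configuration file (connection strings, appSettings)",
    ".cs": "C# source",
    ".vb": "VB.NET source",
    ".aspx": "ASP.NET page (may contain inline server code)",
    ".ashx": "ASP.NET handler source",
    ".asax": "Global.asax application code",
    ".master": "master page (may contain inline server code)",
}

# Indicators that a disclosed file holds the data the advisory warns about.
SECRET_HINTS = {
    "connection string": re.compile(r"connectionString", re.IGNORECASE),
    "password": re.compile(r"password\s*=", re.IGNORECASE),
    "user id": re.compile(r"user\s*id\s*=", re.IGNORECASE),
}


class Finding(NamedTuple):
    relpath: str      # path relative to the web root, i.e. the URL path a client would use
    kind: str         # what kind of sensitive file this backup is a copy of
    hints: List[str]  # secret indicators found in its content


def classify(filename: str) -> Optional[str]:
    """Return the sensitive-file kind if `filename` is a backup copy of one, else None."""
    lower = filename.lower()
    for suffix in BACKUP_SUFFIXES:
        if lower.endswith(suffix):
            # Strip the backup suffix and look at the extension underneath it,
            # e.g. "web.config.bak" -> ".config", ".login.aspx.cs.swp" -> ".cs".
            inner_ext = os.path.splitext(lower[:-len(suffix)])[1]
            if inner_ext in SENSITIVE_INNER:
                return SENSITIVE_INNER[inner_ext]
    return None


def secret_hints(path: Path) -> List[str]:
    """List which secret indicators appear in the file (read leniently; backups may be binary)."""
    text = path.read_text(encoding="utf-8", errors="ignore")
    return [name for name, rx in SECRET_HINTS.items() if rx.search(text)]


def audit_webroot(root) -> List[Finding]:
    """Walk the web root and report every backup/temp copy of a sensitive file."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        kind = classify(path.name)
        if kind is None:
            continue
        findings.append(Finding(path.relative_to(root).as_posix(), kind, secret_hints(path)))
    return sorted(findings)


def build_demo_root(base) -> Path:
    """Create a constructed sample web root for demonstration (placeholder content only)."""
    root = Path(base) / "wwwroot"
    files = {
        "web.config": "<configuration><connectionStrings/></configuration>",  # live file; not a backup
        "web.config.bak": '<connectionStrings><add connectionString="Server=db;User Id=app;Password=placeholder"/></connectionStrings>',
        "Account/Login.aspx.cs.old": "public partial class Login : Page { }",
        "Default.aspx~": '<%@ Page Language="C#" %>',
        "Content/site.css.bak": "body { margin: 0 }",  # a backup, but not of a sensitive file
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def run_demo() -> List[Finding]:
    """Build the constructed sample root in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_webroot(build_demo_root(tmp))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.relpath}: {f.kind}; secret indicators: {', '.join(f.hints) or 'none'}")
```

Run it against a real web root with `audit_webroot(r"C:\inetpub\wwwroot")` (path assumed; substitute your own). Each finding is a file to delete from the server or, if the application genuinely needs it, to move outside the web root; for suffixes that must stay, the IIS-side control is a request filtering `fileExtensions` deny entry for that suffix so the server refuses to serve it at all.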
Required Skills for Successful Exploitation
This depends on the information obtained from the source code. Uncovering this form of vulnerability does not require a high level of skill. However, a highly skilled attacker could leverage it to obtain account information for databases or administrative panels, ultimately leading to control of the application.