Description
File and directory paths reveal information about the structure of the file system of the underlying OS. While this information does not directly impact the target, it provides valuable insights attackers can exploit. Attackers can leverage disclosed paths to gain knowledge of the system’s configuration and potentially identify additional attack vectors.
Recommendation
If the disclosure is unintentional, fix the underlying cause and ensure that paths are not revealed through errors or misconfigurations. Implement robust access controls and input validation to prevent unintended disclosure of sensitive information.
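The following added example (not part of the original advisory) contrasts an error handler that echoes exception text to the client with one that logs the detail server-side and returns only a reference id, plus a heuristic check usable in regression tests on response bodies. The function names, the logger name, the list of Unix root directories and the sample exception are assumptions made for illustration.

```python
import logging
import re
import uuid

log = logging.getLogger("app.errors")  # hypothetical logger name

# Heuristic patterns (assumption): absolute paths as they appear in stack
# traces. The lookbehind keeps URL paths such as https://host/var/x out.
_WIN = r"\b[A-Za-z]:\\(?:[\w.-]+\\)*[\w.-]+"
_UNIX = r"(?<![\w/.:-])/(?:var|home|usr|etc|opt|srv|tmp|root)(?:/[\w.-]+)+"
PATH_RE = re.compile(_WIN + "|" + _UNIX)


def find_disclosed_paths(body: str) -> list[str]:
    """Return the distinct file system paths found in a response body."""
    return sorted({m.group(0).rstrip(".") for m in PATH_RE.finditer(body)})


def verbose_error_response(exc: BaseException) -> dict:
    """The 'before': exception text, including any path, reaches the client."""
    return {"status": 500, "body": f"Error: {exc}"}


def safe_error_response(exc: BaseException) -> dict:
    """The 'after': full detail goes to the server log, the client gets an id."""
    incident = uuid.uuid4().hex
    log.error("unhandled error, incident=%s", incident, exc_info=exc)
    return {"status": 500, "body": f"Internal error. Reference: {incident}"}


# Constructed sample inputs, not taken from any real system.
SAMPLE_EXC = FileNotFoundError(
    2, "No such file or directory", "/var/www/app/config/settings.yaml"
)
SAMPLE_WIN_TRACE = r"at C:\inetpub\wwwroot\shop\Default.aspx.cs:line 12"
SAMPLE_CLEAN_HTML = '<a href="https://example.com/var/www">docs</a>'

if __name__ == "__main__":
    for resp in (verbose_error_response(SAMPLE_EXC),
                 safe_error_response(SAMPLE_EXC)):
        print(resp["body"], "->", find_disclosed_paths(resp["body"]))
```

Running `find_disclosed_paths` over every error response in an integration test suite catches regressions where a new code path starts leaking paths again.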
References
- Microsoft Security Development Lifecycle (SDL)
- OWASP: Information Leakage
- CWE-200
- CAPEC-118
- OWASP 2021-A5