Description
Unreferenced resources in web applications (old backups, editor leftovers, superseded configuration files, test pages) may reveal sensitive information and give attackers insight into potential attack vectors. Although these resources are not linked or referenced anywhere within the application, they are still served by the web server and can be requested directly, which may aid an attacker in crafting targeted attacks.
Recommendation
To mitigate the risk of information disclosure, promptly remove or restrict access to unreferenced resources. Relying solely on resource obscurity for security is inadequate; instead, ensure that sensitive resources are adequately protected through access controls and other security measures.
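As an added illustration of the recommendation (not part of the original finding text), the following audit script compares what the site's own HTML actually references against what is present on disk in the deployed web root, and separately flags file names that look like leftover backups. The web root and its contents are constructed sample data; the suffix list is an assumption and should be extended for your own tooling.

```python
import re
import tempfile
from pathlib import Path

# Suffixes commonly left behind by editors, deploy tooling and manual backups (assumed list).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".tmp", "~", ".zip", ".tar.gz")
REF_RE = re.compile(r'(?:href|src)\s*=\s*["\']([^"\'#?]+)')

def referenced_paths(root: Path) -> set[str]:
    """Collect web-root-relative paths referenced by href/src attributes in the site's HTML."""
    refs = {"index.html"}  # the entry page is reachable without being linked from elsewhere
    for html in root.rglob("*.html"):
        for target in REF_RE.findall(html.read_text(errors="ignore")):
            if "://" in target:
                continue  # external link, not a local resource
            base = root if target.startswith("/") else html.parent
            resolved = (base / target.lstrip("/")).resolve()
            try:
                refs.add(resolved.relative_to(root.resolve()).as_posix())
            except ValueError:
                pass  # reference points outside the web root
    return refs

def audit_web_root(root: Path) -> dict[str, list[str]]:
    """Return files nothing links to, and files whose name looks like a leftover backup."""
    refs = referenced_paths(root)
    unreferenced, backups = [], []
    for f in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = f.relative_to(root).as_posix()
        if f.name.endswith(BACKUP_SUFFIXES):
            backups.append(rel)          # remove, or deny at the web server
        elif rel not in refs:
            unreferenced.append(rel)     # review: delete or put behind access control
    return {"unreferenced": unreferenced, "backup_like": backups}

def demo_root() -> Path:
    """Build a small constructed web root for the audit (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    (root / "index.html").write_text('<script src="/js/app.js"></script><a href="about.html">About</a>')
    (root / "about.html").write_text("<p>about</p>")
    (root / "js" / "app.js").write_text("console.log(1)")
    (root / "js" / "app.js.bak").write_text("console.log(0)")     # editor backup
    (root / "config.php.old").write_text("<?php $db = 'secret';")  # superseded config copy
    (root / "admin-notes.txt").write_text("internal")             # nothing links here
    return root

if __name__ == "__main__":
    print(audit_web_root(demo_root()))
```

Run it against a real deployment directory by passing that path to audit_web_root; anything it reports should either be deleted or explicitly covered by access controls rather than left to obscurity.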
References
- OWASP Web Security Testing Guide: Review Old Backup and Unreferenced Files for Sensitive Information
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-552: Files or Directories Accessible to External Parties
- CAPEC-118: Collect and Analyze Information
- OWASP Top 10 2021: A05 Security Misconfiguration