Ulrich Berntien edited this page Sep 6, 2020 · 2 revisions

TWA-0408

Message

"Possible package management file being served (maybe protected?) at: ${url}"

In the message output the variable ${url} is replaced by the URL of the package management file.

Explanation

Files of the package manager (e.g. npm for JavaScript, RubyGems for Ruby, Pipenv for Python, Cargo for Rust) that were used to set up the web server or other applications running on the server should not be published by the web server. In the case reported here the web server does not send the content of the package manager file but an error message "403 Forbidden". From this response a possible attacker learns that the file exists on the web server, and therefore which programming language and which package management system are used.

It is good to prevent serving the internal data files. A better protection is to also hide the existence of the internal data files, i.e. to answer as if they were not there.

Currently (as of August 2020) the twa script checks the files: '.npmrc', 'package.json', 'package-lock.json', '.gem/credentials', 'Gemfile', 'Gemfile.lock', 'Rakefile', '.pypirc', 'setup.py', 'setup.cfg', 'requirements.txt', 'Pipfile', 'Pipfile.lock', 'Cargo.lock' and 'Cargo.toml'.

Remediation

Configure the web server to not publish files with internal data. The web server should respond with "404 Not Found" or with a redirection to a standard error page.

There are several configuration options to suppress files whose names match a pattern in a blacklist, or to serve only files on a whitelist. Search the web for examples for your web server.
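As an added example (not part of this wiki page or the twa project), the nginx server block below hides the package management files listed above by answering "404 Not Found" instead of "403 Forbidden". The host name, the document root path and the .well-known exception are assumptions for the illustration, not values taken from the page.

```nginx
# Added example, not nginx documentation or twa project code.
# Assumptions: document root /var/www/example and host example.com are placeholders.
server {
    listen 80;
    server_name example.com;      # placeholder host name
    root /var/www/example;        # placeholder document root

    # Exception before the blacklist: prefix locations with ^~ win over regex
    # locations, so ACME/other .well-known files are still served from root.
    location ^~ /.well-known/ {
    }

    # Blacklist by file name (case-insensitive, anchored to the last path
    # component). "return 404" is used on purpose: the common "deny all;"
    # would answer 403 and thereby confirm that the file exists, which is
    # exactly what TWA-0408 reports.
    location ~* (^|/)(\.npmrc|package\.json|package-lock\.json|Gemfile|Gemfile\.lock|Rakefile|\.pypirc|setup\.py|setup\.cfg|requirements\.txt|Pipfile|Pipfile\.lock|Cargo\.toml|Cargo\.lock)$ {
        return 404;
    }

    # Any dot-file or dot-directory (covers .gem/credentials, .git, .env, ...)
    # is also answered with 404 rather than 403.
    location ~ /\. {
        return 404;
    }

    # Optional: send all 404 responses to the site's standard error page so the
    # hidden files produce the same page as any other missing resource.
    error_page 404 /404.html;
}
```

Note that a regex location matches only the request URI, not the query string, so `/package.json?x=1` is still caught. After changing the configuration, re-run twa (or request one of the listed file names manually) and confirm the status code is 404, not 403.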
