Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.

Insecure Deployment: Sitemap

Abstract
Ensure that restricted sensitive resources are not exposed through the sitemap.
Explanation
Mapping the application's attack surface and discovering hidden or restricted resources are primary goals of an attacker, and they are often achieved through automated crawling. Search engines discover information about your site in much the same way, using software known as "spiders" to crawl the web. After a spider finds a site, it follows the links within the site to gather information about every page, and it periodically revisits the site to find new or changed content.

Sitemaps provide a detailed view of a website and its organization. Attackers and search bots can consume a sitemap as a shortcut in addition to crawling and indexing the site. Including sensitive or otherwise restricted resources in the sitemap output exposes that functionality to compromise and shortens the attacker's discovery process.
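One practical control is to audit the generated sitemap before it is deployed and fail the build if it lists anything that should not be public. The script below is an added example, not part of the original taxonomy text or any Fortify tooling: it parses a sitemap `urlset` with the standard library, parses the `Disallow` rules of the site's own robots.txt, and flags every `<loc>` whose path falls under a disallowed prefix or under an operator-supplied list of authenticated-only paths. The sitemap, robots.txt and the `RESTRICTED_PREFIXES` list are constructed sample data.

```python
"""Audit a sitemap for entries that point at restricted resources.

Added example (not part of the taxonomy page): parses a sitemap.xml document,
then flags any <loc> whose path falls under a path that robots.txt disallows or
under an operator-supplied list of restricted prefixes. All inputs below are
constructed sample data.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"

# Constructed sample sitemap: public pages mixed with an admin console,
# an internal export and a debug endpoint that should never be listed.
SAMPLE_SITEMAP = """<?xml version="1.0"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/</loc></url>
  <url><loc>https://www.example.com/products/widget</loc></url>
  <url><loc>https://www.example.com/admin/users</loc></url>
  <url><loc>https://www.example.com/internal/reports/export.csv</loc></url>
  <url><loc>https://www.example.com/api/v1/debug</loc></url>
</urlset>
"""

# Constructed sample robots.txt: what the site already tells crawlers to avoid.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /internal/
Allow: /
"""

# Assumed operator-maintained list of paths that require authentication.
RESTRICTED_PREFIXES = ("/admin/", "/internal/", "/api/v1/debug")


def parse_sitemap_locs(xml_text):
    """Return the <loc> URLs from a sitemap urlset document, in document order."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter(f"{{{SITEMAP_NS}}}loc") if el.text]


def parse_robots_disallow(robots_text):
    """Return the Disallow path prefixes from a robots.txt body (all user agents)."""
    prefixes = []
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            prefixes.append(value.strip())
    return prefixes


def find_exposed_entries(sitemap_xml, robots_txt, restricted_prefixes):
    """Flag sitemap URLs whose path is under a disallowed or restricted prefix.

    Returns (url, reason) tuples so a CI job can fail the deployment and report
    exactly which entries leak restricted resources.
    """
    disallowed = parse_robots_disallow(robots_txt)
    findings = []
    for url in parse_sitemap_locs(sitemap_xml):
        path = urlparse(url).path or "/"
        for prefix in disallowed:
            if path.startswith(prefix):
                findings.append((url, f"robots.txt disallows {prefix}"))
                break
        else:  # not disallowed by robots.txt; check the explicit restricted list
            for prefix in restricted_prefixes:
                if path.startswith(prefix):
                    findings.append((url, f"restricted prefix {prefix}"))
                    break
    return findings


if __name__ == "__main__":
    for url, reason in find_exposed_entries(SAMPLE_SITEMAP, SAMPLE_ROBOTS, RESTRICTED_PREFIXES):
        print(f"EXPOSED {url}  ({reason})")
```

Run against the constructed data, the check reports the admin, internal and debug URLs and leaves the two public pages alone. The robots.txt cross-check is deliberate: a URL that the site disallows for crawlers yet advertises in its sitemap is a contradiction worth catching even before an access-control review, and the explicit prefix list covers paths that robots.txt never mentions because they were never meant to be discoverable at all.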
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 200
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019, rank 4: CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020, rank 7: CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021, rank 20: CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024, rank 17: CWE ID 200
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security
[9] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[13] Standards Mapping - Web Application Security Consortium Version 2.00 Fingerprinting (WASC-45)