Possible Database Name Disclosure - Vulnerability Database

Possible Database Name Disclosure

Description

The application exposes database names through error messages, configuration files, or other publicly accessible resources. Database names can provide attackers with valuable reconnaissance information about the application's backend infrastructure, making targeted attacks more effective.

This alert may be a false positive; manual confirmation is required.

Remediation

Take the following steps to prevent database name disclosure:

1. Review error handling: Ensure database errors are caught and generic error messages are displayed to users. Log detailed errors server-side only.

2. Secure configuration files: Move database configuration files outside the web root or restrict access using web server configurations:

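# Apache .htaccess example
# (extension list assumed to match the Nginx example below)
<FilesMatch "\.(ini|conf|config|yml|yaml)$">
  Require all denied
</FilesMatch>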

# Nginx example
location ~* \.(ini|conf|config|yml|yaml)$ {
  deny all;
}

3. Remove sensitive files: Delete any backup files, documentation, or configuration samples from production servers that may contain database names.

4. Implement custom error pages: Configure your application framework to use generic error pages that do not reveal technical details about the database or application structure.
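Steps 1 and 4 side by side, as an added example that is not part of the original page: a handler that echoes the driver error to the client, next to one that returns a generic message and logs the detail server-side. The handler names, the incident-reference format, and the SQLite schema name "shopdb" are assumptions made for illustration.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app.db")


def open_db():
    # Constructed sample: in-memory SQLite with a schema attached under the
    # hypothetical name "shopdb", standing in for a real backend database.
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS shopdb")
    return conn


def handler_leaky(conn, sql):
    """Before: the driver's error message is echoed to the client."""
    try:
        return 200, str(conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return 500, f"Database error: {exc}"  # body now names 'shopdb'


def handler_hardened(conn, sql):
    """After: generic body for the client, full detail in the server log."""
    try:
        return 200, str(conn.execute(sql).fetchall())
    except sqlite3.Error:
        incident = uuid.uuid4().hex[:12]
        # log.exception records the traceback and driver message server-side;
        # the incident id lets support match a user report to the log entry.
        log.exception("query failed incident=%s", incident)
        return 500, f"An internal error occurred. Reference: {incident}"


def demo():
    conn = open_db()
    bad_query = "SELECT id FROM shopdb.orders"  # table does not exist
    return handler_leaky(conn, bad_query), handler_hardened(conn, bad_query)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for status, body in demo():
        print(status, body)
```

The same failing query produces both responses; only the first response body contains the database name, while the second keeps it in the server log.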
