web.xml configuration file disclosure
Description
The WEB-INF/web.xml file is the deployment descriptor of a Java web application running on a servlet container such as Tomcat or Jetty. It declares servlet classes and their URL mappings, security constraints and roles, filters, and initialization parameters (which sometimes hold credentials or internal hostnames). The file should never be publicly reachable: servlet containers refuse direct requests for anything under WEB-INF. However, the application is vulnerable to path traversal, which lets an unauthenticated user read this file through directory traversal sequences (e.g., ../) or encoding variations (e.g., URL encoding, double URL encoding, Unicode encoding) that slip past the container's WEB-INF check. Disclosure of web.xml hands an attacker a map of the application's entry points and protected areas.
Remediation
Immediately configure the web server and application server to prevent access to files within the WEB-INF directory through path traversal techniques:
1. Verify servlet container configuration: Ensure your servlet container (Tomcat, Jetty, etc.) is properly configured to block direct access to WEB-INF and META-INF directories by default.
2. Implement input validation: Validate and sanitize all user input used in file path operations. Reject requests containing directory traversal sequences such as ../, ..\, and their encoded variants.
3. Add web server rules: Configure your web server (Apache, Nginx, IIS) to explicitly deny access to sensitive directories:
Apache (.htaccess or httpd.conf, 2.4 syntax):

    <LocationMatch "^/WEB-INF/.*">
        Require all denied
    </LocationMatch>

Nginx:

    location ~* ^/WEB-INF/ {
        deny all;
        return 404;
    }

These rules match the decoded, normalized request path on the reverse proxy, so they are a second layer in front of the container, not a replacement for the container's own WEB-INF protection (step 1) or for fixing the traversal in the application (step 2).

4. Use a Web Application Firewall (WAF): Deploy a WAF with rules to detect and block path traversal attempts.
5. Update and patch: Ensure your servlet container and web server are running the latest stable versions with all security patches applied.
6. Test thoroughly: After implementing fixes, verify that the web.xml file cannot be accessed using various encoding techniques and traversal patterns.
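The following is an added example illustrating step 2 (and the kind of probes step 6 asks for); it is not code from the scanner or from any servlet container. Rejecting the literal string "../" is not enough, because the same traversal can be expressed as ..%2f, %252e%252e/ or ..\; the robust check is to canonicalize the resolved path and require that it stays under the document root and outside WEB-INF and META-INF. The class name SafePathResolver and the probe strings are assumptions made for this example; it needs Java 11 or later.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Resolves a client-supplied relative path against a fixed document root and
 * refuses anything that escapes it or reaches into WEB-INF / META-INF.
 * Example code for this finding (hypothetical class, not container code).
 */
public final class SafePathResolver {
    private final Path root;

    public SafePathResolver(Path root) throws IOException {
        // Canonicalise the root once so symlinks in it cannot confuse the prefix check.
        this.root = root.toRealPath();
    }

    /** Returns the canonical path to serve, or throws SecurityException. */
    public Path resolve(String requested) throws IOException {
        if (requested == null || requested.indexOf('\0') >= 0) {
            throw new SecurityException("null byte in path");
        }
        // The container decodes the URI once. Decode once more: if that changes
        // the string, the client sent a double-encoded traversal.
        String once, twice;
        try {
            once = URLDecoder.decode(requested, StandardCharsets.UTF_8);
            twice = URLDecoder.decode(once, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new SecurityException("malformed percent-encoding");
        }
        if (!once.equals(twice)) {
            throw new SecurityException("double-encoded path");
        }
        // Treat backslashes as separators so "..\" is not silently accepted.
        Path candidate = root.resolve(once.replace('\\', '/')).normalize();
        // Absolute inputs and ".." escapes both land outside the root here.
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes document root");
        }
        // Inside the root, the container's private directories stay off limits
        // (case-insensitive, as the container's own check is).
        for (Path segment : root.relativize(candidate)) {
            String name = segment.toString();
            if (name.equalsIgnoreCase("WEB-INF") || name.equalsIgnoreCase("META-INF")) {
                throw new SecurityException("access to " + name + " denied");
            }
        }
        // Follow symlinks in the final target and re-check the prefix.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(root)) {
                throw new SecurityException("symlink escapes document root");
            }
            return real;
        }
        return candidate;
    }

    // Builds a throw-away webapp layout and runs constructed probes against it.
    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("webapp");
        Files.createDirectories(tmp.resolve("WEB-INF"));
        Files.writeString(tmp.resolve("WEB-INF/web.xml"), "<web-app/>");
        Files.writeString(tmp.resolve("index.html"), "hello");
        SafePathResolver resolver = new SafePathResolver(tmp);
        String[] probes = {
            "index.html",                    // legitimate request: allowed
            "../WEB-INF/web.xml",            // plain traversal
            "..%2fWEB-INF/web.xml",          // URL-encoded slash
            "%252e%252e/WEB-INF/web.xml",    // double-encoded dots
            "..\\WEB-INF\\web.xml",          // backslash separators
            "web-inf/web.xml",               // case variation, no traversal
            "/WEB-INF/web.xml"               // absolute path
        };
        for (String p : probes) {
            try {
                System.out.println("ALLOW " + p + " -> " + resolver.resolve(p));
            } catch (SecurityException e) {
                System.out.println("DENY  " + p + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first probe is served; every other one is refused before any file is opened. Because the decision is made on the canonical path rather than on the raw string, new encoding tricks are handled by the same check, which is why this pattern is preferred over a growing blocklist of traversal sequences.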