CWE-402: Transmission of Private Resources

Overview

Transmission of private resources into a new sphere occurs when applications unintentionally expose private files, internal data structures, or restricted resources to unauthorized parties through web responses, API endpoints, or error messages. This includes serving files outside the webroot, exposing backup files (.bak, ~, .swp), returning internal data structures in API responses, or leaking private data through misconfigured proxies and load balancers.

OWASP Classification

A01:2025 - Broken Access Control

Risk

Medium to High: Can expose configuration files with credentials, source code revealing business logic and vulnerabilities, backup files with sensitive data, internal system information aiding reconnaissance, and private user data violating confidentiality requirements.

Remediation Steps

Core principle: Never serve files or data from outside designated public directories; implement strict access controls that default-deny and explicitly allowlist public resources.

Restrict File Serving to Public Directories

# VULNERABLE - serves any file
from flask import Flask, send_file

app = Flask(__name__)

@app.route('/download/<path:filename>')
def download(filename):
    return send_file(filename)  # Path traversal risk!

# SECURE - restrict to designated directory
import os
from flask import Flask, abort, send_file
from werkzeug.utils import secure_filename

app = Flask(__name__)
PUBLIC_DIR = os.path.realpath('/var/www/public')

@app.route('/download/<path:filename>')
def download(filename):
    # secure_filename strips separators and '..' components, so a request
    # for 'a/b.txt' is flattened to 'a_b.txt'; an empty result is rejected
    safe_name = secure_filename(filename)
    if not safe_name:
        abort(400)
    filepath = os.path.realpath(os.path.join(PUBLIC_DIR, safe_name))

    # Ensure the resolved path (symlinks included) is within PUBLIC_DIR.
    # Compare with a trailing separator so '/var/www/public_old' is not accepted.
    if not filepath.startswith(PUBLIC_DIR + os.sep):
        abort(403)

    if not os.path.isfile(filepath):
        abort(404)

    return send_file(filepath)
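The containment check is where most implementations of this rule go wrong. The following is an added, framework-free example (not code from the original page) that resolves a requested name against a public directory and rejects the three usual escapes: `..` traversal, a symlink inside the public directory that points outside it, and the prefix trick where a sibling directory such as `public_old` shares the public directory's name as a string prefix. The helper names `resolve_public_path` and `naive_check` are hypothetical, and `demo()` builds its own constructed directory layout in a temporary directory so the check can be exercised offline.

```python
import os
import tempfile
from pathlib import Path


def resolve_public_path(public_dir, requested):
    """Return the real on-disk path for `requested` if it lies inside
    `public_dir` after resolving '..', symlinks and name-prefix tricks,
    otherwise None. Hypothetical helper written for this example."""
    if "\x00" in requested or os.path.isabs(requested):
        # NUL bytes confuse the C-level path APIs; absolute paths would
        # ignore the base directory entirely. Reject both up front.
        return None
    base = Path(public_dir).resolve()
    candidate = (base / requested).resolve()  # follows symlinks and '..'
    # commonpath compares component-wise, so '/srv/public_old/x' is NOT
    # considered inside '/srv/public' (a plain startswith would accept it).
    if os.path.commonpath([base, candidate]) != str(base):
        return None
    if not candidate.is_file():
        return None
    return str(candidate)


def naive_check(public_dir, requested):
    """The startswith pattern seen in many snippets; kept here only to show
    the prefix trick it accepts."""
    base = os.path.realpath(public_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    return candidate.startswith(base)


def demo():
    """Build a constructed layout in a temp dir and exercise both checks."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        public = root / "public"
        public.mkdir()
        (public / "report.pdf").write_text("public content")
        (root / "public_old").mkdir()
        (root / "public_old" / "secret.txt").write_text("old backup")
        (root / "secrets.env").write_text("DB_PASSWORD=constructed")
        # A symlink inside the public tree that escapes it (e.g. left by a deploy script)
        (public / "link").symlink_to(root / "secrets.env")
        return {
            "normal": resolve_public_path(public, "report.pdf") is not None,
            "traversal": resolve_public_path(public, "../secrets.env") is None,
            "prefix_trick": resolve_public_path(public, "../public_old/secret.txt") is None,
            "symlink_escape": resolve_public_path(public, "link") is None,
            "absolute": resolve_public_path(public, "/etc/hostname") is None,
            "missing": resolve_public_path(public, "nope.txt") is None,
            "naive_accepts_prefix_trick": naive_check(public, "../public_old/secret.txt"),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

`demo()` returns True for every entry: the robust check refuses all five escape attempts, while `naive_check` happily accepts the `public_old` path because the resolved string starts with the public directory's name.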

Disable Directory Listings

# Apache - disable directory browsing
Options -Indexes

# Nginx
autoindex off;

Remove Backup and Temporary Files

Prevent serving of:

  • Backup files: *.bak, *.old, *~, *.swp, *.tmp
  • Version control: .git/, .svn/, .hg/
  • Configuration: .env, .config, web.config
  • Editor and OS metadata files: .DS_Store, Thumbs.db

# Remove from webroot
find /var/www -name "*.bak" -delete
find /var/www -name ".git" -type d -exec rm -rf {} +
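Deleting in place is the last step; the step before it is knowing what is there, ideally as a check that runs in CI or before every deploy. The following is an added example (not from the original page) that walks a webroot and reports every file or directory matching the categories listed above, without deleting anything. The function name `find_exposed_artifacts` and the pattern lists are hypothetical, and `demo()` constructs a small sample webroot in a temporary directory.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Names that should never exist under a webroot (constructed for this example,
# mirroring the categories above).
FILE_PATTERNS = ("*.bak", "*.old", "*~", "*.swp", "*.tmp",
                 ".env", ".config", "web.config", ".DS_Store", "Thumbs.db")
DIR_PATTERNS = (".git", ".svn", ".hg")


def find_exposed_artifacts(webroot):
    """Walk `webroot` and return the sorted relative paths of files and
    directories that should not be served. Reports only; deletes nothing."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for d in list(dirnames):
            if any(fnmatch.fnmatchcase(d, p) for p in DIR_PATTERNS):
                hits.append(os.path.relpath(os.path.join(dirpath, d), webroot) + "/")
                dirnames.remove(d)  # the whole tree is one finding; do not descend
        for f in filenames:
            if any(fnmatch.fnmatchcase(f, p) for p in FILE_PATTERNS):
                hits.append(os.path.relpath(os.path.join(dirpath, f), webroot))
    return sorted(hits)


def demo():
    """Create a constructed webroot with a mix of legitimate and leaked files."""
    sample = ["index.html", "app.js", "assets/logo.png",
              "config.php.bak", "index.html~", ".env", "notes.swp",
              "assets/.DS_Store", ".git/HEAD", ".git/objects/aa/bb"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed")
        return find_exposed_artifacts(root)


if __name__ == "__main__":
    for hit in demo():
        print("exposed:", hit)
```

Run against the real webroot with `find_exposed_artifacts('/var/www')` and fail the pipeline on a non-empty result; the `.git/` entry is reported once as a directory rather than as hundreds of object files.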

Filter API Responses

// VULNERABLE - exposes internal fields
// `User` is the application's data-access model (e.g. a Mongoose model)
app.get('/api/user/:id', async (req, res) => {
    const user = await User.findById(req.params.id);
    res.json(user);  // Includes password hash, internal IDs!
});

// SECURE - use DTO to filter fields
app.get('/api/user/:id', async (req, res) => {
    const user = await User.findById(req.params.id);
    if (!user) {
        return res.status(404).json({ error: 'not found' });
    }
    // Allowlist: copy only the fields that are meant to be public
    const publicUser = {
        id: user.id,
        name: user.name,
        email: user.email
        // Excludes: passwordHash, internalId, createdIP, etc.
    };
    res.json(publicUser);
});
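The reason to build the DTO as an allowlist rather than stripping known-sensitive fields is that a model grows over time. The following is an added Python example (not from the original page; the page's snippet is Express, but the point is language-independent) that compares the two approaches against a user record that later gains an `mfa_secret` field: the denylist filter silently leaks it, the allowlist DTO does not. `PublicUser`, `to_public` and `denylist_filter` are hypothetical names, and the record is constructed.

```python
from dataclasses import asdict, dataclass, fields


@dataclass(frozen=True)
class PublicUser:
    """The only fields an API response may carry; everything else is dropped."""
    id: int
    name: str
    email: str


def to_public(record):
    """Allowlist serialisation: copy exactly PublicUser's declared fields.
    A missing field raises KeyError so a schema mismatch is loud, not silent."""
    return asdict(PublicUser(**{f.name: record[f.name] for f in fields(PublicUser)}))


# The denylist approach: enumerate what must NOT be returned.
DENYLIST = {"password_hash", "internal_id", "created_ip"}


def denylist_filter(record):
    return {k: v for k, v in record.items() if k not in DENYLIST}


# Constructed record. `mfa_secret` is a field added to the model after the
# denylist was written, which is exactly the situation that leaks.
USER_RECORD = {
    "id": 42,
    "name": "Alice Example",
    "email": "alice@example.test",
    "password_hash": "$2b$12$constructedhashvalue",
    "internal_id": "usr_0000000042",
    "created_ip": "198.51.100.7",
    "mfa_secret": "CONSTRUCTEDBASE32SECRET",
}


def compare(record=USER_RECORD):
    """Return which sensitive keys each approach lets through."""
    sensitive = {"password_hash", "internal_id", "created_ip", "mfa_secret"}
    return {
        "denylist_leaks": sorted(sensitive & denylist_filter(record).keys()),
        "allowlist_leaks": sorted(sensitive & to_public(record).keys()),
    }


if __name__ == "__main__":
    print(compare())
```

Wiring `to_public` into a handler keeps the response shape under the API's control instead of the storage layer's, so a new column never reaches a client until someone deliberately adds it to `PublicUser`.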

Configure Web Server Properly

# Nginx - deny access to hidden files and directories
# Note: this also matches /.well-known/ (used for ACME certificate challenges);
# add a more specific location block for it if that path must stay reachable
location ~ /\. {
    deny all;
}

# Deny access to specific file types (add others used in your deployment, e.g. old, swp, tmp)
location ~* \.(bak|config|sql|log)$ {
    deny all;
}

Dynamic Scan Guidance

For guidance on remediating this CWE when detected by dynamic (DAST) scanners:

Additional Resources