CWE-530: Exposure of Backup File to an Unauthorized Control Sphere

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected backup, metadata or source artifacts reachable in the web root or other public directories. The evidence consists of HTTP GET requests for predictable file names (config.php.bak, web.config.old, .git/, database.sql.backup, .DS_Store) that returned real content: source code, configuration files or database dumps served without any authentication or authorization check.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-530 typically indicate that source code or related files were directly accessible at runtime, such as:

  • Backup or temporary files containing source code
  • Configuration files exposed via the web root
  • Version control directories accessible over HTTP
  • Source maps revealing original source code

The evidence is the content returned for a request to a file that should not be publicly available; it does not depend on request parameters or injected payloads. A 200 status on its own is not the finding, since many sites answer unknown paths with a 200 "not found" page. The scanner reports the file because the body it received is recognizably source, configuration, a dump or repository metadata.

Mapping DAST Findings to Source Code

CWE-530 does not map to a specific function or endpoint. The issue resides in what gets deployed into the web root and in what the web server is willing to serve from it.

When tracing this issue, review:

  • Which directories are served as static content
  • Build or deployment processes that copy source or backup files into public paths
  • Framework or server defaults that expose source maps or metadata
  • CI/CD artifacts unintentionally included in production deployments

Remediation

Core Principle: Never allow application source code, configuration, or build artifacts to be accessible through public interfaces; the server should serve only the runtime assets that are explicitly intended to be public. Denying a handful of extensions (.bak, .old) is not sufficient on its own, because backup naming conventions vary; treat the deployed web root as an allow-list of known assets and keep everything else out of it in the first place.
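One way to enforce that principle before the server is ever involved is a pre-deploy gate that inspects the build output and refuses to ship it while backup copies, dumps, source maps or version-control metadata are present. The script below is an added example written for this page, not code from any DAST vendor or framework; the filename patterns, the metadata directory names and the sample tree it builds are constructed for illustration and should be tuned to your own deployment.

```python
"""Pre-deploy gate: refuse to ship a web root that still contains backup
copies, editor leftovers, dumps, source maps or version-control metadata.

This is an added example written for this page, not code from any DAST
vendor or framework. The filename patterns, the directory names and the
sample tree built below are constructed for illustration."""
import os
import re
import sys
import tempfile
from pathlib import Path

# Filename patterns matched against the base name only (case-insensitive).
BACKUP_NAME_RE = re.compile(
    r"\.(bak|old|orig|save|swp|swo|tmp|backup)$"          # config.php.bak, web.config.old
    r"|~$"                                                # editor backup: index.php~
    r"|^#.*#$"                                            # emacs autosave: #index.php#
    r"|\.(sql|sql\.gz|tar|tar\.gz|tgz|zip)$"              # dumps and archives
    r"|\.map$"                                            # JS/CSS source maps
    r"|^\.(env|htpasswd|ds_store)$|^\.env\.",             # dotfiles with secrets or metadata
    re.IGNORECASE,
)

# Directories that are tooling or version-control metadata, never runtime assets.
METADATA_DIRS = {".git", ".svn", ".hg", ".idea", ".vscode", "node_modules"}


def offending_paths(web_root):
    """Return the sorted, web_root-relative paths that must not be deployed.

    A metadata directory is reported once (with a trailing slash) and not
    descended into, so the report stays short.
    """
    root = Path(web_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in dirnames:
            if d.lower() in METADATA_DIRS:
                found.append(str(rel_dir / d) + "/")
        # Prune in place so os.walk does not enter the metadata directories.
        dirnames[:] = [d for d in dirnames if d.lower() not in METADATA_DIRS]
        for f in filenames:
            if BACKUP_NAME_RE.search(f):
                found.append(str(rel_dir / f))
    return sorted(found)


def gate(web_root):
    """Return (deployable, report); deployable is False if anything must be removed."""
    report = offending_paths(web_root)
    return (not report, report)


def build_sample_tree():
    """Create a constructed web root mixing real assets with leaks; return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    sample_files = [
        "index.html", "app/config.php", "static/app.js",        # legitimate runtime assets
        "app/config.php.bak", "web.config.old", "index.php~",   # backup copies
        "static/app.js.map", ".DS_Store", "dump/database.sql.backup",
        ".git/HEAD", ".git/config",                             # version-control metadata
    ]
    for rel in sample_files:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder\n")
    return root


if __name__ == "__main__":
    # Usage: python gate.py /path/to/build/output  (defaults to the constructed sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    deployable, report = gate(target)
    print("deployable" if deployable else "BLOCKED: remove these before deploying")
    for path in report:
        print("  ", path)
    sys.exit(0 if deployable else 1)
```

Run it as the last step of the build job, pointing at the directory that will become the web root; a non-zero exit stops the pipeline. The pattern list deliberately errs toward false positives (an unexpected match is a minute of review; an unexpected miss is a leaked config), and the metadata directories are reported once and pruned rather than listed file by file.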

Verification and Follow-Up Testing

After applying the fix:

1. Verify Static File Exposure

  • Confirm source code, configuration, and backup files are not accessible over HTTP
  • Validate only intended runtime assets are served

2. Test Edge Cases

  • Alternative file extensions or backup naming conventions (.bak, .old, .orig, a trailing ~, numbered copies) applied to every known file, not only the ones the scanner reported
  • Build artifacts and source maps
  • Version control metadata

Re-run DAST Scanner

Re-run the dynamic scanner to confirm no sensitive files are accessible.

Additional Resources