CWE-538: File and Directory Information Exposure
Overview
This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that sensitive information was stored in publicly accessible files or directories. Evidence includes the discovery of sensitive data in log files, configuration files, or data files reachable via HTTP requests (e.g., /logs/app.log, /config/database.yml, /data/users.csv). The responses contain credentials, PII, session tokens, or internal system details.
Analyzing the Dynamic Scan Result
Mapping DAST Findings to Source Code
CWE-538 does not map to a single vulnerable parameter or endpoint. The issue resides in how file system information is exposed through application responses or static file handling.
When tracing this issue, review:
- Static file serving configuration
- Directory indexing settings in web servers or frameworks
- Error handling that includes file system paths
- APIs that return file or directory metadata
- Deployment defaults that expose internal directories
Remediation
Core Principle: Never expose internal file system structure, directory listings, or file metadata through public interfaces; only explicitly intended resources may be visible at runtime.
Verification and Follow-Up Testing
After applying the fix:
1. Verify File and Directory Exposure
- Confirm directory listings are disabled
- Ensure file paths and metadata are not included in responses
2. Test Edge Cases
- Error handling paths
- Static file serving locations
- APIs returning file or directory information
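The verification steps above can be automated against captured responses. The following is an added example, not part of the original guidance: a small Python checker that flags the CWE-538 symptoms this page describes (directory index pages, reachable log/config/data locations, leaked file system paths, and key/value secrets in bodies). The signature lists and sensitive prefixes are assumptions to tune for your stack, and the sample responses are constructed to stand in for what a DAST crawler would fetch.

```python
import re

# Title patterns of auto-generated index pages (assumption: covers Apache, nginx
# and Python's http.server; extend for your stack).
DIR_LISTING_RE = re.compile(r"<title>\s*(Index of|Directory listing for)\s+/", re.I)
# Absolute file system paths leaking from stack traces or error pages.
FS_PATH_RE = re.compile(r"/(?:var|etc|home|usr|opt|srv)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+")
# Key/value secrets typical of config files and logs.
SECRET_RE = re.compile(r"\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+", re.I)
# URL prefixes that must never answer 200 on a production host (assumed list).
SENSITIVE_PREFIXES = ("/logs/", "/config/", "/data/", "/backup/", "/.git/")


def check_response(path, status, body):
    """Return a list of (finding, evidence) pairs for one HTTP response."""
    findings = []
    if status == 200 and path.startswith(SENSITIVE_PREFIXES):
        findings.append(("sensitive-location-reachable", path))
    m = DIR_LISTING_RE.search(body)
    if m:
        findings.append(("directory-listing", m.group(0)))
    m = FS_PATH_RE.search(body)
    if m:
        findings.append(("filesystem-path-disclosed", m.group(0)))
    m = SECRET_RE.search(body)
    if m:
        findings.append(("secret-in-body", m.group(0)))
    return findings


def scan(responses):
    """Map each (path, status, body) triple to its findings; clean responses yield []."""
    return {path: check_response(path, status, body) for path, status, body in responses}


# Constructed sample responses standing in for what a DAST crawler would fetch.
SAMPLE_RESPONSES = [
    ("/logs/", 200, "<html><head><title>Index of /logs</title></head>"
                    "<body><a href='app.log'>app.log</a></body></html>"),
    ("/config/database.yml", 200, "production:\n  adapter: postgresql\n"
                                  "  password: s3cr3t-example\n"),
    ("/api/report", 500, "Traceback (most recent call last):\n"
                         "  File \"/var/www/app/report.py\", line 12, in build\n"),
    ("/index.html", 200, "<html><head><title>Welcome</title></head></html>"),
]

if __name__ == "__main__":
    for path, found in scan(SAMPLE_RESPONSES).items():
        print(path, "->", found or "clean")
```

Pattern matching of this kind is a heuristic: it confirms that a specific fix removed a specific symptom, and does not replace the full re-scan.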
Re-run DAST Scanner
Re-run the dynamic scanner to confirm file and directory information is no longer exposed.