Source code disclosure attacks allow a malicious user to obtain the source code of a server-side application. This vulnerability grants the attacker deeper knowledge of the Web application logic.
Attackers use source code disclosure attacks to try to obtain the source code of server-side applications. The basic role of Web servers is to serve files as requested by clients. Files can be static, such as image and HTML files, or dynamic, such as ASP, JSP and PHP files. When the browser requests a dynamic file, the Web server first executes the file and then returns the result to the browser. Hence, dynamic files are actually code executed on the Web server.
Using a source code disclosure attack, an attacker can retrieve the source code of server-side scripts, such as ASP, PHP and JSP. Obtaining the source code of server-side scripts grants the attacker deeper knowledge of the logic behind the Web application, how the application handles requests and their parameters, the structure of the database, vulnerabilities in the code and source code comments. Having the source code, and possibly a duplicate application to test on, helps the attacker to prepare an attack on the application.
An attacker can cause source code disclosure using one of the following techniques:
- using known source disclosure vulnerabilities
- exploiting a vulnerability in the application which may allow source disclosure
- exploiting detailed error messages, which may sometimes include source code
- using other types of known vulnerabilities which may be useful for source disclosure (such as Directory Traversal)
For example, consider a Web site running Microsoft Internet Information Server (IIS). By sending the following URL to the Web server:
The attacker may be able to retrieve the source code of the requested .asp file. This occurs because of a vulnerability in the IIS server's handling of .asp files, which allows a remote attacker to obtain their source code. If IIS is installed on a FAT partition and an attacker sends a Unicode-encoded request for an .asp file (%61%73%70 is a Unicode encoding of "asp"), the IIS server does not recognize it as an ASP file and therefore does not execute it, but instead passes the ASP source code to the Web browser.
Another way to retrieve ASP source code is by using a default sample file that ships with the IIS server, called ShowCode.asp. This file, intended for demonstration and debugging purposes, receives an ASP file name as a parameter and returns its source code. All the attacker has to do is specify the correct file name and directory path as a parameter to showcode.asp in the URL in the browser. For example, the URL below would let an attacker view the code contained within default.asp:
By using a series of "../" sequences, it is also possible to read files from other directories on the server (see Directory Traversal).
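Both IIS cases above (the percent-encoded ".asp" extension that bypasses the script handler, and a request for the ShowCode.asp sample file carrying "../" in its parameter) leave a recognisable trace in the Web server access log. The following Python script is an added example written for this page, not code from the original text or from any vendor: it decodes each requested path (including double-encoded forms), and flags requests whose decoded extension is a server-side script extension while the raw extension is not, requests for known sample/debug scripts, and traversal sequences in query parameter values. The log lines, the `/samples/` directory, the `source` parameter name and the target file are constructed for the demonstration and are not taken from the page.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Extensions the Web server executes rather than serves as plain files.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".php", ".jsp"}
# Demonstration scripts that should not be reachable on a production server.
SAMPLE_SCRIPTS = {"showcode.asp"}

# Constructed Common Log Format lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /default.asp HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /default.%61%73%70 HTTP/1.1" 200 2048
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /samples/showcode.asp?source=/samples/../../../../example.ini HTTP/1.1" 200 300
10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /images/logo.png HTTP/1.1" 200 9000
"""

# Extracts the request target ("GET <target> HTTP/x.y") from a CLF line.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def full_decode(s: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so a double-encoded name (%2561 -> %61 -> a) is resolved too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def extension(path: str) -> str:
    """Lower-cased extension of the last path segment, '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def analyze_target(target: str) -> list[str]:
    """Return the list of source-disclosure indicators found in one request target."""
    findings = []
    parts = urlsplit(target)
    raw_path = parts.path
    decoded_path = full_decode(raw_path)

    # 1. The decoded name is a script, but the raw (as-sent) name is not:
    #    the handler mapping may be bypassed and the file served as text.
    if extension(decoded_path) in SCRIPT_EXTENSIONS and extension(raw_path) not in SCRIPT_EXTENSIONS:
        findings.append("encoded-script-extension")

    # 2. A request for a sample/debug script such as showcode.asp.
    if decoded_path.rsplit("/", 1)[-1].lower() in SAMPLE_SCRIPTS:
        findings.append("sample-script-request")

    # 3. Traversal sequences in any query parameter value (backslashes normalised,
    #    value decoded again to catch double encoding).
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        v = full_decode(value).replace("\\", "/")
        if "../" in v or v.endswith(".."):
            findings.append("traversal-in-parameter")
            break
    return findings


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (target, findings) for every log line that has at least one indicator."""
    results = []
    for line in text.splitlines():
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        findings = analyze_target(m.group("target"))
        if findings:
            results.append((m.group("target"), findings))
    return results


if __name__ == "__main__":
    for target, findings in scan_log(SAMPLE_LOG):
        print(target, "->", ", ".join(findings))
```

Run against the constructed log, the script reports the encoded `/default.%61%73%70` request and the showcode.asp request with a traversal in its parameter, and stays silent on the plain `/default.asp` and image requests. The comparison of decoded against raw extension is the core check: a legitimate client has no reason to percent-encode the letters of a file extension, so a mismatch is a strong, low-noise indicator on its own, while the traversal and sample-script checks add context for the second technique described above.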