Source Code Leakage

Medium Web Application Scanning Plugin ID 98779


Source Code Leakage


Scanner has detected server-side source code within the server's response.

A modern web application will be reliant on several different programming languages. These languages can be broken up in two flavours. These are client-side languages (such as those that run in the browser -- like JavaScript) and server-side languages (which are executed by the server -- like ASP, PHP, JSP, etc.) to form the dynamic pages (client-side code) that are then sent to the client.

Because all server side code should be executed by the server, it should never be seen by the client, however in some scenarios it is possible that the server has a misconfiguration or the server side code has syntax errors, and therefore is not executed by the server but is instead sent to the client. As the server-side source code often contains sensitive information, such as database connection strings or details into the application workflow, this can be extremely risky.

Cyber-criminals will attempt to discover pages that either accidentally or forcefully allow the server-side source code to be disclosed, to assist in discovering further vulnerabilities or sensitive information.


It is important that the server does not deliver server side code to the client, and the server misconfiguration or server code should be changed to prevent this.

Plugin Details

Severity: Medium

ID: 98779

Type: remote

Published: 2019/12/19

Updated: 2020/07/06

Scan Template: api, scan, pci

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference Information