In my .NET web applications I usually have a Scripts folder that contains all of my JavaScript files – jQuery mostly these days, with the occasional JavaScript library of some sort or another.
I’m running vulnerability scans against one of my websites through a scanner called Nexpose, and it informed me that the Scripts folder is open to the world – meaning unauthenticated users can download the JavaScript files contained in the folder and that this is a critical vulnerability. According to Nexpose, the Scripts folder should be restricted to only allow authenticated users to access it. Which leads me to my first question.
How do I restrict the Scripts folder to only authenticated users? I tried placing a web.config file into the Scripts folder and denying access to all unauthenticated users that way, but it didn’t work. I was able to determine this myself but going to my website’s login page, but not logging in, and then typing https://mywebsite/scripts/menubar.js and sure enough it allowed me to download the menubar.js file.
Second question – Why is this considered a vulnerability? I’ve tried to reason my way through the possibilities here, but I’ve failed to come up with much at all. Is it a vulnerability simply because Joe the l33t h4x0r could figure out the various libraries that I’m using and then maybe use known exploits against them?
Update
Overwhelmingly the answer seems to be that in no way should a vulnerability exist just because a .js file can be opened and read on the client’s browser. The only vulnerability that might exist would be if the developer were using the .js file in an insecure fashion of some sort (which I’m not).
Logically, you wouldn’t want to actually disallow access to the actual files because then you couldn’t use them in your webpage. The webserver makes no distinction between a browser requesting a file as part of the process of rendering a webpage versus someone just manually downloading the file.
As a result, the answer to your first question is: you can’t and wouldn’t want to. If you don’t want users to access take it out of the web folder. If it’s required to render your site, then you want anyone to have access to it so your site can render properly.
As to why it’s considered a vulnerabiliy, who’s saying it is? I can go pull any JavaScript Facebook uses right now. Or, more to the point, I could go to Bank of America or Chase’s website and start looking through their JavaScript. If I had an account, I could even take a look at the JavaScript used once the user is logged in.
The only thing that you might need to worry about is the same thing you always need to worry about: exposing details that shouldn’t be exposed. I’m not sure why you would, but it obviously wouldn’t be a good idea to put your database password in a JavaScript file, for example. Other than things like that, there’s nothing to worry about.