- Method naming: The name of methods leak the implementation details and the underlying technology used. This could be used by hackers for planning attacks. For example, the method such as “doElasticSearch”. This represents that ElasticSearch is used for the search.
- File naming: The name of files represented the models and related structure/relationship. This may not be the best way of naming the files. This information could be used by hackers.
- Access permissions: All of the assets could be accessed from this webpage.
Security Vulnerabilities Fixes
The following could be used to fix the security vulnerabilities mentioned above:
- Avoid naming methods based on underlying technologies. For example, methods such as “doElasticSearch” provide the information that ElasticSearch may be used within for searching.
- Set appropriate access permissions to the different folders in assets. This is a key way of controlling the privacy of website’s assets.
- The name of the JS files should be named appropriately, preferably, in a cryptic manner such that internal models could not be comprehended using the file names.