SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-219 Sensitive Data Under Web Root

Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.

What this means

SiteShadow flagged sensitive files being stored in a location that can be served by the web server (under the web root). If the path is guessable or indexed, the data can be downloaded without authentication.

Why it matters

Web-exposed files can be accessed without authentication.

Safer examples

1) Store secrets and uploads outside web root

Keep sensitive storage in non-public directories and serve through authenticated handlers when needed.

2) Use separate buckets/paths for public assets vs private data

Static assets can be public; uploads/backups/exports should not share that namespace.

3) Add server-side deny rules (defense-in-depth)

Configure your web server to deny access to sensitive patterns (.env, backups, logs) even if mislocated.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.