DAST issue: Hidden Directory Detected

Our security test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.

GET /.svn/ HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: loki-sgi.platform.saas.ibm.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 0

HTTP/1.1 403 Forbidden
Date: Mon, 17 Jun 2024 01:38:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: max-age=15
Expires: Mon, 17 Jun 2024 01:38:47 GMT
Server: cloudflare
CF-RAY: 894f521a08b40854-IAD

The response should be 404 – no page.

Grafana version 10.4.2
grafana 2.9.7

Both for the Loki and Grafana endpoints.

Are you sure that response is generated by Grafana/Loki? http://loki-sgi.platform.saas.ibm.com/.svn/

You can visit whatever on that subdomain http://whatever.platform.saas.ibm.com/.svn/ and the response is the same.

That is a response from Cloudflare, not Grafana/Loki, so it is not a Grafana/Loki issue (if you think that's a security issue).
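The control check described in the reply, as an added triage example that is not part of this issue or of Grafana/Loki: the 403 quoted above is compared with the answer to the same request on an unrelated subdomain, and the finding is only attributed to the application when the two differ. The sample responses are constructed from the headers quoted in the issue; the control response is assumed identical to the target, as the reply reports, and the origin 404 sample is hypothetical.

```python
def parse_response_head(raw: str) -> tuple[int, dict]:
    """Parse the status line and headers of a raw HTTP/1.1 response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

# Headers an application sets itself when it answers. Note that "Server: cloudflare"
# and "CF-RAY" are present on proxied origin responses too, so those two alone do
# not show that the edge generated the 403; the control comparison does.
COMPARE = ("content-type", "cache-control", "x-frame-options", "referrer-policy")

def same_generic_response(target: str, control: str) -> bool:
    """True when target and control carry the same status and the same app headers."""
    t_status, t_headers = parse_response_head(target)
    c_status, c_headers = parse_response_head(control)
    if t_status != c_status:
        return False
    return all(t_headers.get(h) == c_headers.get(h) for h in COMPARE)

def attributable_to_origin(target: str, control: str) -> bool:
    """False when an unrelated subdomain gets the identical answer (edge-generated),
    True when the response differs and therefore says something about the app."""
    return not same_generic_response(target, control)

# Constructed sample: the 403 quoted in the issue (headers as reported).
TARGET = """HTTP/1.1 403 Forbidden
Date: Mon, 17 Jun 2024 01:38:32 GMT
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: max-age=15
Server: cloudflare
CF-RAY: 894f521a08b40854-IAD
"""
# Constructed control: same request to a subdomain with no application behind it;
# assumed identical apart from the per-request ray id (placeholder value).
CONTROL = TARGET.replace("894f521a08b40854-IAD", "constructed-ray-id-IAD")
# Hypothetical origin answer for comparison: a 404 the application itself produced.
ORIGIN_404 = """HTTP/1.1 404 Not Found
Content-Type: application/json
Cache-Control: no-store
Server: cloudflare
CF-RAY: constructed-ray-id-IAD
"""
```

Run against the live hosts, the same comparison needs the control request sent to a hostname that resolves to the same edge but has no origin configured, which is what the reply's "whatever" subdomain provides.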