I was directory bruteforcing example.com and found example.com/Scripts to be forbidden (403). However, on further fuzzing, I could access a bunch of js files in this folder --> example.com/Scripts/main.js, example.com/Scripts/xyz.cookie.js, example.com/Scripts/respond.js and other jquery files. Now honestly, I dont understand JS and I am not sure if it may be sensitive or not. Is this an issue worth reporting, since the main Scripts folder was forbidden and I was not supposed to access the JS files in the first place?
See if these files have any sensitive info like api keys, hidden endpoints. If these files dont have any sensitive info then they dont worth reporting.
Yes R29k, this makes sense, I was thinking on these lines, but was also tempted to maybe report it because the directory was forbidden. I don’t think I should be reporting something just because it sits behind a 403 directory. Will check if there is sensitive info. Thanks for replying.
This might just mean that they explicitly allow access to those JS files for none authenticated users.
Which is actually not a bad practice since if they add a new file to that folder, access will be blocked until explicitly allowed.