# INSECURE JSP

Feature Value
Type Detection
Risk OWASP A6
Covered by Agent

The application has JSP files outside WEB-INF folder, which may cause their content to be leaked by an attacker.

Files in WEB-INF are not visible to users, therefore it is safer to put them inside. If, for example (albeit a rather contrived one), the application includes db.jsp, but by itself it throws an exception, a malicious user can open http://yoursite.com/db.jsp and get some insight on your application (worst - the database credentials) from the exception message.

## How to solve it

Place all JSP files inside WEB-INF folder.