zaproxy / zaproxy

The ZAP core project

Home Page: https://www.zaproxy.org


False positive in Single Page Application (SPA)

gabbsmo opened this issue

Describe the bug

I ran ZAP and got a warning "Hidden file found https://app.metashare.com/BitKeeper". Indeed, there is no BitKeeper file in wwwroot, but a GET request to this URL will return our index.html. All server side routes resolve to index.html since we rely on client side routing for the app. I believe this is a common pattern in modern web apps.

Steps to reproduce the behavior

Run the automated scan with classic spider.

Expected behavior

Perhaps https://host/BitKeeper should not be considered as a hidden file, if the response body is equal to that of https://host/.

Software versions

2.14.0

Screenshots

(screenshot: hidden_file)

Errors from the zap.log file

No response

Additional context

Also logged this issue with snallygaster

Would you like to help fix this issue?

  • Yes
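The expected behavior above (treat a 200 as a hidden file only when its body differs from what the site serves anyway) as an added example; this is not ZAP's own code, and the site data is constructed. It also compares against a canary path that cannot exist, which is an assumed extra check not proposed in the issue.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    body: bytes

# Constructed sample origins (not real hosts). SPA_SITE behaves like the
# reporter's app: the "*" entry is what any unmatched path returns, so
# /BitKeeper comes back 200 with index.html. One genuinely exposed file
# is included for contrast. STATIC_SITE answers unmatched paths with 404.
INDEX_HTML = b'<!doctype html><html><body><div id="root"></div></body></html>'
GIT_CONFIG = b"[core]\n\trepositoryformatversion = 0\n"
SPA_SITE = {"/": Response(200, INDEX_HTML), "/.git/config": Response(200, GIT_CONFIG),
            "*": Response(200, INDEX_HTML)}
STATIC_SITE = {"/": Response(200, b"<html>home</html>"), "/.git/config": Response(200, GIT_CONFIG),
               "*": Response(404, b"Not Found")}

def fetch(site, path):
    """Stand-in for an HTTP GET against the constructed site."""
    return site.get(path, site["*"])

def digest(body):
    return hashlib.sha256(body).hexdigest()

def fallback_digests(site, canary="/zap-baseline-should-not-exist-7f3a"):
    """Bodies the server returns for "nothing here": the root page, as the
    issue suggests, plus a canary path that cannot exist (an extra check
    assumed here, not proposed in the issue). Only 200s are recorded."""
    found = set()
    for path in ("/", canary):
        r = fetch(site, path)
        if r.status == 200:
            found.add(digest(r.body))
    return found

def is_hidden_file(site, path, baseline=None):
    """Raise the finding only for a 200 whose body is not a fallback body."""
    r = fetch(site, path)
    if r.status != 200:
        return False
    baseline = fallback_digests(site) if baseline is None else baseline
    return digest(r.body) not in baseline

def scan(site, candidates):
    baseline = fallback_digests(site)  # fetched once per host, not per candidate
    return [p for p in candidates if is_hidden_file(site, p, baseline)]
```

On SPA_SITE the catch-all index.html for /BitKeeper is recognised as fallback content and not reported, while /.git/config, whose body differs, still is.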

FYI ZAP is no longer an OWASP project.

Also you didn't run snallygaster or do anything related to the classic spider. Those alerts are raised by the Hidden File Finder active scan rule which was originally inspired by and drew some patterns/targets from snallygaster. (You should close your upstream issue, it isn't relevant to them.)

Thanks. I have closed the upstream issue and updated this bug description based on your feedback.

@gabbsmo can you clarify the behavior so that I ensure I fix it properly. Is there a redirect or does any unmatched request simply display the default site content?

@kingthorin unmatched requests show default contents. No redirects.

Thanks. I think I've got a plan to handle that.