Directory Listing

  • CAPEC 127
  • WASC 16
  • OWASP 2013-A5

Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file (index.html/home.html/default.htm/default.asp/default.aspx/index.php) is not present. When a user requests the main page of a web site, they normally type in a URL such as: - using the domain name and excluding a specific file. The web server processes this request and searches the document root directory for the default file name and sends this page to the client. If this page is not present, the web server will dynamically issue a directory listing and send the output to the client. Essentially, this is equivalent to issuing an ls (Unix) or dir (Windows) command within this directory and showing the results in HTML form. From an attack and countermeasure perspective, it is important to realize that unintended directory listings may be possible due to software vulnerabilities combined with a specific web request.

The following information could be obtained based on directory indexing data:

  • Backup files - with extensions such as .bak, .old or .orig
  • Temporary files - these are files that are normally purged from the server but for some reason are still available
  • Hidden files - with filenames that start with a "." period.
  • Naming conventions - an attacker may identify the composition scheme used by the web site to name directories or files. Example: Admin vs. admin, backup vs. back-up, etc...
  • Enumerate User Accounts - personal user accounts on a web server often have home directories named after their user account.
  • Configuration file contents - these files may contain access control data and have extentions such as .conf, .cfg or .config

Disable directory listings in the web server configuration by default.

Go Back to List

Search Vulnerability

You may also see