Vulnerability Fixation
Directory Listing Enabled

Directory Listing Enabled On Mentioned Path

Directory listing was found enabled on the following path(s). This can expose sensitive information, such as content or code, to a malicious user.

Vulnerability:

What is Directory listing?

Directory listing allows a client to see all the files under a folder served by the website. If an attacker can view these files (including source code), they can craft attacks to bypass security controls.

This could help the attacker escalate privileges and may lead to compromise of the web server.

If server configuration is weak, an attacker may:

  • Inject malicious files into the directory
  • Modify code to gain admin access
  • Alter the content of the web server

Directory listing can also be abused along with OS and server-level vulnerabilities to execute advanced attacks.

Solution:

Disabling Directory Listing on Tomcat Server:

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

Disabling Directory Listing on Nginx Server:

server {
    listen 80;
    server_name domain.com www.domain.com;
    access_log /var/...........................;
    root /path/to/root;
    location / {
        index index.php index.html index.htm;
        # other directives
    }
    location /somedir {
        autoindex off;
    }
}

Disabling Directory Listing on IIS Server:

(Settings can be modified from IIS Manager → Directory Browsing → Disable)

Disabling Directory Listing on Apache Web Server:

<Directory /{YOUR DIRECTORY}>
    Options FollowSymLinks
</Directory>
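
Checking that the settings above are actually in place (an added example, not part of the original page): this Python audit reads configuration text and reports a Tomcat `listings` parameter set to true, an nginx `autoindex on;`, or an Apache `Options` line that enables `Indexes`. The function names, sample configurations and the `/srv/www` path are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip an XML namespace such as '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]

def tomcat_listings_enabled(web_xml):
    """True if any <init-param> sets listings=true (the DefaultServlet switch)."""
    for node in ET.fromstring(web_xml).iter():
        if _local(node.tag) != "init-param":
            continue
        kv = {_local(c.tag): (c.text or "").strip() for c in node}
        if kv.get("param-name") == "listings" and kv.get("param-value", "").lower() == "true":
            return True
    return False

def nginx_autoindex_lines(conf):
    """1-based line numbers of 'autoindex on;' outside '#' comments."""
    return [n for n, line in enumerate(conf.splitlines(), 1)
            if re.search(r"\bautoindex\s+on\s*;", line.split("#", 1)[0])]

def apache_indexes_lines(conf):
    """1-based line numbers of Options directives that turn Indexes on."""
    hits = []
    for n, line in enumerate(conf.splitlines(), 1):
        tokens = line.split()
        if tokens and tokens[0].lower() == "options":
            # 'Indexes', '+Indexes' and 'All' enable listings; '-Indexes' does not.
            if any(t.lower() in ("indexes", "+indexes", "all") for t in tokens[1:]):
                hits.append(n)
    return hits

# Constructed sample inputs (not taken from any real server).
TOMCAT_WEAK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
</servlet></web-app>"""
NGINX_WEAK = "location /somedir {\n    # autoindex on;  (commented out: ignored)\n    autoindex on;\n}"
APACHE_WEAK = "<Directory /srv/www>\n    Options Indexes FollowSymLinks\n</Directory>"
APACHE_FIXED = "<Directory /srv/www>\n    Options FollowSymLinks\n</Directory>"

if __name__ == "__main__":
    print("tomcat listings enabled:", tomcat_listings_enabled(TOMCAT_WEAK))
    print("nginx autoindex on at lines:", nginx_autoindex_lines(NGINX_WEAK))
    print("apache Indexes on at lines:", apache_indexes_lines(APACHE_WEAK))
    print("apache fixed config hits:", apache_indexes_lines(APACHE_FIXED))
```

The checks are line-based and do not follow nginx `include` files or Apache `.htaccess` overrides, so run them against every configuration file the server loads.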
