Directory Listing
Directory Listing
Category: Broken Access Control
Severity: High
Description
Web servers can be configured to automatically list the contents of directories that do not have an index page present. This can aid an attacker by enabling them to quickly identify the resources at a given path, and proceed directly to analyzing and attacking those resources. It particularly increases the exposure of sensitive files within the directory that are not intended to be accessible to users, such as temporary files and crash dumps.
Impact
Sensitive Data Exposure
Remediation
There is not usually any good reason to provide directory listings, and disabling them may place additional hurdles in the path of an attacker. This can normally be achieved in two ways:
Configure your web server to prevent directory listings for all paths beneath the web root;
Place into each directory a default file (such as index.htm) that the web server will display instead of returning a directory listing.
https://portswigger.net/kb/issues/00600100_directory-listing
Last updated