Directory Listing Vulnerability - Cyber Sapiens Internship Task-16

What is Directory Listing Vulnerability?

Directory listing (also called auto-indexing) is a web server feature that, when a request targets a directory containing no index file (such as index.html or index.php), returns an automatically generated page listing that directory's files and subdirectories, usually with sizes and modification times. Leaving this feature enabled is dangerous because it is an information disclosure: it reveals file and directory names the site never links to and never meant to expose.

Example of Directory Listing

A user requests www.vulnweb.com/admin/. Because that directory has no index file, the server responds with a listing of the contents of the admin directory, as seen in the screenshot below.

What are some important files to look out for?

A directory listing on its own is a low-severity finding; the real impact comes from what the listed files contain. Items worth looking for in a listing include backup or editor copies of source files (for example .bak, .old, .orig or .swp files), configuration and environment files that hold credentials, API keys or database connection strings, database dumps and export files, log files, and version-control directories such as .git, since any of these can turn a simple disclosure into credential theft or full source-code access.

Why is Enumeration Important?

Unless directory listing is enabled across the whole server, a visitor has no direct way to learn which files and directories exist beyond those the site links to. An attacker therefore enumerates them by brute force: requesting each path from a wordlist in turn and recording every response that is not a 404. Directory listing makes this far more effective, because a single hit on a listable directory reveals every file inside it without further guessing. The attack is very noisy, however: a burst of sequential requests for non-existent paths shows up quickly in the server's access logs.
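The following is an added example to illustrate the enumeration described above; it is not code from the original article or its author. It walks a wordlist, skips 404s, and flags any 200 response whose body matches the markers produced by common auto-index implementations (Apache mod_autoindex, nginx autoindex, IIS directory browsing, Python's http.server), then pulls the exposed file names out of the listing. The fetch function is injectable, so the block runs offline here against a constructed fixture (the host target.example and its responses are made up); pass the real http_fetch to run it against a live target you are authorised to test.

```python
"""Wordlist-based directory enumeration with auto-index detection.

Added example for this article (not the author's code). The fetcher is
injectable so the logic can run offline against constructed responses.
"""
import re
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body)

# Strings emitted by common auto-index pages: Apache/nginx ("Index of /..."),
# IIS ("[To Parent Directory]") and Python http.server ("Directory listing for").
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
    re.compile(r"Directory listing for /", re.I),
)


def looks_like_listing(status: int, body: str) -> bool:
    """True when a successful response body is an auto-generated index page."""
    return status == 200 and any(m.search(body) for m in LISTING_MARKERS)


def extract_entries(body: str) -> List[str]:
    """Names linked from a listing page, minus navigation links.

    Drops column-sort links ("?C=N;O=D"), absolute links and the
    parent-directory link ("../" or "/"), which are not directory content.
    """
    hrefs = re.findall(r'href="([^"]+)"', body, re.I)
    return [h for h in hrefs if not h.startswith(("?", "/", "../"))]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live fetcher: GET the URL, return (status, first 64 KiB of the body)."""
    req = Request(url, headers={"User-Agent": "dirlist-check/0.1"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as exc:  # 4xx/5xx still carry a useful status code
        return exc.code, ""
    except URLError:
        return 0, ""


def enumerate_dirs(base: str, wordlist: List[str],
                   fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """Request base/<word>/ for each word and report everything that is not a 404.

    Every request lands in the target's access log, so this is deliberately
    sequential: the noise the article mentions is inherent to the technique.
    """
    findings: Dict[str, dict] = {}
    for word in wordlist:
        url = urljoin(base, word.strip("/") + "/")
        status, body = fetch(url)
        if status == 404:
            continue
        listing = looks_like_listing(status, body)
        findings[url] = {
            "status": status,
            "listing": listing,
            "entries": extract_entries(body) if listing else [],
        }
    return findings


# --- Constructed offline fixture: invented host and responses ---------------
SAMPLE_SITE = {
    # Apache-style auto-index for a directory with no index file
    "http://target.example/admin/": (200, (
        '<html><head><title>Index of /admin</title></head><body>'
        '<h1>Index of /admin</h1><table>'
        '<tr><th><a href="?C=N;O=D">Name</a></th></tr>'
        '<tr><td><a href="/">Parent Directory</a></td></tr>'
        '<tr><td><a href="config.php.bak">config.php.bak</a></td></tr>'
        '<tr><td><a href="users.csv">users.csv</a></td></tr>'
        '</table></body></html>')),
    # Directory that serves an index page: 200 but no listing
    "http://target.example/images/": (200, "<html><body>Gallery</body></html>"),
    # Directory that exists but is access-controlled
    "http://target.example/secret/": (403, ""),
}
WORDLIST = ["admin", "images", "backup", "secret", "uploads"]


def fake_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_SITE.get(url, (404, ""))


def demo() -> Dict[str, dict]:
    return enumerate_dirs("http://target.example/", WORDLIST, fetch=fake_fetch)


if __name__ == "__main__":
    for url, info in demo().items():
        flag = "LISTING" if info["listing"] else "no listing"
        print(f"{info['status']} {url} [{flag}] {' '.join(info['entries'])}")
```

The same detection logic is useful defensively: pointing it at your own hostnames with a short wordlist of common directory names (uploads, backup, admin, old) is a quick check that nothing is being auto-indexed.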

How to Mitigate Directory Listing Vulnerability?

There is rarely a good reason to serve directory listings, and disabling them places an additional hurdle in an attacker's path. This can normally be achieved in two ways:
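As an added example that is not part of the original article, here is the server-configuration side of the fix for Apache httpd, showing the setting that produces listings beside the hardened form. It assumes a document root of /var/www/html (an assumption; use the site's own path).

```apacheconf
<Directory "/var/www/html">
    # Before: "Indexes" enables mod_autoindex, so any directory that has no
    # DirectoryIndex file (index.html, index.php, ...) is listed to the client.
    # Options Indexes FollowSymLinks

    # After: remove Indexes. A request for a directory with no index file now
    # returns 403 Forbidden instead of a listing. Using the explicit +/- form
    # means a merged Options line elsewhere cannot silently re-add Indexes.
    Options -Indexes +FollowSymLinks

    # Keep .htaccess from re-enabling it (AllowOverride Options would allow that).
    AllowOverride None
    Require all granted
</Directory>
```

After `apachectl configtest` and a reload, verify with `curl -sI http://host/some-dir-without-index/`; the response should be 403 rather than 200 with an "Index of" body. On nginx the equivalent is `autoindex off;` (the default), and on IIS the Directory Browsing feature, which is also off by default. Disabling listings hides names, nothing more: a sensitive file whose name an attacker can guess is still downloadable, so the files themselves still need to be removed or access-controlled.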

References:

https://reboare.gitbooks.io/security/content/web-scanning.html

Profile Links:

Twitter: https://twitter.com/PrajitSindhkar?s=08

Prajit Sindhkar

I am an India-based Security Researcher, Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUGXS Community.