Directory Listing Vulnerability

3 min readFeb 16, 2022

Hello guys👋👋 ,Prajit here from the BUG XS Team and Cyber Sapiens United LLP Cybersecurity and Red Team Intern, in this I am regularly given some interesting tasks, In my sixteenth task I was given to research about Directory Listing Vulnerability.

What is Directory Listing Vulnerability?

Directory listing is a web server function that displays the directory contents when there is no index file in a specific website directory. It is dangerous to leave this function turned on for the web server because it leads to information disclosure.

A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible.

Directory listings themselves do not necessarily constitute a security vulnerability. Any sensitive resources within the web root should in any case be properly access-controlled, and should not be accessible by an unauthorised party who happens to know or guess the URL.

Example of Directory Listing

A user makes a website request to www.vulnweb.com/admin/. The response from the server includes the directory content of the directory admin, as seen in the below screenshot.

What are some important files to look out for?

As discussed above, the directory listing itself does not pose much of a security threat unless and until you find some sensitive information.

Look out for wp-config.php files in the listing as it contains sensitive information and credentials, .env files are also sensitive as they contain values of all environment variables and sensitive information available.

Apart from all this common files you can also just surf around the listing and find proper severity by thinking of ways an attacker can perform an exploit from the given information.

Why is Enumeration Important?

There is essentially no way for a user to know which files are found in which directories on a web-server, unless the whole server has directory listing by default. So the attacker can enumerate them by brute forcing hidden files and directories, by sequentially visiting pages defined in a wordlist. The attack is of course very noisy and will show up fast in the logs.

But enumeration lets us know what information is actually being disclosed and overall how much security problems it can cause. For eg, if you find a web directory listing vulnerability, you still can’t report it unless you get a proper impact and to find this impact you have to enumerate all the directories in it one by one.

How to Mitigate Directory Listing Vulnerability?

There is not usually any good reason to provide directory listings, and disabling them may place additional hurdles in the path of an attacker. This can normally be achieved in two ways:

● Configure your web server to prevent directory listings for all paths beneath the web root;

● Place into each directory a default file (such as index.htm) that the web server will display instead of returning a directory listing.

For Apache Web Server:

You can disable directory listing by setting the Options directive in the Apache httpd.conf file by adding the following line:

<Directory /your/website/directory>Options -Indexes</Directory>

You can also add this directive in your .htaccess files but make sure to turn off directory listing for your entire site, not just for selected directories.

For nginx:

Directory indexing is disabled by default in nginx so you do not need to configure anything.

However, if it was turned on before, you can turn it off by opening the nginx.conf configuration file and changing autoindex on to autoindex off.