Directory Listing

medium Web Application Scanning Plugin ID 98084

Synopsis

Directory Listing

Description

Web servers permitting directory listing are typically used for sharing files.

Directory listing allows the client to view a simple list of all the files and folders hosted on the web server. The client is then able to traverse each directory and download the files.

Cyber-criminals will utilise the presence of directory listing to discover sensitive files, download protected content, or even just learn how the web application is structured.

The scanner discovered that the affected page permits directory listing.

Solution

Unless the web server is being utilised to share static and non-sensitive files, enabling directory listing is considered a poor security practice.
Disabling it can typically be done with a simple configuration change on the server. The steps to disable the directory listing will differ depending on the type of server being used (IIS, Apache, etc.). If directory listing is required, and permitted, then steps should be taken to ensure that the risk of such a configuration is reduced.
These can include:
1. Requiring authentication to access affected pages.
2. Adding the affected path to the `robots.txt` file to prevent the directory contents being searchable via search engines.
3. Ensuring that sensitive files are not stored within the web or document root.
4. Removing any files that are not required for the application to function.
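
One way to confirm the configuration change described above, as an added example that is not part of the plugin or of any vendor tooling: the Python check below flags Apache `Options` directives that enable `Indexes` and IIS `web.config` files where `directoryBrowse` is enabled. The sample configurations and function names are constructed for illustration, and the check reads one file at a time without modelling how Apache merges directives across sections or `.htaccess` files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from any real server).
APACHE_WEAK = """\
<Directory "/var/www/html/files">
    Options Indexes FollowSymLinks
</Directory>
"""
APACHE_FIXED = """\
<Directory "/var/www/html/files">
    # Options Indexes would turn listings back on
    Options -Indexes +FollowSymLinks
</Directory>
"""
IIS_WEAK = """\
<configuration><system.webServer>
  <directoryBrowse enabled="true" />
</system.webServer></configuration>
"""
IIS_FIXED = IIS_WEAK.replace('"true"', '"false"')


def apache_listing_lines(conf):
    """Return (line_no, directive) for each Options line that enables Indexes."""
    hits = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):          # whole-line comments are ignored
            continue
        m = re.match(r"(?i)options\s+(.+)", line)
        if not m:
            continue
        flags = [f.lower() for f in m.group(1).split()]
        # "Indexes", "+Indexes" and "All" each switch mod_autoindex listings on.
        if any(f in ("indexes", "+indexes", "all") for f in flags):
            hits.append((no, line))
    return hits


def iis_listing_enabled(web_config):
    """True if any <directoryBrowse> element has enabled="true"."""
    root = ET.fromstring(web_config)
    return any(el.get("enabled", "").lower() == "true"
               for el in root.iter("directoryBrowse"))


if __name__ == "__main__":
    print("Apache weak :", apache_listing_lines(APACHE_WEAK))
    print("Apache fixed:", apache_listing_lines(APACHE_FIXED))
    print("IIS weak    :", iis_listing_enabled(IIS_WEAK))
    print("IIS fixed   :", iis_listing_enabled(IIS_FIXED))
```
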

See Also

https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Directory_Indexing

Plugin Details

Severity: Medium

ID: 98084

Type: remote

Family: Web Servers

Published: 2/4/2019

Updated: 11/26/2021

Scan Template: api, scan, pci, overview

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable
