CWE-548: Information Exposure Through Directory Listing
Overview
Information exposure through directory listing occurs when web servers or applications allow users to browse directory contents without an index file, revealing file names, directory structure, and potentially sensitive files. This vulnerability commonly results from misconfigured web servers (missing index.html, auto-index left enabled), frameworks exposing static file directories, or intentional directory browsing features without proper access controls. Attackers use directory listings to discover backup files, configuration files, source code, internal documentation, and other resources not intended for public access.
OWASP Classification
A01:2025 - Broken Access Control
Risk
Medium: Directory listings reveal application structure, enable discovery of backup/temporary files (.bak, .old, ~), expose configuration files, disclose internal file naming conventions, and may reveal source code or documentation. While not directly exploitable, this information significantly aids further attacks.
Remediation Steps
Core principle: Disable directory browsing on all web servers and application frameworks; require explicit index files for all publicly accessible directories.
Disable Directory Listing in Web Server
Apache:
```apache
# In .htaccess or httpd.conf
Options -Indexes

# Alternative: globally disable
<Directory />
    Options -Indexes
</Directory>
```
Nginx:
```nginx
# In nginx.conf or site config
autoindex off;

# Ensure in all location blocks
location / {
    autoindex off;
}
```
IIS:
```xml
<!-- In web.config -->
<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
```
Ensure Index Files Exist
Create index files in all directories:
```bash
# Create placeholder index.html for empty directories
find /var/www/html -type d -exec touch {}/index.html \;
```

```html
<!-- Minimal index.html -->
<!DOCTYPE html>
<html>
<head><title>403 Forbidden</title></head>
<body><h1>Access Denied</h1></body>
</html>
```
Configure Application Frameworks
Express.js:
```javascript
const express = require('express');
const app = express();

// VULNERABLE - directory listing enabled
const serveIndex = require('serve-index');
app.use('/files', serveIndex('public/files'));

// SECURE - serve files without directory listing
// express.static only serves files (and index.html where present); it never lists a directory
app.use('/files', express.static('public/files')); // No directory listing
```
Django:
```python
# settings.py - don't serve static files in production
DEBUG = False  # Disables automatic static file serving

# Use web server (nginx/Apache) to serve static files
# Never use django.views.static.serve in production
```
Flask:
```python
import os
from flask import Flask, render_template, abort
from flask_login import login_required, current_user

app = Flask(__name__)

# VULNERABLE - manual directory listing
@app.route('/files/')
def list_files():
    files = os.listdir('/var/www/files')
    return render_template('files.html', files=files)

# SECURE - remove directory listing endpoint entirely
# Or add authentication and authorization
# (this view replaces the vulnerable one above; register only one of them)
@app.route('/files/')
@login_required
def list_files():
    if not current_user.is_admin:
        abort(403)
    files = get_user_files(current_user)  # application's own per-user file lookup
    return render_template('files.html', files=files)
```
Remove Sensitive Files from Webroot
Don't store these in publicly accessible directories:
- Backup files: `*.bak`, `*.old`, `*~`
- Configuration: `.env`, `config.php`, `web.config`
- Source code: `.git/`, `.svn/`, `*.py`, `*.rb`
- Documentation: `README.md`, `INSTALL.txt`
- Database files: `*.db`, `*.sqlite`
Test for Directory Listing
```bash
# Test common directories
curl http://example.com/uploads/
curl http://example.com/images/
curl http://example.com/css/
curl http://example.com/js/

# Should return 403 Forbidden or redirect, not file listing
```
Monitor and Alert
Set up monitoring for:
- HTTP 200 responses to directory paths (should be 403)
- Automated scanning of directory structures
- Access patterns suggesting enumeration
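The two checks above (verifying that a directory URL does not return a listing, and watching access logs for enumeration) as an added example that is not part of the original page. It recognises auto-index pages by the markers Apache, nginx and IIS emit, and flags clients that received 200 for several distinct directory paths; the log lines, response bodies and the threshold of 3 are constructed for illustration.

```python
import re

# Markers carried by auto-generated index pages (Apache mod_autoindex,
# nginx autoindex, IIS directoryBrowse). Constructed list; extend as needed.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),     # Apache and nginx
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"Parent Directory", re.I),         # Apache
    re.compile(r"\[To Parent Directory\]", re.I),  # IIS
)

# Common/combined log format: client ip, request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_directory_listing(status, body):
    """True when a response to a directory URL looks like an auto-generated index."""
    if status != 200:
        return False
    return any(m.search(body) for m in LISTING_MARKERS)

def directory_hits(log_lines):
    """(path, ip) for each 200 response to a directory-style path (ends in '/', not the root)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("status") == "200" and path.endswith("/") and path != "/":
            hits.append((path, m.group("ip")))
    return hits

def enumeration_suspects(log_lines, threshold=3):
    """Client IPs that got 200 for at least `threshold` distinct directory paths."""
    seen = {}
    for path, ip in directory_hits(log_lines):
        seen.setdefault(ip, set()).add(path)
    return sorted(ip for ip, paths in seen.items() if len(paths) >= threshold)

# Constructed sample data (documentation address ranges, fake timestamps)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /uploads/ HTTP/1.1" 200 1534 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2025:13:55:37 +0000] "GET /images/ HTTP/1.1" 200 2210 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2025:13:55:38 +0000] "GET /js/?C=M HTTP/1.1" 200 987 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2025:13:56:01 +0000] "GET /css/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()
SAMPLE_BODY_LISTING = '<html><head><title>Index of /uploads</title></head><body><h1>Index of /uploads</h1><a href="/">Parent Directory</a></body></html>'
SAMPLE_BODY_PLACEHOLDER = '<!DOCTYPE html><html><head><title>403 Forbidden</title></head><body><h1>Access Denied</h1></body></html>'
```

Feed `is_directory_listing` the status and body from the curl checks, and run `enumeration_suspects` over the web server's access log on a schedule.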
Dynamic Scan Guidance
For guidance on remediating this CWE when detected by dynamic (DAST) scanners:
- Dynamic Scan Guidance - Analyzing DAST findings and mapping to source code