CWE-548: Information Exposure Through Directory Listing
Overview
This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that web server directories are configured to display directory listings when no index file is present. Evidence includes HTTP responses to directory URLs showing HTML directory indexes with file/folder listings, allowing attackers to discover sensitive files, backup files, source code, or configuration files. Responses show web server-generated directory browsing pages.
Analyzing the Dynamic Scan Result
What the DAST Scanner Found
DAST findings for CWE-548 typically indicate that directory listings were enabled at runtime, such as:
- Web directories returning file and subdirectory listings
- Index pages exposing file names, sizes, or timestamps
- Access to directories that should not be publicly browsable
Evidence is based on observed directory contents returned by the server, not on request parameters or payloads.
Mapping DAST Findings to Source Code
CWE-548 does not map to a specific endpoint or parameter. The issue resides in how directories are configured to be served by the application or web server.
When tracing this issue, review:
- Web server or framework directory indexing settings
- Static file serving configuration
- Default index or auto-listing behavior
- Deployment artifacts placed in web-accessible paths
Remediation
Core Principle: Never allow directory contents or internal filesystem structure to be listed or enumerated through public interfaces; only explicitly intended resources may be directly accessible.
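As an added example (not part of this guidance, and not any particular product's code), the following shows the default auto-listing behaviour of Python's stock static handler next to a hardened subclass that refuses to enumerate a directory while still serving explicitly requested files. The document root, file names and the probe helper are constructed for the demonstration.

```python
"""CWE-548 demo: the stock http.server static handler renders an index for any
directory that lacks index.html; NoListingHandler answers 403 instead."""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request


class QuietDefaultHandler(http.server.SimpleHTTPRequestHandler):
    """Unhardened default behaviour (auto-listing on), silenced for the demo."""

    def log_message(self, format, *args):
        pass


class NoListingHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files exactly as the stock handler does, but never render a
    directory index: only explicitly requested resources are reachable."""

    def list_directory(self, path):
        # send_head() calls this only for a directory request with no
        # index.html/index.htm. Send 403 and return None so do_GET() has no
        # body to copy; the filesystem structure is not disclosed.
        self.send_error(403, "Directory listing is disabled")
        return None

    def log_message(self, format, *args):
        pass


def make_docroot():
    """Constructed sample docroot: an index page at the top level and a
    'backup' sub-directory that holds a stray file but no index file."""
    root = tempfile.mkdtemp(prefix="cwe548-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>home</h1>")
    os.mkdir(os.path.join(root, "backup"))
    with open(os.path.join(root, "backup", "db.sql.bak"), "w") as fh:
        fh.write("-- constructed sample file, not real data\n")
    return root


def probe(handler_cls, root, paths=("/", "/backup/", "/backup/db.sql.bak")):
    """Start handler_cls on a loopback port, request each path and return
    {path: HTTP status}. A 200 for '/backup/' means the directory was listed."""
    handler = functools.partial(handler_cls, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    results = {}
    try:
        for path in paths:
            url = f"http://127.0.0.1:{port}{path}"
            try:
                with urllib.request.urlopen(url, timeout=5) as resp:
                    resp.read()
                    results[path] = resp.status
            except urllib.error.HTTPError as exc:
                results[path] = exc.code
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    root = make_docroot()
    print("default :", probe(QuietDefaultHandler, root))  # '/backup/' -> 200 (listed)
    print("hardened:", probe(NoListingHandler, root))     # '/backup/' -> 403
```

The hardened handler keeps the file at /backup/db.sql.bak reachable by its exact name; the fix removes enumeration, not access, so deployment artifacts that should not be public still have to be moved out of the web root.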
Verification and Follow-Up Testing
After applying the fix:
1. Verify Directory Exposure
- Confirm directory listings are disabled
- Ensure only intended files are accessible
2. Test Edge Cases
- Alternative directory paths
- Static file locations
- Error handling that may reveal directory contents
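To support the follow-up test, here is an added example (not part of this guidance) of two verification helpers: one derives the directory URLs worth re-probing from a site's known asset paths, covering the trailing-slash and no-slash variants, and the other classifies a captured response as a server-generated directory index. The marker list is an assumed starting set, and the responses below are constructed samples.

```python
"""CWE-548 follow-up checks: which directory URLs to re-probe after the fix,
and whether a captured response is a server-generated directory index."""
import re
from urllib.parse import unquote, urlsplit

# Markers emitted by common auto-index pages. This is an assumed starting set
# for the example; a real scanner carries a longer, maintained list.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),               # Apache mod_autoindex, nginx autoindex
    re.compile(r"<title>\s*Directory listing for /", re.I),  # Python http.server
    re.compile(r"<title>\s*Directory Listing --", re.I),     # ASP.NET development server
    re.compile(r"\[To Parent Directory\]", re.I),            # IIS directory browsing
    re.compile(r">Parent Directory<", re.I),                 # Apache "fancy" index link
)


def candidate_directories(urls):
    """Return every ancestor directory path of the given resource URLs, each
    with and without its trailing slash (servers differ on which form they
    answer directly). A path without a trailing slash is treated as a file."""
    dirs = set()
    for url in urls:
        path = unquote(urlsplit(url).path)
        segments = [s for s in path.split("/") if s]
        if segments and not path.endswith("/"):
            segments = segments[:-1]  # last segment is the file name
        for depth in range(len(segments) + 1):
            base = "/" + "/".join(segments[:depth])
            if not base.endswith("/"):
                base += "/"
            dirs.add(base)
            if base != "/":
                dirs.add(base.rstrip("/"))
    return sorted(dirs)


def looks_like_listing(status, body):
    """True when a successful response carries an auto-index marker."""
    if status != 200:
        return False
    return any(marker.search(body) for marker in LISTING_MARKERS)


def flag_listings(responses):
    """responses: iterable of (url, status, body). Returns the URLs that still
    expose a directory index, i.e. the fix did not take effect there."""
    return [url for url, status, body in responses if looks_like_listing(status, body)]


# Constructed sample responses, as a scanner might have captured them.
SAMPLE_RESPONSES = [
    ("/backup/", 200,
     "<html><head><title>Index of /backup</title></head><body>"
     "<h1>Index of /backup</h1><a href='db.sql.bak'>db.sql.bak</a></body></html>"),
    ("/static/", 403, "<html><head><title>403 Forbidden</title></head></html>"),
    ("/static/js/", 200,
     "<html><head><title>Directory Listing -- /static/js/</title></head>"
     "<body><a href='/static/'>[To Parent Directory]</a></body></html>"),
    # A page that merely mentions the words is not a listing.
    ("/", 200, "<html><head><title>Home</title></head><body>Index of our products</body></html>"),
]

if __name__ == "__main__":
    print(candidate_directories(["/static/js/app.js", "/backup/db.sql.bak"]))
    print(flag_listings(SAMPLE_RESPONSES))  # ['/backup/', '/static/js/']
```

Feed the paths from `candidate_directories` to whatever client you re-run the check with and pass the (url, status, body) triples to `flag_listings`; an empty result for the whole set is the condition to meet before re-running the full scanner.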
3. Re-run DAST Scanner
Re-run the dynamic scanner to confirm directory listings are no longer accessible.