Skip to main content

Directory listing

Description

A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible.

Remediation

  • Configure your web server to prevent directory listings for all paths beneath the web root.
  • Place into each directory a default file (such as index.htm) that the web server will display instead of returning a directory listing.

REST Specific

Asp_net

To prevent directory listing in ASP.NET, configure the web server to disable directory browsing. In IIS, this can be done by opening the IIS Manager, navigating to the 'Directory Browsing' feature, and setting it to 'Disabled'. Additionally, ensure that default documents are properly configured so that a default web page is served instead of a directory listing. In the web.config file, set the 'system.webServer/directoryBrowse' element's 'enabled' attribute to 'false' to block directory listing at the application level.

Ruby_on_rails

In Ruby on Rails, disable directory listings by ensuring the config.serve_static_files option is set to false in your application's configuration file. Additionally, configure your web server (e.g., Apache or Nginx) to deny directory browsing. For Apache, use 'Options -Indexes' in your .htaccess file or Apache configuration. For Nginx, ensure 'autoindex off;' is included in the server block configuration.

Next_js

In Next.js, disable directory listing by ensuring that the 'server' configuration does not serve static files from a public directory without explicit routes. Use a custom server or middleware to control access to files, and set proper file permissions to prevent unauthorized directory traversal and exposure of sensitive files.

Laravel

In Laravel, disable directory listing by ensuring the 'Options -Indexes' directive is included in your .htaccess file, or configure your web server settings appropriately. Additionally, set the 'public' directory as the web root and avoid placing sensitive files within it. Use middleware to restrict access to authorized users and apply proper access controls to your routes.

Express_js

In Express.js, disable directory listing by not using express.static() middleware for serving static files, or configure it to disable directory indexing. Additionally, ensure that web server configurations like Apache's .htaccess or Nginx's server block do not have directory listing enabled. Use middleware like helmet to set security-related HTTP headers and prevent common vulnerabilities.

Django

In Django, ensure that the 'DEBUG' setting is set to False in your production settings file to prevent the display of a directory listing. Additionally, configure your web server to disallow directory indexing. For Apache, this can be done by removing 'Indexes' from the 'Options' directive in the .htaccess file or the main configuration file. For Nginx, ensure that 'autoindex' is set to 'off;' in the server block configuration.

Symfony

In Symfony, disable directory listing by configuring your web server appropriately. For Apache, use '.htaccess' or the config file to set 'Options -Indexes'. For Nginx, ensure 'autoindex' is set to 'off'. Additionally, review your 'public/' directory to ensure it only contains index.php and assets.

Spring_boot

In Spring Boot, disable directory listing by configuring your application.properties or application.yml to not allow static content listing, and ensure that your controllers do not expose directory paths. Use Spring Security to restrict access and define proper permissions for different resources.

Flask

In Flask, ensure that the 'AUTOINDEX' option is set to False in your application configuration or web server settings to prevent automatic directory listings. Additionally, configure your web server to deny directory browsing requests and serve a custom 403 Forbidden error page instead.

Nuxt

In Nuxt.js, to prevent directory listing, ensure that the static file serving configuration does not allow directory indexing. Set 'serveStatic' options to disable directory listing in your server configuration or use a middleware to restrict access to sensitive directories. Additionally, review and configure your web server settings (like Nginx or Apache) to disable directory browsing.

Fastapi

In FastAPI, to prevent directory listing, ensure that static file serving is configured correctly. Use the 'StaticFiles' class from 'fastapi.staticfiles' to serve static files and explicitly define which directories should be accessible. Avoid serving the entire root directory. Additionally, set 'use_directory_listing' to 'False' to disable directory listing for the specified static directories.

Configuration

Identifier: configuration/directory_listing

Examples

Ignore this check

checks:
  configuration/directory_listing:
    skip: true

Score

  • Escape Severity: LOW

Compliance

  • OWASP: API1:2023
  • pci: 2.2.5
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.18.1
  • nist: SP800-53
  • fedramp: AC-4

Classification

Score

  • CVSS_VECTOR: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVSS_SCORE: 5.3