Blog: Data leak via directory listing

Why is directory listing dangerous?

Directory listing of files stored on the web server poses great security risks. Information can be disclosed that is not intended for the public.

How can this happen in the first place?

When a user visits a website, for example www.codepurple.ch, the web server processes this request and sends back the index page as the result. The index page can be static or dynamically generated. However, if a user visits a URL whose folder contains no index page and folder listing has not been disabled, the web server instead returns a list of all folders and files in that folder.

Many web developers still assume that if an attacker does not know the exact URL, they will not find the secret data. This principle is called "security through obscurity", and it is equivalent to "no security". Today there are enough tools that can scan tens of thousands of addresses in a very short time and find the "secret" folders.

Attackers also find the secret URLs with the help of various service providers on the Internet. For example, historical URLs can be found via the Google cache or the Wayback Machine.

Directory listings are rarely found on the main domain. We usually find them in subfolders or on subdomains such as data.<company>.com.

An example of directory listing

As an example, take www.codepurple.ch/admin.

A visitor opens www.codepurple.ch/admin in their browser. As the following screenshot shows, the response reveals a folder named Backup inside the admin folder.

Directory listing of the admin folder

Clicking on Backup loads the following content.

Directory listing of the backup folder

In this listing we see a PHP file, a logfile of the FTP server, a backup of the SQL database and old passwords stored in a txt file. This is information that an attacker is very happy to find and can put to good use in a subsequent attack on the company.

Directory Listing even if Directory Listing is disabled?

Even if the server has been configured correctly, it may still be possible to access data on the web server through an exploit. As an example, there was an Apache Tomcat version that did not handle null bytes (%00) and the backslash (\) in URLs correctly and thus unintentionally revealed folder contents.

How to disable Directory Listing

To make the folders non-public, you need to change the configuration of the web server. Here are the necessary adjustments for the two most popular web servers, Apache and nginx.

Apache Web Server

The following must be added to the httpd.conf file:

    <Directory "/your/website/directory">
        Options -Indexes
    </Directory>

Additionally, if per-directory .htaccess files are in use, it is important to disable listing there as well with the same Options -Indexes directive, since an .htaccess file can otherwise re-enable it. It is important to disable listing for all folders, not only for specific ones. After that the server process must be restarted.

nginx

By default, nginx disables folder listing. If it was enabled in the past, you have to modify the nginx.conf file and change "autoindex on" to "autoindex off"; the directive may appear in the http, server or location context, so check all of them. After that the server process must be restarted.

How do I find out, if my server exposes the directory listing?

You can check your server configuration or use a scanning tool to check the main domain and its subdomains for directory listings.
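As an added example (not the scanning tool linked from this post, nor code from codepurple), here is a small Python checker you can point at your own domain: it requests a list of paths you know exist on your server and flags any response that looks like an Apache or nginx auto-generated listing. The sample responses and the www.codepurple.ch URLs below are constructed for the offline demo, not real server output.

```python
import re
import urllib.request
from urllib.parse import urljoin

# Apache's mod_autoindex and nginx's autoindex both title their pages "Index of /<path>"
# and link to the parent folder ("Parent Directory" in Apache, "../" in nginx).
LISTING_TITLE = re.compile(r"<title>\s*Index of\s+/[^<]*</title>", re.IGNORECASE)
PARENT_LINK = re.compile(r'Parent Directory|href="\.\./"', re.IGNORECASE)
ENTRY_LINK = re.compile(r'<a href="([^"?][^"]*)"')  # skips Apache's ?C=N;O=D sort links

def looks_like_directory_listing(html):
    """True if the response body carries both markers of an auto-generated listing."""
    return bool(LISTING_TITLE.search(html) and PARENT_LINK.search(html))

def listed_entries(html):
    """Names of the files and folders a listing page exposes (parent links dropped)."""
    return [h for h in ENTRY_LINK.findall(html) if not h.startswith(("/", "../"))]

def check_paths(base_url, paths, fetch=None):
    """Request base_url/<path>/ for each path you know exists on your own server and
    return {url: entries} for every one that serves a listing. `fetch` is injectable."""
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8", errors="replace")
    exposed = {}
    for path in paths:
        url = urljoin(base_url, path.strip("/") + "/")
        try:
            body = fetch(url)
        except OSError:  # urllib's URLError/HTTPError (403, 404, timeouts) are subclasses
            continue
        if looks_like_directory_listing(body):
            exposed[url] = listed_entries(body)
    return exposed

# Constructed samples modelled on the screenshots above: /admin and /admin/Backup.
APACHE_SAMPLE = ('<html><head><title>Index of /admin</title></head><body>'
                 '<a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a> '
                 '<a href="Backup/">Backup/</a></body></html>')
NGINX_SAMPLE = ('<html><head><title>Index of /admin/Backup/</title></head><body><pre>'
                '<a href="../">../</a>\n<a href="backup.sql">backup.sql</a>\n'
                '<a href="old-passwords.txt">old-passwords.txt</a>\n</pre></body></html>')
NORMAL_PAGE = '<html><head><title>Welcome</title></head><body>Hello</body></html>'
BASE = "https://www.codepurple.ch/"
FAKE_SITE = {BASE: NORMAL_PAGE, BASE + "admin/": APACHE_SAMPLE, BASE + "admin/Backup/": NGINX_SAMPLE}

if __name__ == "__main__":  # offline demo; drop fetch= to query a real server you own
    print(check_paths(BASE, ["", "admin", "admin/Backup"], fetch=FAKE_SITE.__getitem__))
```

Against a real server, pass the paths from your own deployment (upload folders, backup folders, log folders) rather than guessing; a hit means the folder needs an index file or Options -Indexes / autoindex off.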
