Directory Browsing

ID

directory_browsing

Severity

high

Kind

Information Disclosure

CWE

548

Description

Directory browsing occurs when a web server is configured to display the full contents of a directory that lacks a default index file. This allows anyone to view and navigate the file structure of the exposed directory, including scripts, configuration files, backup archives, and other resources not intended to be publicly accessible. An attacker can use this information to identify sensitive files and expand the attack surface of the application.

Rationale

Exposing the contents of server directories gives attackers a complete inventory of available resources, significantly reducing the effort needed to discover exploitable files. Sensitive items such as database dumps, backup source code, configuration files with credentials, or administrative scripts can be directly downloaded and used to escalate privileges or compromise the system. Even when the listed files do not contain secrets themselves, the revealed naming conventions and directory structure help attackers map the application and plan more targeted attacks.

Remediation

Disable directory listing on the web server for all paths beneath the web root. In Apache, this is achieved by removing Indexes from the Options directive in the relevant Directory block or .htaccess file. In Nginx, ensure autoindex is set to off. In Microsoft IIS, disable directory browsing through the IIS Manager or the corresponding configuration section.

As a defense-in-depth measure, place a default index file (such as index.html) in every directory so the server returns that page instead of a file listing. Additionally, review the contents of all web-accessible directories and remove any files that are not required for the application to function, such as backup files, sample scripts, or configuration dumps.
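As an added example (not part of this entry), the Apache form of the remediation above: the Options setting that enables listing, beside the corrected directive and a default index file. The document root /var/www/html and the file names are assumptions.

```apache
# Weak configuration (reproduces the issue described on this page):
# "Indexes" in Options lets mod_autoindex list any directory that has no
# index file, so paths such as /backup/ or /uploads/ become browsable.
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Hardened configuration:
# "-Indexes" removes the listing behaviour (a request for a directory with
# no index file now returns 403 instead of a file list), and DirectoryIndex
# names the default file to serve in its place. When mixing +/- forms,
# every option in the list must carry a sign.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
    DirectoryIndex index.html
</Directory>

# Equivalent per-directory override for hosts that permit .htaccess
# (requires "AllowOverride Options" in the enclosing Directory block):
#   Options -Indexes
```

After reloading the server, request a directory known to lack an index file and confirm the response is a 403 (or the default page) rather than a listing.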

References