Remediating Directory Listing Exposure Findings

This security test assesses whether a web application exposes directory listings. If a user visiting a folder path (like /assets/) sees a list of files instead of being redirected or served a default page.

Need to fix this?

• Disable directory browsing in your web server settings.
  • For Apache: Remove or comment out Options Indexes in your .htaccess or server config.
  • For Nginx: Set autoindex off; in your server block.
  • For IIS: Disable directory browsing in IIS Manager under Directory Browsing settings.
  • For other servers: Look for a similar setting to disable automatic file listings.
• Test by visiting folder paths (e.g., /assets/)—you should not see a file list.

What is the risk? Exposing a directory listing can:

• Reveal the structure of your application,
• Disclose unlinked or sensitive files (e.g., debug logs, old scripts),
• Provide attackers with additional attack surface and reconnaissance information.

How can I check for directory listing exposure in my web application?

• Manually test known folder paths in your application (e.g., /assets/, /uploads/, /admin/):
• If the browser shows a list of files and folders, the directory listing is enabled.
• Disable directory browsing in your web server settings (e.g., disable autoindex in Nginx or Options Indexes in Apache).

Does this impact my WAS Risk Vector Grade? No.

Possible Grades:

• Directory Listing Exposure findings are informational (Neutral). Weight is not applicable.

What will I see in the Portal?

Finding Message: Files were inadvertently or inappropriately included in the web root. These may reveal potentially sensitive information to an attacker.