This security test assesses whether a web application exposes directory listings, i.e., whether a user visiting a folder path (such as /assets/) sees a list of files instead of being redirected or served a default page.
Need to fix this?
- Disable directory browsing in your web server settings.
- For Apache: Remove or comment out Options Indexes in your .htaccess or server config.
- For Nginx: Set autoindex off; in your server block.
- For IIS: Disable directory browsing in IIS Manager under Directory Browsing settings.
- For other servers: Look for a similar setting to disable automatic file listings.
- Test by visiting folder paths (e.g., /assets/)—you should not see a file list.
What is the risk? Exposing a directory listing can:
- Reveal the structure of your application,
- Disclose unlinked or sensitive files (e.g., debug logs, old scripts),
- Provide attackers with additional attack surface and reconnaissance information.
How can I check for directory listing exposure in my web application?
- Manually test known folder paths in your application (e.g., /assets/, /uploads/, /admin/):
- If the browser shows a list of files and folders, the directory listing is enabled.
- Disable directory browsing in your web server settings (e.g., disable autoindex in Nginx or Options Indexes in Apache).
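The manual check above (visit folder paths, look for a file list) and the post-fix test from the remediation steps can be scripted. The following is an added example, not part of this article or the scanner's own logic: it requests each folder path without following redirects and flags a 200 HTML response that carries the markers of the stock Apache, Nginx or IIS index templates. The base URL, the path list and the marker patterns are assumptions; customised listing templates would need extra patterns.

```python
"""Probe folder paths and flag auto-generated directory listings."""
import re
import urllib.error
import urllib.request

# Markers emitted by the default directory-index templates (assumption: a
# server with a custom listing template needs its own pattern added here).
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s*/", re.I),   # Apache mod_autoindex, Nginx autoindex
    re.compile(r"<h1>\s*Index of\s*/", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),  # IIS Directory Browsing
)


def classify(path, status, headers, body):
    """Return (is_listing, reason) for one GET on a folder path.

    A redirect to a default page, or a 401/403/404, is the expected hardened
    behaviour; a 200 HTML page carrying index markers is the finding.
    """
    if 300 <= status < 400:
        return False, "redirected to %s" % headers.get("Location", "<none>")
    if status in (401, 403, 404):
        return False, "listing refused (HTTP %d)" % status
    if status != 200:
        return False, "HTTP %d" % status
    if "text/html" not in headers.get("Content-Type", "").lower():
        return False, "200 but not HTML (default file served?)"
    for marker in LISTING_MARKERS:
        if marker.search(body):
            return True, "index markers present (%s)" % marker.pattern
    return False, "200 HTML without index markers (default page served)"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx to the caller instead of following it


def probe(base_url, paths):
    """GET each folder path and return [(path, is_listing, reason), ...]."""
    opener = urllib.request.build_opener(_NoRedirect())
    results = []
    for path in paths:
        try:
            with opener.open(base_url.rstrip("/") + path, timeout=10) as resp:
                status, hdrs, body = resp.status, resp.headers, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
            status, hdrs, body = err.code, err.headers, err.read().decode("utf-8", "replace")
        results.append((path,) + classify(path, status, hdrs, body))
    return results


if __name__ == "__main__":
    for path, listing, reason in probe("http://localhost:8080", ["/assets/", "/uploads/", "/admin/"]):
        print("%-10s %s  %s" % (path, "LISTING" if listing else "ok", reason))
```

Run it against a staging copy of your own site before and after changing the server setting; every line should read "ok" afterwards.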
Does this impact my WAS Risk Vector Grade? No.
Possible Grades:
- Directory Listing Exposure findings are informational (Neutral). Weight is not applicable.
What will I see in the Portal?
Finding Message: Files were inadvertently or inappropriately included in the web root. These may reveal potentially sensitive information to an attacker.