Weakness reference
CWE-548

Exposure of Information Through Directory Listing


01 Summary

Directory listing occurs when a web server automatically generates and displays the contents of a directory when no default file (like index.html) is present. This exposes filenames, folder structures, and sometimes file sizes to anyone who visits that URL — potentially revealing configuration files, backup copies, source code, or other sensitive assets that were never meant to be public.

02 How It Happens

Most web servers (Apache, Nginx, IIS) have a feature that, when enabled, will serve a formatted HTML page listing all files and subdirectories in a folder if no index file exists. This is often enabled by default for convenience during development or testing. If a directory lacks a proper index file and the server's directory listing feature is not explicitly disabled, any visitor can request that directory URL and receive a complete inventory of its contents. This is especially dangerous in subdirectories created for temporary uploads, backups, or development artifacts that were never intended to be discoverable.

03 Real-World Impact

An attacker can use directory listings to map out your site's structure, discover hidden or forgotten files (old backups, configuration files with credentials, source code), and identify potential attack surfaces. For example, a listing might reveal a /backups/ directory containing database dumps, a /config/ folder with API keys, or a /uploads/ area with user-submitted files. Even filenames alone can leak information about your technology stack, internal naming conventions, or the presence of administrative tools.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
from http.server import HTTPServer, SimpleHTTPRequestHandler
import os

class Handler(SimpleHTTPRequestHandler):
    def do_GET(self):
        # SimpleHTTPRequestHandler automatically lists directories
        # if no index.html exists
        super().do_GET()

if __name__ == '__main__':
    server = HTTPServer(('0.0.0.0', 8000), Handler)
    server.serve_forever()

Why it's vulnerable:
SimpleHTTPRequestHandler enables directory listing by default. Any directory without an index.html will display its contents to anyone who requests it.

Fixed pattern
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.parse import urlsplit

class Handler(SimpleHTTPRequestHandler):
    def do_GET(self):
        # Reject requests for directories; serve only files.
        # Test the path component only: self.path still carries the query
        # string, so a request for '/uploads/?x=1' would otherwise slip past
        # a plain endswith('/') check and the directory would be listed.
        if urlsplit(self.path).path.endswith('/'):
            self.send_error(403, "Directory listing not allowed")
            return
        super().do_GET()

if __name__ == '__main__':
    server = HTTPServer(('0.0.0.0', 8000), Handler)
    server.serve_forever()

Vulnerable pattern
# Apache .htaccess or server config with directory listing enabled
# (or no .htaccess at all to disable it)

# Visiting /uploads/ with no index.php shows all files:
# directory listing is enabled by default in many configurations

Why it's vulnerable:
Without an explicit index.php file or a directive to disable directory listing, Apache will generate and serve a formatted list of all files in the directory.

Fixed pattern
# .htaccess in the directory (or in a parent directory)
# Disables directory listing for this directory and its subdirectories
Options -Indexes

05 Prevention Checklist

Disable directory listing at the server level.
In Apache, add Options -Indexes to .htaccess or the main configuration. In Nginx, make sure there is no "autoindex on;" directive in the configuration. In IIS, disable "Directory Browsing" in the feature settings.
Create index files in all public directories.
Place a default index.html, index.php, or equivalent in every directory that should be web-accessible, even if it's just a blank or error page.
Restrict access to sensitive directories.
Use .htaccess, firewall rules, or web server configuration to deny direct HTTP access to /backups/, /config/, /admin/, /tmp/, and similar folders.
Review your directory structure regularly.
Audit your web root for unexpected or forgotten subdirectories that might be exposed.
Test your site for directory listing.
Manually visit various directory paths (e.g., /uploads/, /assets/, /includes/) to confirm no listings are served.
Use a Web Application Firewall (WAF) rule as a secondary control.
Have the WAF block or log requests that would return a directory listing response.

06 Signs You May Already Be Affected

Check your web server logs for requests to directory paths (URLs ending in / without a filename). If you see successful responses (HTTP 200) with HTML content that looks like a file listing, directory listing is enabled. You can also manually test by visiting a subdirectory URL in your browser and observing whether a formatted list of files appears instead of a 403 Forbidden or 404 Not Found error.
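The two checks described above in code, as an added example that is not part of this reference page: a filter over access-log lines in Common Log Format that picks out directory-style requests answered with HTTP 200 (logs cannot show the body, so these are only candidates), and a fingerprint test for the HTML page a server generates when it lists a directory. The log lines and the response body are constructed, and the marker strings are the title or link text that Apache, Nginx, IIS and Python's http.server commonly emit; adjust them to what your own server produces.

```python
import re
from typing import Iterable
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Fingerprints of auto-generated listing pages (assumed defaults, adjust as needed):
# Apache and Nginx title the page "Index of /...", Python's http.server uses
# "Directory listing for /...", IIS directory browsing links "[To Parent Directory]".
LISTING_MARKERS = (
    re.compile(r'<title>\s*Index of /', re.I),
    re.compile(r'Directory listing for /', re.I),
    re.compile(r'\[To Parent Directory\]', re.I),
)

def directory_candidates(log_lines: Iterable[str]) -> list[str]:
    """Return distinct directory-style paths (ending in '/') that received HTTP 200.

    The query string is dropped so '/backups/?x=1' is treated as '/backups/'.
    Each candidate still has to be fetched and checked with is_directory_listing().
    """
    found: list[str] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m['status'] != '200':
            continue
        path = urlsplit(m['target']).path
        if path.endswith('/') and path not in found:
            found.append(path)
    return found

def is_directory_listing(status: int, content_type: str, body: str) -> bool:
    """True when a 200 text/html response carries a known listing fingerprint."""
    if status != 200 or not content_type.lower().startswith('text/html'):
        return False
    return any(marker.search(body) for marker in LISTING_MARKERS)

# Constructed sample data (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /uploads/ HTTP/1.1" 200 1043',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /backups/?x=1 HTTP/1.1" 200 887',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /config/ HTTP/1.1" 403 199',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /assets/app.js HTTP/1.1" 200 5120',
]
SAMPLE_LISTING = '<html><head><title>Index of /uploads</title></head><body>...</body></html>'

if __name__ == '__main__':
    for path in directory_candidates(SAMPLE_LOG):
        print('candidate directory request:', path)
    print('listing fingerprint found:', is_directory_listing(200, 'text/html; charset=utf-8', SAMPLE_LISTING))
```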

07 Related Recent Vulnerabilities