Directory Listing
detect, understand, remediate
Directory listing reveals the contents of web server directories to anyone who requests them, potentially exposing backup files, configuration files, source code, and other sensitive data.
No credit card required. Free plan available forever.
What is directory listing?
Directory listing (also called directory browsing or directory indexing) is a web server feature that displays the contents of a directory when no default index file (such as index.html or index.php) is present. When enabled, anyone who navigates to the directory URL can see all files and subdirectories within it.
While directory listing is not an exploit in itself, it becomes a serious security issue when it exposes sensitive files such as configuration files, backup archives, source code, database dumps, or internal documentation. Attackers routinely scan for open directory listings as a reconnaissance step to identify attack vectors.
This vulnerability is especially common in development and staging environments that are accidentally exposed to the internet, or in production servers where default configurations have not been hardened after deployment.
How it works
Browse to a directory
An attacker navigates to a URL path that corresponds to a directory on the web server without specifying a file.
Server lists contents
The web server, with directory listing enabled and no index file present, returns an HTML page listing all files and subdirectories.
Sensitive files discovered
The attacker identifies configuration files, backups, source code archives, or other sensitive resources in the listing.
Data exfiltrated
The attacker downloads exposed files, gaining access to credentials, internal logic, or data that enables further attacks.
Common causes
Autoindex enabled in server config
Web servers such as Apache and Nginx have directory listing modules (mod_autoindex in Apache, the autoindex module in Nginx) that are enabled by default or by configuration templates.
Missing index files
Directories that lack a default index file (index.html, index.php) trigger the server to render a directory listing instead.
Default server configuration
Many web server installations ship with directory listing enabled. Administrators who do not review and harden the default config leave directories exposed.
Exposed development paths
Build artifacts, backup directories, and staging paths are deployed to production without access restrictions or proper cleanup.
How to detect it
Automated detection
- SecPortal's external scanner automatically crawls and identifies directories that return file listings instead of proper responses
- Path brute-forcing modules test common directory names and flag any that expose directory contents
- Configuration audit checks verify that server directives disable autoindex across all virtual hosts
Manual testing
- Navigate to known directory paths (e.g. /images/, /uploads/, /backup/) and check if a file listing is returned
- Remove the filename from known resource URLs to see if the parent directory is browsable
- Review server configuration files for autoindex or directory listing directives
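The walkthrough above (browse to a directory, the server lists its contents) and the manual check of known paths can both be reproduced against a throwaway server. The following script is an added example, not SecPortal's code or any scanner's: it serves a constructed directory tree with Python's built-in http.server (which renders a listing whenever no index.html is present), fetches /backup/, recognises the listing page by its title, extracts the file names it exposes, and then shows that dropping in an index file makes the same URL stop listing. The title patterns for Apache, Nginx and http.server listing pages and the /backup/ sample files are assumptions made for this example.

```python
"""Added example (not SecPortal's code): detect a browsable directory on a
local test server, then confirm that adding an index file stops the listing.
It uses Python's built-in http.server, which lists a directory whenever no
index.html is present, so it runs offline against constructed sample files."""
from __future__ import annotations

import functools
import http.server
import re
import tempfile
import threading
import urllib.parse
import urllib.request
from pathlib import Path

# Listing pages announce themselves in <title>: Apache mod_autoindex and Nginx
# autoindex use "Index of /path", Python's http.server uses
# "Directory listing for /path". (Assumed from the servers' default templates.)
LISTING_TITLE = re.compile(
    r"<title>\s*(Index of|Directory listing for)\b", re.IGNORECASE)
HREF = re.compile(r'<a\s+href="([^"]+)"', re.IGNORECASE)


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request log lines on stderr."""

    def log_message(self, format, *args):  # same signature as the stdlib method
        pass


def looks_like_listing(body: str) -> bool:
    """True if the HTML body is an auto-generated directory listing."""
    return LISTING_TITLE.search(body) is not None


def listed_entries(body: str) -> list[str]:
    """File and subdirectory names linked from a listing page.
    Skips Apache's sort links (?C=N;O=D) and parent-directory links."""
    names = []
    for href in HREF.findall(body):
        if href.startswith("?") or href in ("../", "/"):
            continue
        names.append(urllib.parse.unquote(href))
    return names


def check_directory(url: str) -> tuple[bool, list[str]]:
    """Fetch a directory URL and report (listing_enabled, entries_seen)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        body = resp.read().decode("utf-8", "replace")
    return looks_like_listing(body), listed_entries(body)


def serve_directory(root: Path) -> tuple[http.server.ThreadingHTTPServer, str]:
    """Serve `root` on an ephemeral loopback port in a background thread."""
    handler = functools.partial(QuietHandler, directory=str(root))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Walk through detection and the index-file fix on a throwaway tree.
    The /backup/ directory and its files are constructed for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "db-dump.sql").write_text("-- constructed sample, no real data\n")
        (backup / "config.php.bak").write_text("<?php // constructed sample\n")
        server, base = serve_directory(Path(tmp))
        try:
            # Step 1: no index file, so the server renders a listing.
            before = check_directory(base + "/backup/")
            # Step 2: drop in an index file; the same URL now returns it instead.
            (backup / "index.html").write_text(
                "<!doctype html><title>Nothing to see</title>\n")
            after = check_directory(base + "/backup/")
        finally:
            server.shutdown()
            server.server_close()
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, (listing, entries) in demo().items():
        print(f"{phase}: listing={'yes' if listing else 'no'} entries={entries}")
```

Run it with `python3 listing_check.py`; the "before" phase reports the two sample files, the "after" phase reports no listing. To use check_directory against one of your own hosts, point it at the directory URLs you would otherwise test by hand (/images/, /uploads/, /backup/), keeping the trailing slash so the request hits the directory rather than a redirect.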
How to fix it
Disable directory listing in server config
Set "Options -Indexes" in Apache or "autoindex off" in Nginx to prevent the server from listing directory contents.
Add index files to all directories
Place a default index file in every web-accessible directory to prevent the server from falling back to directory listing.
Restrict file permissions
Ensure that sensitive files and directories are not readable by the web server user. Apply least-privilege file system permissions.
Monitor for exposed sensitive files
Regularly scan your web application for exposed configuration files, backups, and archives that should not be publicly accessible.
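The "Options -Indexes" and "autoindex off" directives above are only effective if no other scope re-enables listing, which is the point of the configuration audit check mentioned under automated detection. The script below is an added example, not SecPortal's code: it holds a weak and a hardened snippet for each of Apache and Nginx (constructed samples, not a real server's configuration) and a small audit that reports every directive turning listing on, including an `autoindex on;` buried inside a location block and Apache's `Options All`, which implies Indexes. Commented-out directives are ignored.

```python
"""Added example (not SecPortal's code): audit Apache and Nginx configuration
text for directory listing, with each weak setting beside its hardened form.
All snippets are constructed samples, not a real server's configuration."""
from __future__ import annotations

import re

# Weak: 'Options Indexes' turns listing on for everything under the directory.
WEAK_APACHE = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# Hardened: '-Indexes' removes listing while keeping the other options.
HARDENED_APACHE = """
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# Weak: listing is off at server level but re-enabled in one location block,
# which is why an audit must look at every scope, not just the top of the file.
WEAK_NGINX = """
server {
    listen 80;
    root /var/www/html;
    autoindex off;
    location /backup/ {
        autoindex on;
    }
}
"""

# Hardened: no scope turns autoindex on (the Nginx default is off).
HARDENED_NGINX = """
server {
    listen 80;
    root /var/www/html;
    autoindex off;
    location /backup/ {
        autoindex off;
    }
}
"""

APACHE_OPTIONS = re.compile(r"^[ \t]*Options[ \t]+(.+)$",
                            re.IGNORECASE | re.MULTILINE)
NGINX_AUTOINDEX = re.compile(r"^[ \t]*autoindex[ \t]+on[ \t]*;",
                             re.IGNORECASE | re.MULTILINE)


def strip_comments(config: str) -> str:
    """Drop '#' comments so a commented-out directive is not reported."""
    return "\n".join(line.split("#", 1)[0] for line in config.splitlines())


def apache_listing_enabled(config: str) -> list[str]:
    """Return Options lines that enable indexing: 'Indexes', '+Indexes', or
    'All' (which includes Indexes). '-Indexes' and lines without it pass."""
    findings = []
    for m in APACHE_OPTIONS.finditer(strip_comments(config)):
        tokens = {t.lower() for t in m.group(1).split()}
        if tokens & {"indexes", "+indexes", "all", "+all"}:
            findings.append(m.group(0).strip())
    return findings


def nginx_listing_enabled(config: str) -> list[str]:
    """Return every 'autoindex on;' directive, whatever block it sits in."""
    return [m.group(0).strip()
            for m in NGINX_AUTOINDEX.finditer(strip_comments(config))]


def audit(apache: str, nginx: str) -> dict[str, list[str]]:
    """Combine both checks into one report keyed by server type."""
    return {"apache": apache_listing_enabled(apache),
            "nginx": nginx_listing_enabled(nginx)}


if __name__ == "__main__":
    print("weak     :", audit(WEAK_APACHE, WEAK_NGINX))
    print("hardened :", audit(HARDENED_APACHE, HARDENED_NGINX))
```

To audit a live host, read the contents of each file under the server's configuration directory into the same functions; Apache also honours `.htaccess` files under the document root when AllowOverride permits it, so include those in the sweep.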
Find exposed directories and files
SecPortal checks for directory listing, exposed admin panels, backup files, and .git config leaks. Start free.