Testing for Unrestricted Directory Listings
By Regina Kwon | Posted 2002-11-01
Will your Web site pass our security tests?
A default page (often called the index page) is the one a Web server returns when the address typed into the browser names a directory rather than a file. When you visit Yahoo!, for example, you type only "www.yahoo.com"; although it never appears in the address bar, "index.html" is the page you are looking at. Every directory in a Web site resolves, or is supposed to resolve, to such a page.
Many Web sites have directories without a default page, however. A directory of images, for example, is unlikely to contain one. When no default page exists, a visitor who requests the directory gets one of two things: an HTTP error (commonly "403 Forbidden", though some servers answer "404 File not found"), or a server-generated listing of every file in that directory, a peek into contents that were meant to stay private.
This poses a security risk for your site. Attackers can use such listings to reach data that was never intended to be available to unauthenticated users. Files you assumed were invisible to visitors because no link pointed to them (backup copies, old versions of scripts, uploaded documents) become one click away, since the listing supplies the filenames an attacker would otherwise have to guess.
Start clicking through your site until you've accessed a page within a subdirectory of your site. For example, the following URL:
indicates you have reached a page called page.html located within a subdirectory called somedirectory. (By contrast, the URL http://www.anysite.com/page.html is located within the site's top-level directory, not within a subdirectory.)
Now that you've located a subdirectory page, place your cursor in the address bar and edit the URL to remove the page's filename, keeping the slash that follows the directory name. If you had been on a page called
then you would shorten the URL to
Click the "Go" button in the address bar, or press the Enter or Return key. This sends a request for the directory itself, rather than a page within it, to the Web server.
Examine the page that comes back. If the directory has its own index page, keep clicking through to find another directory to test and repeat the steps above. But if you see a listing of files under a heading such as "Index of" or "Directory of", often with a "Parent Directory" link at the top, then that directory's contents can be viewed without authentication. Test more than one directory: the setting can differ from directory to directory, and directories of images, downloads and uploads are the ones most often left unprotected.
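The manual procedure above (strip the filename from a page URL, request the directory, look for a listing) can be automated to cover a whole list of pages. The script below is an added example and not part of the original article; it uses only the Python standard library. The site name www.anysite.com and the HTML bodies in SAMPLE_RESPONSES are constructed stand-ins for real server replies so the logic can run offline; pass the default fetch instead of fake_get to test a live site you are authorized to probe.

```python
"""Check whether the directory holding a page is served as a browsable listing.

Added example, not code from the original article. The sample HTML bodies
below are constructed to resemble common server-generated listings.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Markers that the common server families put in auto-generated listings.
LISTING_PATTERNS = [
    re.compile(r"<title>\s*Index of /", re.I),            # Apache, nginx, lighttpd
    re.compile(r"<title>[^<]* - /[^<]*</title>", re.I),   # IIS: "<host> - /dir/"
    re.compile(r"\[To Parent Directory\]", re.I),         # IIS body
    re.compile(r"Parent Directory", re.I),                # Apache/nginx body
    re.compile(r"<h1>\s*Directory (listing|of) ", re.I),  # Python http.server and others
]


def parent_directory_url(page_url):
    """Drop the final path segment: .../somedirectory/page.html -> .../somedirectory/

    A URL that already ends in '/' is returned unchanged. A top-level page
    yields the site root, which is worth testing as well.
    """
    parts = urlsplit(page_url)
    path = parts.path or "/"
    if not path.endswith("/"):
        path = path.rpartition("/")[0] + "/"
    # Query string and fragment belong to the page, not the directory, so drop them.
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def looks_like_listing(status, body):
    """True if the response reads as a server-generated directory index."""
    if status != 200:
        return False  # 403/404 means listings are off or the path does not exist
    return any(p.search(body) for p in LISTING_PATTERNS)


def fetch(url, timeout=10):
    """Plain GET returning (status, body); HTTP errors return their own status and body."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_page(page_url, get=fetch):
    """Run the article's test for one page: derive the directory URL, request it,
    and report whether a listing came back. `get` is injectable for offline use."""
    dir_url = parent_directory_url(page_url)
    status, body = get(dir_url)
    return {"directory": dir_url, "status": status,
            "listing": looks_like_listing(status, body)}


# Constructed responses standing in for a real server (www.anysite.com is hypothetical).
SAMPLE_RESPONSES = {
    "http://www.anysite.com/images/": (200,
        "<html><head><title>Index of /images</title></head><body>"
        "<h1>Index of /images</h1><a href=\"../\">Parent Directory</a> "
        "<a href=\"backup.zip\">backup.zip</a></body></html>"),
    "http://www.anysite.com/docs/": (403, "<html><title>403 Forbidden</title></html>"),
    "http://www.anysite.com/": (200, "<html><title>Welcome to anysite</title></html>"),
}


def fake_get(url):
    """Offline replacement for fetch() that answers from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url, (404, "Not Found"))


if __name__ == "__main__":
    for page in ("http://www.anysite.com/images/logo.png",
                 "http://www.anysite.com/docs/page.html",
                 "http://www.anysite.com/page.html"):
        print(check_page(page, get=fake_get))
```

The status check matters: a 403 or 404 for the directory means the test passed for that directory, while a 200 whose body contains none of the markers is simply an index page. The "Parent Directory" pattern can match an ordinary page that happens to use those words, so treat a hit as something to confirm in a browser rather than as proof on its own.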
You could create a default page for every directory in your Web site, but that is easy to forget the next time someone adds a directory. The more reliable fix is to disable directory listings in the Web server's configuration; on most servers this takes a single directive. Note what this does and does not do: with listings off, a visitor who requests the directory gets an error instead of an inventory, but any file whose name the visitor already knows or can guess is still served. Files that must not be public belong outside the document root or behind authentication, not merely unlinked.
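For Apache, the single directive the article refers to is the one below. This fragment is an added example rather than the article's own configuration, and the document root path /var/www/html is an assumption; adjust it to your site.

```apache
# httpd.conf: turn off auto-generated listings for the whole document tree
# (added example; /var/www/html is assumed to be the document root).
<Directory "/var/www/html">
    # The leading "-" removes Indexes from the inherited Options. A bare
    # "Options Indexes" in a deeper <Directory> or .htaccess would turn
    # listings back on, so also stop .htaccess files from overriding it.
    Options -Indexes
    AllowOverride None

    # Name the default pages the server should try before giving up on a
    # directory, in order of preference.
    DirectoryIndex index.html index.php
</Directory>
```

In an .htaccess file, where `<Directory>` blocks are not permitted, the line `Options -Indexes` on its own does the job (provided AllowOverride permits it). On nginx the equivalent is `autoindex off;` in the server or location block, which is also the default. After changing the setting, restart or reload the server and rerun the test above: the directory that previously produced an "Index of" page should now return "403 Forbidden".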