Testing for Unrestricted Directory Listings

By Regina Kwon  |  Posted 2002-11-01 Print this article Print

Will your Web site pass our security tests?

Unrestricted Directory Listings

A default page is one that appears when no page is explicitly typed into a browser's address bar. For example, when you visit Yahoo!, you merely type in "www.yahoo.com." Although it isn't written in the address bar, "index.html" is the page you're seeing. Every directory in a Web site defaults--or tries to default--to a particular page.

Many Web sites have directories without a default page, however. A directory of images, for example, would be unlikely to contain such a page. If no default page exists, visitors may receive an "HTTP 404 File not found" error. Or they may receive a peek into the private contents of that directory.

This could pose a security risk for your site. Attackers can use such listings to gain access to data that was not intended to be available to unathenticated users. For example, files that you may have thought unavailable to Web site visitors because no links led to them could now potentially be readily accessed.

Step 1. Open the Web site in a browser.
Step 2. Find a page in a subdirectory.

Start clicking through your site until you've accessed a page within a subdirectory of your site. For example, the following URL:


indicates you have reached a page called page.html located within a subdirectory called somedirectory. (By contrast, the URL http://www.anysite.com/page.html is located within the site's top-level directory, not within a subdirectory.)

Step 3. Browse the directory.

Now that you've located a subdirectory page, place your cursor within the address bar URL and edit the URL to remove the page's filename. If you had been on a page called


then you would shorten the URL to


Step 4. Send request.

Click the "Go" button in the address bar, or press the Enter or Return key. This will send the request to the Web server.

Step 5. Analyze the results.

Examine the page that displays next. If it turns out that the directory does have its own index page, you'll want to continue to click through to find another directory to test, repeating Step 4. But if you see a listing of files under a heading such as "Index of" or "Directory of," then your site's private files can be viewed without authentication.

Step 6. Fix vulnerability.

You could create a default page for every directory in your Web site. Alternatively, you could easily enter your Web server's configuration options and disallow directory listings. This is typically done with a single word or line of code.

As Statistics Editor of Baseline magazine, Regina creates interactive tools, worksheets and project guides for technology managers. Before joining Ziff Davis, she worked as a technical program manager for a database company, where her projects included data management applications in XML, Java, Visual Basic and ASP. Her other experience includes running the new media department at Christie's Inc. and writing and editing for Internet World and PC Magazine. Regina received a B.A. from Yale.

Submit a Comment

Loading Comments...
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.