How to Disable Directory Listing on Your Web Server

A misconfigured or default web server configuration can lead to a number of issues that make an attacker's work easier. One common web server issue is directory listing. Many administrators leave it enabled by mistake, creating an information disclosure issue, because it allows everyone to see all the files and directories on the website.

This article explains what directory listing is and how to:

What is Directory Listing?

Directory listing is a feature that allows web servers to list the contents of a directory when there is no index file present. Therefore, if a request is made to a directory on which directory listing is enabled and there is no index file such as index.php or index.asp, the web server sends a directory listing as the response.

When directory listing is enabled, the content of the directory can be seen via the browser.

As you can see from the picture above, the directory listing feature generates an output similar to the 'dir' or 'ls' command that is run on an operating system.

What Information is Leaked & What are the Risks of Directory Listing?

Let's assume that a backup copy of the file config.php, in which the credentials for a database connection are kept, is in the secret folder, which has directory listing enabled.

If the attacker finds the secret folder by crawling or fuzzing and then accesses it directly, e.g. http://www.example.com/secret/, he can see and download the backup file, which contains the database connection details. The attacker now has the connection details for the web application's database, and with these credentials he may be able to damage the database or the web application.

How to Disable Directory Listing?

As a security best practice it is recommended to disable directory listing. You can disable directory listing by creating an empty index file in the relevant directory. However, in many cases this is not the best solution, because such files are easily forgotten, for example when migrating the web application from development to production, or when new directories are added.

You should therefore implement a permanent and secure solution by disabling directory listing at the web server level, as explained in this article.
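Whichever server you run, the fix should be verified from the outside: request a directory URL and check whether the response body is the server's built-in listing page rather than an application page. The following check is an added example, not code from the original article; the signatures are the default listing templates of the servers covered below (Apache, Nginx and Lighttpd use an "Index of /" title, Tomcat uses "Directory Listing For", IIS includes a "[To Parent Directory]" link), and the sample response bodies are constructed for the example.

```python
"""Detect whether an HTTP response body is a web-server-generated directory
listing. Added example; the signature list is the author's own and is not
exhaustive."""
import re
import urllib.error
import urllib.request
from typing import Optional

# Each server family's built-in listing page carries a fixed title or marker.
LISTING_SIGNATURES = [
    ("apache/nginx/lighttpd", re.compile(r"<title>\s*Index of /", re.I)),
    ("tomcat", re.compile(r"Directory Listing For\s*/", re.I)),
    ("iis", re.compile(r"\[To Parent Directory\]", re.I)),
]


def detect_listing(body: str) -> Optional[str]:
    """Return the server family whose listing template matches, or None."""
    for family, pattern in LISTING_SIGNATURES:
        if pattern.search(body):
            return family
    return None


def check_url(url: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch a directory URL of your own site and classify the body.

    Only HTTP 200 bodies are examined: a 403 or 404 means the server refused
    to produce a listing, which is the desired outcome after the fix."""
    if not url.endswith("/"):
        url += "/"
    req = urllib.request.Request(url, headers={"User-Agent": "dirlisting-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            body = resp.read(65536).decode("utf-8", errors="replace")
    except urllib.error.HTTPError:
        return None
    return detect_listing(body)


# Constructed sample bodies, modelled on each server's default listing page.
SAMPLE_APACHE = ('<html><head><title>Index of /secret</title></head><body>'
                 '<h1>Index of /secret</h1><a href="config.php.bak">config.php.bak</a>'
                 '</body></html>')
SAMPLE_TOMCAT = ('<html><head><title>Directory Listing For /secret/</title></head>'
                 '<body><h1>Directory Listing For /secret/</h1></body></html>')
SAMPLE_IIS = ('<html><head><title>www.example.com - /secret/</title></head>'
              '<body><pre><a href="/">[To Parent Directory]</a><br></pre></body></html>')
SAMPLE_NORMAL = '<html><head><title>Welcome</title></head><body>Hello</body></html>'


if __name__ == "__main__":
    for name, body in [("apache", SAMPLE_APACHE), ("tomcat", SAMPLE_TOMCAT),
                       ("iis", SAMPLE_IIS), ("normal", SAMPLE_NORMAL)]:
        print(f"{name:7s} -> {detect_listing(body)}")
```

Run `check_url("https://www.example.com/secret/")` against directories of your own site after changing the configuration; a `None` result means no listing was served. The title check can match an application page that happens to be titled "Index of /", so treat a hit as something to confirm by hand rather than as proof on its own.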

Disabling Directory Listing For Some Web Servers

Disabling Directory Listing on Tomcat Server

In Tomcat 5.0 directory listing is disabled by default. However, it may have been enabled by a regression or a configuration change, in which case it must be disabled again. Directory listing can be configured at two different scopes: the first affects all our web projects and the second affects only a specified website.

Disabling Directory Listing in All Web Projects

To disable directory listing on the Tomcat web server, open the conf/web.xml file in the directory where Tomcat is installed and locate the declaration of the default servlet, shown below. In our test on Windows 10, the default installation directory was "C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0".

<servlet>
     <servlet-name>default</servlet-name>
     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
     <init-param>
          <param-name>debug</param-name>
          <param-value>0</param-value>
     </init-param>
     <init-param>
          <param-name>listings</param-name>
          <param-value>false</param-value>
     </init-param>
     <load-on-startup>1</load-on-startup>
</servlet>

Find the <init-param> element whose <param-name> is listings. Its <param-value> is the determining factor in this section: if this value is true and you want to disable directory listing, change it to false.

You can directly copy and modify the following code:

<servlet>
     <servlet-name>default</servlet-name>
     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
     <init-param>
          <param-name>debug</param-name>
          <param-value>0</param-value>
     </init-param>
     <init-param>
          <param-name>listings</param-name>
          <param-value>false</param-value>
     </init-param>
     <load-on-startup>1</load-on-startup>
</servlet>

Disabling Directory Listing in a Web Project

In the first method, we configured a general setting that applies to all the web projects running on the server. In this method, we will configure it so that it only affects the website we change. Open the web.xml file of the relevant web project and add the following code:

<servlet>
    <servlet-name>DefaultServletOverride</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>DefaultServletOverride</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

With the above change the default servlet is overridden for this web project: the website on which we made the change now runs independently of the setting configured in the first method.
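Because the per-project override takes precedence over the global conf/web.xml, it is easy to lose track of which value is actually in force for a given application. The script below is an added example (not code from the article or from the Tomcat project) that parses both files with the standard library and resolves the effective listings value. It assumes Tomcat's usual merge behaviour: a servlet declared in the project's web.xml counts as an override when it is mapped to "/" (as in the code above) or reuses the name default; the web.xml fragments are constructed for the example.

```python
"""Resolve the effective DefaultServlet 'listings' value for one Tomcat web
application from the global conf/web.xml and the app's WEB-INF/web.xml.
Added example; the merge rules are a simplified model of Tomcat's."""
import xml.etree.ElementTree as ET
from typing import Optional

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the XML namespace that Tomcat's web.xml files carry."""
    return tag.rsplit("}", 1)[-1]


def _text(elem: ET.Element, name: str) -> str:
    """Text of the first direct child named `name`, namespace-agnostic."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_listings(web_xml: str, app_level: bool) -> Optional[bool]:
    """Return the 'listings' value of the DefaultServlet declared in web_xml.

    None  -> no applicable DefaultServlet declaration in this file
    False -> declared without a 'listings' param (Tomcat's default is false)
    At app level the declaration only counts if it is mapped to '/' or is
    named 'default', which is how it replaces the global one."""
    root = ET.fromstring(web_xml)
    mapped_to_root = {
        _text(e, "servlet-name") for e in root
        if _local(e.tag) == "servlet-mapping" and _text(e, "url-pattern") == "/"
    }
    for elem in root:
        if _local(elem.tag) != "servlet" or _text(elem, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        name = _text(elem, "servlet-name")
        if app_level and name not in mapped_to_root and name != "default":
            continue
        for child in elem:
            if _local(child.tag) == "init-param" and _text(child, "param-name") == "listings":
                return _text(child, "param-value").lower() == "true"
        return False
    return None


def effective_listings(global_web_xml: str, app_web_xml: str) -> bool:
    """Per-application override wins; otherwise conf/web.xml; otherwise false."""
    app = default_servlet_listings(app_web_xml, app_level=True)
    if app is not None:
        return app
    return bool(default_servlet_listings(global_web_xml, app_level=False))


# Constructed sample files (namespace as used by Tomcat's conf/web.xml).
GLOBAL_ON = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""
GLOBAL_OFF = GLOBAL_ON.replace("<param-value>true</param-value>", "<param-value>false</param-value>")
APP_OVERRIDE_OFF = """<web-app>
  <servlet><servlet-name>DefaultServletOverride</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>DefaultServletOverride</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""
APP_NO_OVERRIDE = "<web-app><display-name>shop</display-name></web-app>"

if __name__ == "__main__":
    print("global on, no override :", effective_listings(GLOBAL_ON, APP_NO_OVERRIDE))
    print("global on, override off:", effective_listings(GLOBAL_ON, APP_OVERRIDE_OFF))
    print("global off, no override:", effective_listings(GLOBAL_OFF, APP_NO_OVERRIDE))
```

Feed it the real files with `effective_listings(open("conf/web.xml").read(), open("WEB-INF/web.xml").read())` for every deployed application to find the ones that still serve listings after the global change.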

Disabling Directory Listing on Nginx Server

The directory listing feature on Nginx is controlled by the ngx_http_index_module. Directory listing is disabled by default in the Nginx configuration. However, it may have been enabled by a regression or a configuration change, in which case it must be disabled again.

The Nginx parameter, autoindex, is used together with the location segment to enable or disable the directory listing feature.

How Can We Disable It?

The default configuration file of an Nginx server is called nginx.conf and can be found in /usr/local/nginx/conf, /etc/nginx or /usr/local/etc/nginx. If the default value has been changed, you will see a setting similar to the following:

server {
        listen   80;
        server_name  domain.com www.domain.com;
        access_log  /var/...........................;
        root   /path/to/root;
        location / {
                index  index.php index.html index.htm;
        }
        location /somedir {
                autoindex on;
        }
}

In this section, the determining directive is autoindex on; as mentioned above. In the above example, directory listing is enabled only for the somedir directory. If no directory is specified (e.g. location / {autoindex on;}), the rule applies to all folders. To disable directory listing, switch the value of autoindex to off. Do not forget to run the command below for the change to take effect:

service nginx restart
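On a large nginx.conf with many server and location blocks, a plain text search for "autoindex" does not tell you which scope each occurrence applies to. The following block-aware scan is an added example, not code from the article or from the Nginx project; it records the chain of enclosing blocks for every autoindex directive so that an "on" at server or location level can be found and switched off. The configuration is a constructed sample based on the one above.

```python
"""List every nginx `autoindex` directive with the block scope it applies to.
Added example: a minimal brace/semicolon scanner, not a full nginx parser
(quoted strings containing braces are not handled)."""
import re
from typing import List, Tuple


def find_autoindex(conf: str) -> List[Tuple[str, str]]:
    """Return (scope, value) pairs, scope being the enclosing block headers
    joined with ' > ', e.g. 'http > server > location /somedir'."""
    text = re.sub(r"#[^\n]*", "", conf)   # drop comments
    stack: List[str] = []                  # headers of the open blocks
    buf, found = "", []
    for ch in text:
        if ch == "{":                      # block header complete
            stack.append(" ".join(buf.split()))
            buf = ""
        elif ch == "}":                    # block closed
            if stack:
                stack.pop()
            buf = ""
        elif ch == ";":                    # directive complete
            parts = buf.split()
            if parts and parts[0] == "autoindex":
                value = parts[1] if len(parts) > 1 else ""
                found.append((" > ".join(stack), value))
            buf = ""
        else:
            buf += ch
    return found


def listing_enabled_scopes(conf: str) -> List[str]:
    """Scopes where directory listing is switched on."""
    return [scope for scope, value in find_autoindex(conf) if value.lower() == "on"]


# Constructed sample, modelled on the configuration shown in the article.
SAMPLE_NGINX_CONF = """
http {
    server {
        listen 80;
        server_name domain.com www.domain.com;   # constructed sample
        access_log /var/log/nginx/access.log;
        root /path/to/root;
        location / {
            index index.php index.html index.htm;
        }
        location /somedir {
            autoindex on;
        }
        location /downloads {
            autoindex off;
        }
    }
}
"""

if __name__ == "__main__":
    for scope, value in find_autoindex(SAMPLE_NGINX_CONF):
        print(f"{scope}: autoindex {value}")
```

Remember that autoindex is inherited by nested locations, so an "on" reported at the server or http scope also enables listing in every location beneath it that does not set autoindex itself; after editing, run the scan again and then `service nginx restart` as described above.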

Disabling Directory Listing on LiteSpeed Server

As with the other web servers covered so far, on the LiteSpeed web server you can disable directory listing at both the web server and the website level. To disable directory listing at the server level, you can manually update the httpd_config.xml file. Alternatively, you can do it through the LiteSpeed server control panel.

httpd_config.xml file:

The configuration XML file of the LiteSpeed web server.

As you can see from the code example in the screenshot above, if you want to disable directory listing at the server level, add the following line to the httpd_config.xml file:

<autoIndex>0</autoIndex>

vhconf.xml:

If you want to enable or disable directory listing at the website level, open the vhconf.xml file of the relevant virtual host (/VIRTUAL_HOST_NAME/conf/vhconf.xml) and set autoIndex there in the same way.

Disabling Directory Listing on Lighttpd Server

Directory listing is disabled by default on a Lighttpd web server. However, it may have been enabled by a regression or a configuration change, in which case it can be disabled again in the dirlisting.conf file. The configuration file of mod_dirlisting is /etc/lighttpd/conf.d/dirlisting.conf.

The configuration file of the Lighttpd web server.


To disable directory listing on the server, you must replace the related line with the following:

dir-listing.activate = "disable"

If you want to enable directory listing for a particular directory, you must make the following changes in the configuration file specifically for that directory:

$HTTP["url"] =~ "^/download($|/)" {
    dir-listing.activate = "enable"
}

Disabling Directory Listing on IIS Server

Directory listing on the IIS web server is disabled by default. However, it may have been enabled by a regression or a configuration change, in which case it can be disabled again from the configuration interface of the IIS web server.

For IIS7 and Above

You can disable directory listing from the Directory Browsing settings in the IIS manager console.

You can disable Directory Listing on a Microsoft IIS web server from the Directory Browsing settings.

Alternatively, you can execute the following command on the command line:

appcmd set config /section:directoryBrowse /enabled:false

Disabling Directory Listing on Apache Web Server

To disable directory listing on an Apache web server you can either create a .htaccess file in the related application directory or edit the httpd.conf file directly. Add the following lines, or replace the existing Directory block with them:

<Directory /{YOUR DIRECTORY}>
Options FollowSymLinks
</Directory>

As you can see from the example code above, the Indexes and MultiViews keywords are removed from the Options directive for the directory; without Indexes, Apache will not generate a directory listing for it.


Netsparker