How to Disable Directory Listing on Your Web Server

Category: Web Security Readings - Last Updated: Fri, 02 Aug 2019 - by Netsparker Security Team

A misconfigured or default web server configuration can lead to a number of issues that help attackers craft an attack. One common web server issue is directory listing. Many administrators leave it enabled by mistake, creating an information disclosure issue (leakage of sensitive information) because everyone can see all the files and directories on the website.


This article explains what directory listing is and how to:

What is Directory Listing?

Directory listing is a feature that, when enabled, makes the web server list the contents of a directory when no index file (e.g. index.php or index.html) is present. Therefore, if a request is made to a directory on which directory listing is enabled and there is no index file such as index.php or index.asp, the web server responds with a listing of the directory's contents, even if those files belong to a web application. This is an information leakage issue: attackers can use the information to craft other attacks, including direct-impact vulnerabilities such as XSS.

When directory listing is enabled, the content of the directory can be seen via the browser.

As you can see from the picture above, the directory listing feature generates output similar to that of the 'dir' or 'ls' command on an operating system. Directory listing issues are the type of issue that an SSL certificate won't protect you from. The good news, however, is that these issues can be easily identified with an automated web vulnerability scanner.

What Information is Leaked & What are the Risks of Directory Listing?

Let's assume that a backup copy of the file config.php, in which the credentials for a database connection are kept, is in the secret folder, which has directory listing enabled.

If the attacker finds the secret folder by crawling or fuzzing and accesses it directly, e.g. http://www.example.com/secret/, he can see and download the backup file, which contains the database connection details. The attacker now has the connection details for the web application's database and can possibly damage the database or the web application using these credentials.

How to Disable Directory Listing?

As a security best practice, it is recommended to disable directory listing. You can disable directory listing by creating an empty index file (index.php, index.html or any other extension your web server is configured to parse) in the relevant directory. In many cases, though, this is not the best solution, because such files are typically forgotten, for example when migrating the web application from development to production, or when new directories are added.

Instead, implement a permanent and secure solution by disabling directory listing at the web server level, as explained in this article.

Disabling Directory Listing For Some Web Servers

Disabling Directory Listing on Tomcat Server

In Tomcat 5.0 directory listing is disabled by default. However, it may have been enabled because of a regression or configuration changes, in which case you can disable it again. Directory listing can be configured at two levels: the first affects all web projects on the server, and the second affects only a specified website.

Disabling Directory Listing in All Web Projects

To disable directory listing for the whole Tomcat web server, open the conf/web.xml file in the directory where Tomcat is installed. In our test on Windows 10, the default installation directory was “C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0”. The default servlet definition looks like this:

<servlet>
     <servlet-name>default</servlet-name>
     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
     <init-param>
          <param-name>debug</param-name>
          <param-value>0</param-value>
     </init-param>
     <init-param>
          <param-name>listings</param-name>
          <param-value>false</param-value>
     </init-param>
     <load-on-startup>1</load-on-startup>
</servlet>

Find the <init-param> whose <param-name> is listings. Its <param-value> is the determining factor in this section: if it is true and you want to disable directory listing, change it to false.

You can directly copy and modify the following code:

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

Disabling Directory Listing in a Web Project

In the first method, we configured a general setting that applies to all the web projects running on the server. In this method, we configure it so that it only affects the website we change. Open the web.xml file of the relevant web project and add the following code:

<servlet>
    <servlet-name>DefaultServletOverride</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>DefaultServletOverride</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

The above change overrides the default servlet. The website on which we made this change now runs independently of the setting configured in the first method.
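To verify the Tomcat change without starting the server, the following script (added here; it is not Tomcat's own tooling) parses a web.xml, finds the servlet mapped to the / pattern (the DefaultServlet or an override such as DefaultServletOverride) and reports whether its listings init-param is true; a missing param is treated as the DefaultServlet default of false. The embedded web.xml is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not a real deployment file). A Tomcat 9 web.xml
# carries a default namespace, which is why tags are matched by local name.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    # Strip the namespace so '{ns}servlet' compares equal to 'servlet'.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    # Text of the first direct child named `name`, or None if absent.
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def listings_enabled(web_xml):
    """True if the servlet serving '/' has listings=true (missing param = default, false)."""
    root = ET.fromstring(web_xml)
    # Work out which servlet handles '/': 'default' unless a mapping overrides it.
    default_name = "default"
    for mapping in root:
        if _local(mapping.tag) == "servlet-mapping" and _child_text(mapping, "url-pattern") == "/":
            default_name = _child_text(mapping, "servlet-name")
    for servlet in root:
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-name") != default_name:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "listings":
                return (_child_text(param, "param-value") or "").lower() == "true"
    return False

if __name__ == "__main__":
    print("directory listing enabled:", listings_enabled(SAMPLE_WEB_XML))
```

Run it against both conf/web.xml and each web project's WEB-INF/web.xml, since an application override decides for that application regardless of the global setting.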

Disabling Directory Listing on Nginx Server

The directory listing feature on Nginx is controlled by the ngx_http_index_module. Directory listing is disabled by default in the Nginx configuration. However, it may have been enabled because of a regression or configuration changes, in which case you can disable it as follows.

The Nginx directive autoindex is used inside a location block to enable or disable the directory listing feature.

How Can We Disable It?

The default configuration file of an Nginx server is called nginx.conf and can be found in /usr/local/nginx/conf, /etc/nginx or /usr/local/etc/nginx. If the default value has been changed, you will see a setting similar to the following:

server {
    listen       80;
    server_name  domain.com www.domain.com;
    access_log   /var/...........................;
    root         /path/to/root;
    location / {
        index  index.php index.html index.htm;
    }
    location /somedir {
        autoindex on;
    }
}

In this section, the decisive directive is autoindex on;, as mentioned above. In the above example, directory listing is enabled only for the somedir directory. If no directory is specified (e.g. location / { autoindex on; }), the rule applies to all folders. To disable directory listing, switch the value of autoindex to off. Do not forget to run the following command for the change to take effect:

service nginx restart

Disabling Directory Listing on LiteSpeed Server

Like all the other web servers covered so far, the LiteSpeed web server lets you disable directory listing at both the web server and the website level. To disable directory listing at the server level, you can manually edit the httpd_config.xml file, or use the LiteSpeed server control panel.

httpd_config.xml file:

The configuration XML file of the LiteSpeed web server.

As you can see from the code example in the screenshot above, to disable directory listing at the server level, add the following line to the httpd_config.xml file:

<autoIndex>0</autoIndex>

vhconf.xml:

To enable or disable directory listing at the website level, edit the /VIRTUAL_HOST_ADI/conf/vhconf.xml file of the relevant virtual host and make the relevant definitions there.

Disabling Directory Listing on Lighttpd Server

Directory listing is disabled by default on a Lighttpd web server. However, if it was enabled because of a regression or configuration changes, you can disable it again in the dirlisting.conf file. The configuration file of mod_dirlisting is /etc/lighttpd/conf.d/dirlisting.conf.

The configuration file of the Lighttpd web server.

To disable directory listing on the server, replace the related line with the following:

dir-listing.activate = "disable"

If you want to enable directory listing for one particular directory only, add the following to the configuration file, scoped to that directory:

$HTTP["url"] =~ "^/download($|/)" {
    dir-listing.activate = "enable"
}

Disabling Directory Listing on IIS Server

Directory listing on the IIS web server is disabled by default. However, if it was enabled because of a regression or configuration changes, you can disable it from the IIS configuration interface.

For IIS7 and Above

You can disable directory listing from the Directory Browsing settings in the IIS manager console.

You can disable Directory Listing on a Microsoft IIS web server from the Directory Browsing settings.

Alternatively, you can execute the following command on the command line:

appcmd set config /section:directoryBrowse /enabled:false

Disabling Directory Listing on Apache Web Server

To disable directory listing on an Apache web server, create a .htaccess file in the related application directory. Alternatively, add the following lines to the httpd.conf file, or replace the existing lines with them:

<Directory /{YOUR DIRECTORY}>
Options FollowSymLinks
</Directory>

As you can see from the example code above, removing the Indexes and MultiViews keywords from the Options directive for that directory disables the directory listing feature safely on an Apache web server.
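A check a practitioner would run after applying any of the changes above: the script below, an added example that is not part of the original article, classifies HTTP responses as directory listings using the page titles and markers that the stock listing pages of the servers covered here produce (assumed from their default templates), and runs over constructed sample bodies rather than captured traffic.

```python
import re

# Markers from the stock listing pages of the servers covered above.
# More specific patterns come first; Apache, Nginx, Lighttpd and LiteSpeed
# all title their listing "Index of /...", so they share one entry.
LISTING_MARKERS = [
    ("tomcat", re.compile(r"<title>\s*Directory Listing For /", re.I)),
    ("iis", re.compile(r"\[To Parent Directory\]", re.I)),
    ("apache/nginx/lighttpd/litespeed", re.compile(r"<title>\s*Index of /", re.I)),
]

def detect_listing(status, body):
    """Return the matched server family if the response is a directory listing,
    else None. Only 200 responses count: a 403 or 404 page that happens to
    mention 'Index of' is not a listing."""
    if status != 200:
        return None
    for family, pattern in LISTING_MARKERS:
        if pattern.search(body):
            return family
    return None

def audit(responses):
    """responses: iterable of (url, status, body). Returns the URLs that still
    expose a listing; an empty list means the configuration change held."""
    return [url for url, status, body in responses if detect_listing(status, body)]

# Constructed sample responses (not captured traffic) for a self-contained run.
SAMPLE_RESPONSES = [
    ("http://www.example.com/secret/", 200,
     "<html><head><title>Index of /secret/</title></head><body><h1>Index of /secret/</h1>"
     "<hr><pre><a href=\"../\">../</a>\n<a href=\"config.php.bak\">config.php.bak</a></pre></body></html>"),
    ("http://www.example.com/app/files/", 200,
     "<html><head><title>Directory Listing For /files/</title></head><body>...</body></html>"),
    ("http://www.example.com/uploads/", 200,
     "<html><head><title>www.example.com - /uploads/</title></head><body>"
     "<pre><a href=\"/\">[To Parent Directory]</a><br></pre></body></html>"),
    ("http://www.example.com/private/", 403,
     "<html><head><title>403 Forbidden</title></head><body>Index of /private/ is forbidden</body></html>"),
    ("http://www.example.com/", 200,
     "<html><head><title>Welcome</title></head><body>Home page</body></html>"),
]

if __name__ == "__main__":
    for url in audit(SAMPLE_RESPONSES):
        print("directory listing still exposed:", url)
```

To check your own servers, feed audit() tuples built from real responses (for example fetched with urllib.request) for each directory path that lacks an index file.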

Vulnerability Classification and Severity Table

Classification    ID / Severity
OWASP 2013        A5
CWE               548
CAPEC             127
WASC              16
OWASP-PC          C6
CVSS:3.0          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
