Directory indexing vulnerabilities occur when a web application server is configured to return a listing of files in a web accessible directory in response to an HTTP request for that directory. Directory indexing is typically enabled by default in most major web server software. An attacker can abuse directory indexing to download sensitive or otherwise valuable data from the server, bypassing application access controls. An attacker can also abuse directory indexing to gain insight into the structure of the web application, but this is usually less useful than being able to download the data that is stored by the web application.
All web applications are affected by directory indexing, however this vulnerability class affects web server software, not specific web applications.
Preventing directory indexing vulnerabilities is typically the responsibility of the users/administrators/customers rather than the developers.
The impact of directory indexing is that an attacker is able to download files that are stored in the exposed directories, bypassing access controls implemented by the application. The typical attack scenario is that the attacker will retrieve the listings of all the exposed directories, determine which files might be valuable and then download them. For example, if a site sells access to exclusive content, like music or movies, but the files are exposed by directory indexing, an attacker will be able to download those files without paying.
In some cases, the attacker might be able to download stored authentication credentials, for example, if a database backup file is exposed by directory indexing. Once an attacker downloads the authentication store of the application, they will mount a hash cracking attack if necessary, and then use the compromised credentials to gain additional access to the application. The attacker will typically attempt to gain administrative access to the application and then use this access to inject malicious code into the application code or data. If malicious code can be successfully injected, the attacker will be able to execute arbitrary code with the privileges of the web application.
To prevent directory indexing vulnerabilities, disable directory indexing on the server.
To verify that directory indexing vulnerabilities are prevented, verify that directory indexing is disabled on the servers.