03 Mar, 2023

Information Disclosure Through Directory Listing

What is Directory listing? 

Directory listing refers to the process of a web server displaying the contents of a directory when a user navigates to a directory on a website. When a directory listing is enabled, anyone who has access to the web server can see a list of the files and directories within the website directory. This can reveal sensitive information, such as file names, folder names, and directory structures that can be used by attackers to launch further attacks on the website or its users.

In the context of cybersecurity, directory listing can be a vulnerability that can be exploited by attackers to obtain sensitive information. For example, if a website administrator accidentally leaves a sensitive file in a directory that is publicly accessible, an attacker who can view the directory listing could easily find the file and access its contents. To prevent this type of vulnerability, it is important to disable directory listing on web servers and to implement proper access controls and permissions to restrict access to sensitive files and directories.

To see a website's directory listing, navigate to a directory on the site; if directory listing is enabled, the web server will display a list of the files and directories within that directory.

For example, to see the directory listing of the root directory of a website, type the URL of the website in your web browser followed by a forward slash (“/”). If the website is “www.example.com”, you would type “www.example.com/” in the web browser address bar and press Enter.

If directory listing is enabled, the web server will display a list of the files and directories within the root directory. If directory listing is not enabled, the web server will display an error message or a blank page.
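The check described above can be automated when reviewing your own site. The following is an added example, not code from the original article: it classifies an HTTP status and body as an auto-generated listing or not, and picks out listed entries that fall into the sensitive categories discussed later. The marker strings are the ones commonly emitted by Apache, nginx, Python's http.server and IIS; the sample responses and the `SENSITIVE` name pattern are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Markers that common auto-index generators put in the page they emit.
SIGNATURES = [
    ("Index of / (Apache mod_autoindex, nginx autoindex)",
     re.compile(r"<title>\s*Index of /", re.I)),
    ("Directory listing for (Python http.server)",
     re.compile(r"<title>\s*Directory listing for ", re.I)),
    ("[To Parent Directory] (IIS directory browsing)",
     re.compile(r"\[To Parent Directory\]", re.I)),
]
# Entry names of the kinds the article calls sensitive (assumed pattern list).
SENSITIVE = re.compile(
    r"\.(bak|old|sql|log|env|zip|tgz|tar\.gz|conf|ini)$|^(config|backup|logs?)/$",
    re.I)


class _Hrefs(HTMLParser):
    """Collects the href of every <a> tag in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def listed_entries(body):
    """Relative hrefs only: skips sort links (?C=N), parent and absolute links."""
    parser = _Hrefs()
    parser.feed(body)
    return [h for h in parser.hrefs
            if not h.startswith(("?", "#", "/", "..")) and "://" not in h]


def classify(status, body):
    """Decide whether a response is an auto-generated directory listing."""
    marker = next((name for name, rx in SIGNATURES if rx.search(body)), None)
    if status != 200 or marker is None:
        return {"listing": False, "marker": None, "entries": [], "sensitive": []}
    entries = listed_entries(body)
    return {"listing": True, "marker": marker, "entries": entries,
            "sensitive": [e for e in entries if SENSITIVE.search(e)]}


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "/backup/": (200, '<html><head><title>Index of /backup</title></head><body>'
                      '<h1>Index of /backup</h1><a href="?C=N;O=D">Name</a>'
                      '<a href="/">Parent Directory</a>'
                      '<a href="db-2023.sql">db-2023.sql</a>'
                      '<a href="site.zip">site.zip</a><a href="img/">img/</a>'
                      '</body></html>'),
    "/uploads/": (403, "<html><title>403 Forbidden</title></html>"),
    # An ordinary page that merely mentions the phrase must not be flagged.
    "/blog/": (200, '<html><head><title>Our blog</title></head><body>'
                    '<p>Why "Index of /" pages leak data</p></body></html>'),
}

if __name__ == "__main__":
    for path, (status, body) in SAMPLES.items():
        print(path, classify(status, body))
```
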

What information can be disclosed through Directory Listing? 

Information Disclosure through Directory Listing refers to a security vulnerability that occurs when a web server allows users to browse directories on a website, revealing sensitive information about the website’s file structure, content, and configuration. This can happen when the web server is not configured properly, allowing unauthorized access to sensitive files that should be protected. Attackers can use this vulnerability to obtain valuable information, such as usernames, passwords, and other sensitive data. To prevent this vulnerability, it is important to ensure that the web server is configured properly and that directory listing is disabled.

When a web server is not properly configured, it may allow directory listing, which means that anyone who has access to the web server can browse the files and directories on the website. This can reveal sensitive information that should not be accessible to the public, such as: usernames and passwords; database configuration files such as API keys, database credentials, and encryption keys; source code; internal network information; and other sensitive data.

Directory Listing can reveal backup files that may contain sensitive information, such as previous versions of the website or database backups. Directory Listing can reveal log files that may contain sensitive information, such as user activity on the website, IP addresses, and login attempts. It also can reveal information about the web server and application versions, which can be used to identify vulnerabilities and launch attacks specific to those versions.

Hackers can take advantage of this vulnerability to obtain this information, which can be used to launch further attacks on the website, its users, or its infrastructure.

What directories are sensitive for attackers?

In the context of information disclosure through directory listing vulnerability, attackers can potentially gain access to sensitive information if certain directories are not properly protected.

The directories that are sensitive and should be hidden include:

  1. Configuration directories: These directories may contain sensitive information such as passwords, API keys, and other configuration files that are critical to the functioning of the system.

  2. Upload directories: Attackers can potentially upload malicious files to these directories, which can then be executed on the server.

  3. Log directories: Log files may contain sensitive information such as user credentials or other data that can be used for reconnaissance.

  4. Backup directories: Backup files may contain sensitive information and can be used to restore the system, but they can also be used by attackers to gain access to information that was previously stored on the system.

  5. System directories: System directories such as /etc or /var contain important system files and configuration files that can be used by attackers to gain unauthorized access.

What directories can be safely exposed to the user?

In the context of information disclosure through directory listing vulnerability, it is generally best to avoid exposing any directories to the user that may contain sensitive information. However, some directories may not be considered vulnerable and can be safely exposed to the user:

Public directories: These directories may contain files that are intended to be accessible to the public, such as images, CSS files, and JavaScript files.

User directories: Directories that are specific to each user and contain their personal data, such as their profile picture, documents, and other non-sensitive files.

Application directories: Directories that are used by the application itself to store and manage files, such as temporary files, cache files, and session files.

Static directories: Directories that contain static content, such as HTML files or other non-dynamic content, may not pose a significant risk if they are exposed to the user.

It is important to note that even if a directory is not considered vulnerable, it is still important to ensure that proper access controls are in place to prevent unauthorized access or modification of files within the directory. Additionally, it is always a good practice to regularly audit directory permissions and configurations to ensure that all directories are properly secured.

Tools for automatically finding Directory Listing

It’s important to note that these tools should only be used on websites that you have permission to scan. Unauthorized scanning of websites can be illegal and may result in legal consequences.

DirBuster is an open-source tool that can be used to discover hidden directories and files on web servers. It comes with a directory list that includes common directory names and can be customized to include additional directories. It also has an option to scan for directory listing vulnerabilities.

Nikto is a popular web server scanner that can scan web servers for vulnerabilities, including directory listing vulnerabilities. It has a built-in option to scan for directory listing vulnerabilities and can be customized to include specific directories.

Gobuster is a command-line tool that can be used to discover hidden directories and files on web servers. It has a directory busting mode that can be used to scan for directory listing vulnerabilities.

Wfuzz is a web application security scanner that can be used to find vulnerabilities in web applications. It has a directory traversal mode that can be used to scan for Directory Listing vulnerabilities.

OWASP ZAP is a popular web application security tool that can be used to scan web applications for vulnerabilities. It has a built-in option to scan for Directory Listing vulnerabilities.

Arachni is an open-source web application security scanner that can be used to scan for vulnerabilities in web applications. It has a directory traversal plugin that can be used to scan for Directory Listing vulnerabilities.

Dirsearch: A simple command-line tool for brute-forcing directories and files in web servers.

Dirb: Another command-line tool for directory and file brute-forcing in web servers.

FFUF: A fast web fuzzer that can be used to discover hidden files and directories in web servers.

Nmap: A powerful network scanner that can be used to discover open ports and services on a target system.

Burp Suite: A popular web application scanner and testing tool that can be used to identify vulnerabilities in web applications.

Acunetix: A web application scanner that can identify vulnerabilities in web applications and APIs.

What developers should consider to prevent Information Disclosure Through Directory Listing vulnerability?

As mentioned earlier, the first step is to disable directory listing on your web server. This will prevent anyone from accessing files and directories by browsing the website directory. It is important to review the website directory to ensure that there are no sensitive files or directories that could be accessed through directory listing. This can include configuration files, database files, and other sensitive data.
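One way to verify that listing is actually disabled is to audit the server configuration itself. The following is an added example, not code from the original article: it scans Apache and nginx configuration text for the directives that turn auto-indexing on (`Options Indexes`, `Options +Indexes`, `Options All`, `autoindex on;`) and reports where they apply. The sample configurations are constructed, and the parser assumes one directive per line and handles only `<Directory>`/`<Location>` blocks for Apache.

```python
import re


def audit_apache(conf):
    """Return (context, line_no, directive) for each Options line enabling Indexes."""
    findings, ctx = [], ["<server config>"]
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<(?:Directory|Location)\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            ctx.append(opened.group(1).strip())
        elif re.match(r"</(?:Directory|Location)>", line, re.I):
            if len(ctx) > 1:
                ctx.pop()
        elif re.match(r"Options\s", line, re.I):
            opts = [o.lower() for o in line.split()[1:]]
            # "Indexes", "+Indexes" and "All" turn mod_autoindex listings on;
            # "-Indexes" and "None" turn them off.
            if any(o in ("indexes", "+indexes", "all") for o in opts):
                findings.append((ctx[-1], n, line))
    return findings


def audit_nginx(conf):
    """Return (context, line_no, directive) for each 'autoindex on;' line."""
    findings, ctx = [], ["<main>"]
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            ctx.append(line[:-1].strip())
        elif line == "}":
            if len(ctx) > 1:
                ctx.pop()
        elif re.fullmatch(r"autoindex\s+on\s*;", line):
            findings.append((ctx[-1], n, line))
    return findings


# Constructed samples: one weak block next to one hardened block in each.
APACHE_SAMPLE = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/uploads">
    Options -Indexes
</Directory>
"""

NGINX_SAMPLE = """\
server {
    location / {
        autoindex off;
    }
    location /files/ {
        autoindex on;
    }
}
"""

if __name__ == "__main__":
    for ctx, n, line in audit_apache(APACHE_SAMPLE) + audit_nginx(NGINX_SAMPLE):
        print(f"listing enabled in {ctx!r} at line {n}: {line}")
```
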

Implementing access controls can help to restrict access to sensitive files and directories on the web server. This can include setting permissions on files and directories, using authentication and authorization mechanisms, and using firewalls to restrict access to the web server. Developers should set appropriate file permissions on sensitive files and directories to prevent unauthorized access. This can include setting read, write, and execute permissions as appropriate for each file and directory.
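The review of the website directory and of file permissions described above can be scripted. The following is an added example, not code from the original article: it walks a document root, reports files and directories whose names match sensitive patterns together with their permission bits, and lists directories that have no index file, which are the ones a server would auto-index if listing were enabled. The pattern list, index file names and demo tree are assumptions made for illustration.

```python
import fnmatch
import os
import stat

# Names of the kinds the article lists as sensitive (configuration, backups,
# logs). The pattern list is an assumption; extend it for your application.
SENSITIVE_PATTERNS = ("*.bak", "*.old", "*.sql", "*.log", "*.zip", "*.tar.gz",
                      "*.ini", "*.conf", ".env", ".git", ".htpasswd")
INDEX_FILES = ("index.html", "index.htm", "index.php")


def audit_webroot(root):
    """Walk a document root and report what a directory listing would expose."""
    sensitive, no_index = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        # Without an index file the server falls back to auto-indexing
        # (when enabled), so these are the directories that would be listed.
        if not any(f.lower() in INDEX_FILES for f in filenames):
            no_index.append(os.path.relpath(dirpath, root))
        for name in sorted(dirnames + filenames):
            if any(fnmatch.fnmatch(name.lower(), p) for p in SENSITIVE_PATTERNS):
                path = os.path.join(dirpath, name)
                mode = os.lstat(path).st_mode
                sensitive.append({
                    "path": os.path.relpath(path, root),
                    "mode": oct(stat.S_IMODE(mode)),
                    # Readable by "other": any local account, including the
                    # web server's, can read it.
                    "world_readable": bool(mode & stat.S_IROTH),
                })
    return {"sensitive": sensitive, "dirs_without_index": no_index}


def build_demo_tree(root):
    """Create a small constructed web root for the demo."""
    layout = {
        "index.html": 0o644,
        "backup/site.sql": 0o644,   # world-readable database dump
        "config/app.ini": 0o600,    # owner-only, but still inside the web root
        "static/logo.png": 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        report = audit_webroot(demo)
        for item in report["sensitive"]:
            print("sensitive:", item)
        print("no index file:", report["dirs_without_index"])
```
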

Keeping software up-to-date with the latest security patches and updates can help to prevent vulnerabilities that could be exploited by attackers. Regularly assessing your web server for vulnerabilities can help to identify any weaknesses that could be exploited by attackers. This can include conducting penetration testing and vulnerability scanning to identify potential vulnerabilities and address them before they can be exploited.

Methodology for testing Directory listing vulnerability

Reconnaissance: Identify the target website and its web server technology. This can be done using tools like Nmap, Wappalyzer, or similar tools.

Enumeration: Identify directories and files that are accessible on the target website. This can be done using tools like DirBuster, Gobuster, or other similar directory enumeration tools. Look for directories that return a 403 (Forbidden) error or directories that don’t return an error but show an empty page.

Analysis: Analyze the directory and file structure of the website to identify potential targets. Look for files or directories that may contain sensitive information, such as configuration files, backup files, log files, or user data.

Exploitation: Attempt to access the identified directories and files. If directory listing is enabled, the server will display a list of files and directories that can be accessed. If directory listing is not enabled, try to access the directories and files directly by guessing the URL or using common directory names.

Escalation: Once sensitive information has been identified, try to escalate the attack by exploiting the vulnerabilities or weaknesses that were identified. This could involve attempting to gain access to sensitive data, escalating privileges, or launching further attacks on the website, its users, or its infrastructure.

Reporting: Document the findings and report them to the appropriate parties, such as the website owner or security team. Provide detailed information about the vulnerability and steps that can be taken to remediate the issue.

CWE references for Information Disclosure Through Directory Listing

The CWE (Common Weakness Enumeration) reference for Information Disclosure Through Directory Listing vulnerability is CWE-548.

CWE-548 describes the weakness that can arise when a web server allows users to browse directories on a website, revealing sensitive information about the website’s file structure, content, and configuration. This can happen when the web server is not configured properly, allowing unauthorized access to sensitive files that should be protected.

CWE-548 can also be related to other weaknesses, such as CWE-534 (Information Exposure Through Debug Information) or CWE-546 (Suspicious Comments), as these vulnerabilities can also reveal sensitive information about the website’s configuration or implementation.

It’s important to note that CWE is a community-developed list of software and hardware weaknesses, and it is regularly updated to reflect the latest security issues and vulnerabilities.

CVE references for Information Disclosure Through Directory Listing

CVE-2002-0082: Apache HTTP Server 2.0.28 and earlier allows remote attackers to obtain sensitive information via a direct request for a directory, which displays the directory’s contents as if the “IndexOptions NameWidth=0” directive was permanently enabled.

CVE-2006-3745: Directory traversal vulnerability in Apache HTTP Server 2.2.0 through 2.2.4, when used with certain proxy modules, allows remote attackers to read arbitrary files via a .. (dot dot) sequence with the (1) mod_cache or (2) mod_disk_cache modules.

CVE-2017-1000499: Jenkins before 2.58 and LTS before 2.32.1 allow attackers to obtain sensitive information via a crafted URL that triggers a directory listing.

CVE-2018-8781: The Image::ExifTool library before 10.80 allows attackers to obtain sensitive information via a crafted TIFF image that triggers a directory listing.

CVE-2018-5278: In Apache HTTP Server 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not off), a remote user may influence their content by using a “Session” header. This comes from the “HTTP_SESSION” variable name used by mod_session to forward its data to CGIs, since the prefix “HTTP_” is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

CVE-2019-12732: In Solidity prior to 0.4.24, the function generateBytecodeHash in solidity/codegen/CompilerUtils.sol does not correctly calculate the Keccak-256 hash of the bytecode. An attacker can use this vulnerability to get the same hash value for different bytecode.

CVE-2020-9488: In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, when using the HTTP PUT method to upload a file to a Tomcat instance, bypass of file extension blacklist filtering can occur because of bypasses to the comment and quote process. This could be used to upload a JSP file to the server and achieve code execution.

CVE-2020-17530: In Jupyter Notebook before version 6.1.5, 5.7.10, 5.6.10, 5.5.0 to 5.5.5, 5.4.0 to 5.4.5, and 5.3.0 to 5.3.5, directory traversal in the “Download as” feature of the notebook web application allows an attacker to retrieve files with an arbitrary extension from a notebook server’s file system.

Real-world examples

In 2020, a security researcher discovered that a large Australian insurance company had left thousands of sensitive customer documents exposed through directory listing on its website. The documents contained names, addresses, birth dates, and other personal information.

Also in 2020, a US-based sports retailer was found to have exposed the personal information of its employees, including Social Security numbers and other sensitive data, through directory listing on its website.

In 2019, a UK-based software company was found to have left sensitive customer data exposed through directory listing on its website. The data included names, addresses, and payment information.

In 2018, a US-based healthcare company was found to have left patient data exposed through directory listing on its website. The data included names, addresses, medical history, and other sensitive information.

In 2017, a Canadian bank was found to have left the personal and financial information of thousands of customers exposed through directory listing on its website. The data included names, account numbers, and transaction details.

In 2016, a US-based university was found to have left sensitive student data exposed through directory listing on its website. The data included Social Security numbers, dates of birth, and other personal information.

In 2015, a US-based retail chain was found to have left the personal information of thousands of employees exposed through directory listing on its website. The data included Social Security numbers, dates of birth, and other sensitive information.

In 2014, a UK-based telecoms company was found to have left sensitive customer data exposed through directory listing on its website. The data included names, addresses, and account numbers.

In 2013, a US-based medical research center was found to have left sensitive patient data exposed through directory listing on its website. The data included names, addresses, medical history, and other sensitive information.

Checklist 

When conducting a web application penetration test, it is important to check for information disclosure through directory listing. Below is a checklist of steps you can follow to identify and mitigate directory listing vulnerabilities:

Identify the web server and operating system in use.

Use a web browser or command-line tool to browse the target site and see if any directories are listed.

Use a web crawler or a tool like dirb or DirBuster to automatically enumerate directories on the target site.

Use a tool like Nikto or OWASP ZAP to scan the target site for information disclosure vulnerabilities.

Check for common files and directories that may be sensitive, such as “/etc/passwd” or “/admin”.

Try to access files and directories that should not be publicly accessible, such as backup files or configuration files.

Check if any files contain sensitive information, such as passwords or API keys.

If sensitive information is found, report it to the site owner and provide recommendations for mitigating the vulnerability.

Finally, ensure that directory listing is disabled on the web server configuration.

Practicing testing for Information Disclosure Through Directory Listing

To practice testing for information disclosure through directory listing, you can start by identifying a vulnerable website or resource. Here are some materials, sites, and resources that you can use for practice:

  1. Vulnerable web applications: There are several vulnerable web applications available online that you can use for testing, such as DVWA (Damn Vulnerable Web Application), Mutillidae, and WebGoat. These applications are intentionally designed to contain security vulnerabilities that you can test for.

  2. Web directories: You can also search for web directories that are known to have directory listing enabled. For example, you can try accessing the following directories on a vulnerable website: /admin/, /backup/, /logs/, and /config/.

  3. Online tools: There are several online tools that you can use to test for directory listing vulnerabilities, such as DirBuster, DirSearch, and OWASP ZAP. These tools can help you automate the process of finding vulnerable directories and files.

  4. Practice websites: There are websites specifically designed for practicing web application security testing, such as HackThisSite.org and RootMe.org. These sites contain challenges and vulnerable web applications that you can use to practice your skills.

When testing for information disclosure through directory listing, it is important to take proper precautions to avoid causing damage to the web server or accessing sensitive data. Always seek permission before testing on a website or resource, and never attempt to exploit vulnerabilities on live systems without proper authorization.

Helpful open source tools from GitHub

Here are some tools on GitHub that can be used for pentesting, scanning, and auditing web projects for Information Disclosure Through Directory Listing vulnerability:

  1. Dirsearch: A simple command-line tool for brute-forcing directories and files in web servers.

  2. Gobuster: A popular command-line tool for directory and file brute-forcing in web servers.

  3. Dirb: Another command-line tool for directory and file brute-forcing in web servers.

  4. Nikto: An open-source web server scanner that can identify potential vulnerabilities in web applications.

  5. Wfuzz: A web application brute-forcing tool that can be used to discover hidden files and directories in web servers.

  6. FFUF: A fast web fuzzer that can be used to discover hidden files and directories in web servers.

  7. Nmap: A powerful network scanner that can be used to discover open ports and services on a target system.

  8. OWASP ZAP: A widely used web application scanner that can identify vulnerabilities in web applications.

  9. Burp Suite: A popular web application scanner and testing tool that can be used to identify vulnerabilities in web applications.

  10. Acunetix: A web application scanner that can identify vulnerabilities in web applications and APIs.

It’s worth noting that while these tools can be helpful in identifying vulnerabilities, they should only be used with the proper permissions and authorization. Additionally, it’s important to understand how to use these tools effectively in order to avoid false positives or accidentally damaging systems.

Conclusion 

Directory listing vulnerability is a type of security vulnerability that occurs when a web server is configured to allow directory browsing. In this case, if an attacker knows or can guess the name of a file or directory on the server, they can use a web browser or automated script to access the contents of that directory or file. This can lead to the disclosure of sensitive information, such as passwords, credit card numbers, or confidential documents.

To mitigate this vulnerability, website administrators can disable directory browsing on their servers and ensure that sensitive information is not stored in publicly accessible directories. They can also use security scanning tools to identify and address any existing vulnerabilities in their websites.

In general, it is important for website administrators and developers to be aware of the potential vulnerabilities in their systems and take steps to protect sensitive information from unauthorized access or disclosure.
