
Directory Listing: A Small Setting with Big Consequences

When we talk about web security, most people think about SQL Injection, XSS, or authentication bypass. But sometimes, the real danger is something very simple — Directory Listing.

It doesn’t need complex payloads.
It doesn’t need advanced tools.
Sometimes, you just type a URL… and the server shows you everything.

What is Directory Listing?

Directory Listing (also called Directory Browsing) happens when a web server allows users to view the contents of a folder on the server.

Instead of showing a normal webpage, the server displays a list of files and folders inside that directory.

For example:

https://example.com/uploads

Instead of showing an error or redirecting, the page displays:

  • backup.zip
  • database.sql
  • config.php
  • images/
  • test.html

Now imagine what an attacker sees.

That’s free information.

Why Does This Happen?

Directory listing is usually enabled by mistake.

Web servers like:

  • Apache HTTP Server
  • Nginx
  • Microsoft IIS

have configuration settings that control whether folder contents can be displayed.

If:

  • There is no index.html or index.php file
  • And directory browsing is enabled

The server automatically shows the file list.

Simple misconfiguration. Big impact.

Why is Directory Listing Dangerous?

While it may seem harmless at first, directory listing can lead to serious security risks:

  • Sensitive File Exposure: Backup files (backup.zip), configuration files (config.php, .env), or log files may be accessible.
  • Information Disclosure: Exposed internal structure of your application, revealing naming conventions and paths.
  • Reconnaissance Support: Attackers can find potential entry points or files that can be further exploited.
  • Direct Download of Confidential Data: If a developer accidentally stores credentials or source code in a public folder, it could be freely downloaded.

Example of a directory listing attack

A user makes a website request to www.vulnweb.com/admin/. The response from the server includes the directory content of the directory admin, as seen in the screenshot below.

Fig 1. From the above directory listing, you can see that in the admin directory, there is a sub-directory called backup, which might include enough information for an attacker to craft an attack.

Fig 2. The attacker can display the whole list of files in the backup directory. This directory includes sensitive files such as password files, database files, FTP logs, and PHP scripts. It is obvious that this information was not intended for public viewing.

A web server misconfiguration has caused a file list disclosure, and the data is publicly available. Worse still, files like these, such as FTP logs, might contain other sensitive information, potentially including usernames, IP addresses, or the complete directory structure of the web hosting operating system.

How Attackers Find Directory Listing

It’s easier than you think.

Manual Method

Security testers simply try common paths:

  • /uploads/
  • /backup/
  • /admin/
  • /images/
  • /logs/

If it opens and shows files → Vulnerable.

Automated Tools

Tools like:

  • Burp Suite
  • OWASP ZAP
  • Dirb

can quickly detect exposed directories during VAPT (vulnerability assessment and penetration testing).

How to mitigate directory listing vulnerabilities?

To disable directory listing and mitigate any vulnerabilities on a specific web server, you need to change the web server configuration. This means you need to have administrator access to that web server.

In the following blog post, you can find practical tutorials on how to disable directory listing for all popular web servers, including Nginx, Apache HTTPD, Tomcat, Microsoft IIS, and more: How you can disable directory listing on your web server — and why you should.
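As an added example (not part of the original post or the linked tutorial), here is what that configuration change looks like on Apache HTTP Server: the weak setting that produces the "Index of /uploads" page beside the hardened one. It assumes a document root of /var/www/html with an /uploads folder that has no index file.

```apacheconf
# Added example, not from the original post. Assumes a document root of
# /var/www/html containing an /uploads folder with no index file.

# WEAK (shown commented out): "Indexes" tells Apache to auto-generate a
# file list for any directory that has no DirectoryIndex file, so a
# request to /uploads/ returns "Index of /uploads" with every file name.
#
# <Directory "/var/www/html">
#     Options Indexes FollowSymLinks
#     AllowOverride None
#     Require all granted
# </Directory>

# HARDENED: "-Indexes" removes the auto-index behaviour. A request for a
# directory that has no index file now gets 403 Forbidden instead of a
# listing; files that are linked directly are still served as before.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    # Keep this at None so a stray .htaccess cannot re-enable Indexes.
    # (A per-folder ".htaccess" with "Options -Indexes" only takes effect
    # where AllowOverride includes Options or All.)
    AllowOverride None
    Require all granted
</Directory>

# Name the files Apache should serve as a directory's index, so normal
# pages keep working and only folders without one are refused.
DirectoryIndex index.html index.php
```

After reloading Apache, `curl -I https://example.com/uploads/` should answer with `403 Forbidden` rather than `200 OK`; a 200 with an "Index of" title means the change has not taken effect (for example, a merged vhost or .htaccess still sets Indexes).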
