What is a Directory Indexing vulnerability?


Example of an Apache index page illustrating the Directory Indexing vulnerability

Directory Indexing (also called Directory Browsing or Listing) means that the web server lets visitors access directory indexes. A visitor can then view and download the contents of a directory located on the server.

The danger comes from the total access an attacker may gain to all the files present in the directory structure of the web application. Users may reach information they normally cannot get, such as configuration files. These files contain information about the database or other third-party services used by the application, so they should not be exposed on the internet.


How to protect yourself against Directory Indexing vulnerabilities?


The solution to this problem lies in the server: tell the web server not to list directories. On Apache, edit the configuration file and add the "Options -Indexes" option. You can also add this option in a ".htaccess" file, but changing the configuration file directly is preferable.

If you use an Nginx server, add the following lines to the configuration file:

location /{YOUR DIRECTORY} {
    autoindex off;
}