Directory listing is a web server function that displays the directory contents when there is no index file in a specific website directory. It is dangerous to leave this function turned on for the web server because it leads to information disclosure.

For example, when a user requests a website without specifying a file (such as index.html, index.php, or default.asp), the web server processes this request, returns the index file for that directory, and the browser displays the website. However, if the index file did not exist and if directory listing was turned on, the web server would return the contents of the directory instead.

Many webmasters follow security through obscurity. They assume that if there are no links to files in a directory, nobody can access them. Many web vulnerability scanners such as Acunetix easily discover such directories and all files if directory listing is turned on. This means that black hat hackers can also find such files easily. This is why directory listing should never be turned on, especially in the case of dynamic websites and web applications, including WordPress sites.

Directory Listing Example

A user makes a website request to the admin directory of a site. The response from the server includes the directory content of the directory admin, as seen in the below screenshot.

From the above directory listing, you can see that in the admin directory there is a sub-directory called backup, which might include enough information for an attacker to craft an attack. The attacker can display the whole list of files in the backup directory. This directory includes sensitive files such as password files, database files, FTP logs, and PHP scripts. It is obvious that this information was not intended for public view.

Directory Browsing Without Directory Listing

Even if directory listing is disabled on a web server, attackers might discover and exploit web server vulnerabilities that let them perform directory browsing. For example, there was an old Apache Tomcat vulnerability, where improper handling of null bytes (`%00`) and backslash (`\`) made it prone to directory listing attacks.

Attackers might also discover directory indexes using cached or historical data contained in online databases. For example, Google's cache database might contain historical data for a target, which previously had directory listing enabled. Such data allows the attacker to gain the information needed without having to exploit vulnerabilities.
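When auditing your own server, you can test saved response bodies for the auto-generated index pages described above and flag entries like the backup directory in the example. This is an added example, not code from the original article; the signature strings, file-name patterns and sample HTML bodies are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Markers that common servers emit on auto-generated index pages.
LISTING_SIGNATURES = [
    re.compile(r"<title>\s*Index of /", re.I),     # Apache mod_autoindex, nginx autoindex
    re.compile(r"\[To Parent Directory\]", re.I),  # IIS directory browsing
    re.compile(r"Directory Listing For", re.I),    # Apache Tomcat default servlet
]
# Assumed name patterns for the file types the article lists (backups, passwords, DBs, logs, PHP).
SENSITIVE = re.compile(r"(backup|passw|\.sql$|\.bak$|\.log$|\.php$)", re.I)


class _Links(HTMLParser):
    """Collect relative hrefs, which is how Apache/nginx listings name their entries."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            # Skip column-sort links (?C=N;O=D) and absolute/parent navigation links.
            if href and not href.startswith(("?", "/", "..")):
                self.hrefs.append(href)


def analyze_listing(body):
    """Return (is_listing, entries, sensitive_entries) for one HTTP response body."""
    if not any(sig.search(body) for sig in LISTING_SIGNATURES):
        return False, [], []
    parser = _Links()
    parser.feed(body)
    entries = parser.hrefs
    return True, entries, [e for e in entries if SENSITIVE.search(e.rstrip("/"))]


# Constructed sample bodies: an Apache-style listing and an ordinary index page.
LISTING_BODY = """<html><head><title>Index of /admin</title></head><body>
<h1>Index of /admin</h1><pre><a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="backup/">backup/</a>
<a href="login.php">login.php</a>
<a href="style.css">style.css</a></pre></body></html>"""
INDEX_BODY = "<html><head><title>Welcome</title></head><body><a href='about.html'>About</a></body></html>"

if __name__ == "__main__":
    for name, body in (("listing", LISTING_BODY), ("index page", INDEX_BODY)):
        print(name, analyze_listing(body))
```

A listing that uses absolute hrefs for its entries is still detected by its signature, but its entries are not extracted by this link filter.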