URL such as http://www.example, using the domain name and
excluding a specific file.  The web server processes this request and
searches the document root directory for the default file name and
sends this page to the client.  If this page is not present, the web
server will issue a directory listing and send the output to the client.
Essentially, this is equivalent to issuing an "ls" (Unix) or "dir"
(Windows) command within this directory and showing the results in
HTML form.  From an attack and countermeasure perspective, it is
important to realize that unintended directory listings may be possible
due to software vulnerabilities (discussed in the example section
below) combined with a specific web request.
When a web server reveals a directory's contents, the listing could
contain information not intended for public viewing.  Often web
administrators rely on "Security Through Obscurity" assuming that if
there are no hyperlinks to these documents, they will not be found, or
no one will look for them. The assumption is incorrect. Today's
vulnerability scanners, such as Nikto, can dynamically add additional
directories/files to include in their scan based upon data obtained in
initial probes.  By reviewing the /robots.txt file and/or viewing
directory indexing contents, the vulnerability scanner can now
interrogate the web server further with these new data.  Although
potentially harmless, Directory Indexing could allow an information
leak that supplies an attacker with the information necessary to
launch further attacks against the system.
Example
The following information could be obtained based on directory
indexing data:
- Backup files: files with extensions such as .bak, .old or .orig
- Temporary files: files that are normally purged from the server but
  for some reason are still available
- Hidden files: files whose names start with a "." (period)
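As an added illustration (not part of the WASC document), the following Python script shows how a site owner can audit a response for an auto-generated listing and flag the three classes of exposed file named above. It assumes Apache mod_autoindex-style markup (a page titled "Index of /..."); the sample response is constructed here, not captured from a real server.

```python
import re

# Constructed sample (not captured from a real server) of what a web server
# returns when a directory has no default file and indexing is enabled.
SAMPLE_LISTING = """<html><head><title>Index of /backup</title></head><body>
<h1>Index of /backup</h1><ul>
<li><a href="/">Parent Directory</a></li>
<li><a href="config.php.bak">config.php.bak</a></li>
<li><a href="db.sql.old">db.sql.old</a></li>
<li><a href="notes.txt">notes.txt</a></li>
<li><a href=".htpasswd">.htpasswd</a></li>
<li><a href="upload.tmp">upload.tmp</a></li>
<li><a href="images/">images/</a></li>
</ul></body></html>"""

BACKUP_EXT = (".bak", ".old", ".orig")
TEMP_EXT = (".tmp", ".temp", ".swp")
# Assumption: Apache mod_autoindex-style markup, whose <title> is "Index of /<path>".
_TITLE = re.compile(r"<title>\s*Index of\s+\S+\s*</title>", re.I)
_HREF = re.compile(r'<a\s+href="([^"]+)"', re.I)

def is_directory_listing(html):
    """Heuristic check that a response body is an auto-generated listing."""
    return _TITLE.search(html) is not None

def classify_entries(html):
    """Map each exposed file name to 'backup', 'temporary' or 'hidden'."""
    findings = {}
    for href in _HREF.findall(html):
        if href.endswith("/"):          # parent link or sub-directory, not a file
            continue
        name = href.rsplit("/", 1)[-1]
        if name.lower().endswith(BACKUP_EXT):
            findings[name] = "backup"
        elif name.lower().endswith(TEMP_EXT):
            findings[name] = "temporary"
        elif name.startswith("."):
            findings[name] = "hidden"
    return findings

def report(html):
    """One-line summary for a self-audit of a directory on your own server.
    Remediation is to disable indexing (Apache: Options -Indexes) or to place
    a default index file in the directory."""
    if not is_directory_listing(html):
        return "no directory listing detected"
    found = classify_entries(html)
    return f"directory listing exposed; {len(found)} sensitive entries: " + ", ".join(sorted(found))

if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

Entries such as notes.txt are not flagged, but a listing itself is already an information leak; the classification only highlights the files the text singles out.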
Copyright 2004, Web Application Security Consortium. All rights reserved.