HTTP Directory Listing Enabled
Description
This detector identifies web servers that have directory listing enabled, which exposes the contents of directories when no index file is present. This configuration allows attackers to browse server directories and potentially access sensitive files, source code, configuration files, or other resources that should not be publicly accessible.
Detection Strategy
• Makes HTTP requests to target URLs and analyzes the HTML response content
• Parses the response to detect directory listing pages from Apache, Nginx, or IIS web servers
• Reports a vulnerability when the response contains characteristic HTML patterns that indicate an active directory listing page
• Triggers on any URL that returns a directory listing interface, regardless of the specific directory path
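The pattern check described above can be sketched as follows. This is an added example, not the detector's own code; the signature patterns, the `classify_listing` helper, and the sample pages are assumptions constructed for illustration.

```python
import re

TITLE_INDEX = r"<title>Index of /[^<]*</title>"
# Assumed markers of default auto-index pages (not the detector's own rules).
SIGNATURES = {
    "apache": [TITLE_INDEX, r'Parent Directory</a>|href="\?C=[NMSD];O=[AD]"'],
    "nginx": [TITLE_INDEX, r'<a href="\.\./">\.\./</a>'],
    "iis": [r"<title>[^<]* - /[^<]*</title>", r"\[To Parent Directory\]"],
}

def classify_listing(status, body):
    """Return 'apache', 'nginx' or 'iis' if the response is a listing, else None."""
    if status != 200:  # error pages and redirects are never listings
        return None
    for server, patterns in SIGNATURES.items():
        # Require every marker so a page that merely mentions "Index of" is ignored.
        if all(re.search(p, body, re.I) for p in patterns):
            return server
    return None

# Constructed sample responses (not captured from real servers).
APACHE_SAMPLE = (
    "<html><head><title>Index of /backup</title></head><body>"
    '<h1>Index of /backup</h1><table><tr><th><a href="?C=N;O=D">Name</a></th></tr>'
    '<tr><td><a href="/">Parent Directory</a></td></tr>'
    '<tr><td><a href="db.sql">db.sql</a></td></tr></table></body></html>'
)
NGINX_SAMPLE = (
    "<html>\r\n<head><title>Index of /static/</title></head>\r\n<body>\r\n"
    '<h1>Index of /static/</h1><hr><pre><a href="../">../</a>\r\n'
    '<a href="app.js">app.js</a>   01-Jan-2024 00:00   1024\r\n'
    "</pre><hr></body>\r\n</html>"
)
IIS_SAMPLE = (
    "<html><head><title>example.test - /uploads/</title></head><body>"
    '<H1>example.test - /uploads/</H1><hr><pre><A HREF="/">[To Parent Directory]</A>'
    '<br><br> 1/1/2024 12:00 AM 1024 <A HREF="/uploads/a.txt">a.txt</A><br>'
    "</pre><hr></body></html>"
)
# An ordinary page that only talks about listings; it must not be reported.
ARTICLE_SAMPLE = (
    "<html><head><title>Hardening notes</title></head><body>"
    '<p>Listings usually start with "Index of /" and a Parent Directory link.</p>'
    "</body></html>"
)

if __name__ == "__main__":
    for name in ("APACHE_SAMPLE", "NGINX_SAMPLE", "IIS_SAMPLE", "ARTICLE_SAMPLE"):
        print(name, "->", classify_listing(200, globals()[name]))
```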