C Sharp Directory Browsing Enabled
Description
Detects when directory browsing/listing is explicitly enabled in ASP.NET Core applications via UseDirectoryBrowser(). This configuration allows users to view directory contents through the web browser, potentially exposing sensitive files and information to unauthorized users.
Detection Strategy
• Identifies calls to UseDirectoryBrowser() method in application code
• Verifies the call occurs within a Configure() method, which handles application startup configuration
• Reports a vulnerability when directory browsing is explicitly enabled through this configuration
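The detection strategy above, sketched as an added Python example (not Fluid Attacks' scanner and not code from the original page). It approximates the check with regular expressions and brace matching rather than a real C# parser; the function names and the sample C# sources are constructed for illustration.

```python
import re
# Constructed C# inputs for this example (not from the original page).
IN_CONFIGURE = """public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        if (app != null) { app.UseStaticFiles(); }
        app.UseDirectoryBrowser();
    }
}"""
COMMENTED_OR_ELSEWHERE = """public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        // app.UseDirectoryBrowser();
        app.UseStaticFiles();
    }
    void Other(IApplicationBuilder app) { app.UseDirectoryBrowser(); }
}"""

CONFIGURE = re.compile(r"\bvoid\s+Configure\s*\([^)]*\)\s*\{")
CALL = re.compile(r"\.\s*UseDirectoryBrowser\s*\(")

def strip_comments(src):
    # Blank // and /* */ comments, keeping newlines so line numbers hold.
    # Approximation: "//" inside a string literal is blanked as well.
    blank = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    return re.sub(r"//[^\n]*|/\*.*?\*/", blank, src, flags=re.S)

def body_end(src, open_idx):
    # Index just past the brace closing the block that opens at open_idx.
    depth = 0
    for i in range(open_idx, len(src)):
        depth += (src[i] == "{") - (src[i] == "}")
        if depth == 0:
            return i + 1
    return len(src)  # unbalanced braces: scan to end of file

def find_directory_browsing(src):
    # 1-based line numbers of UseDirectoryBrowser() calls inside Configure().
    clean = strip_comments(src)
    hits = []
    for m in CONFIGURE.finditer(clean):
        end = body_end(clean, m.end() - 1)  # m.end() - 1 is the opening brace
        for c in CALL.finditer(clean, m.end(), end):
            hits.append(clean.count("\n", 0, c.start()) + 1)
    return hits
```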
Vulnerable code example
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.FileProviders;
using System.IO;
public class DirectoryConfig
{
    public void Configure(IApplicationBuilder app)
    {...
✅ Secure code example
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.FileProviders;
using Microsoft.AspNetCore.Authorization;
using System.IO;
public class DirectoryConfig
{
    public void Configure(IApplicationBuilder app)...