Javascript Express Directory Listing
Description
This vulnerability detector identifies Express.js applications that enable directory listing functionality, which can expose the internal structure and sensitive files of the web server. When directory listing is enabled, attackers can browse directories and potentially access configuration files, source code, or other sensitive data that should not be publicly accessible.
Detection Strategy
• The detector scans JavaScript source code for Express.js applications
• It identifies when Express.js is configured to serve static files with directory listing enabled
• Specifically looks for calls to serve-index
• Triggers a vulnerability report when directory browsing capabilities are explicitly enabled in the Express configuration
Vulnerable code example
import express from "express";
import serveIndex from "serve-index";
const app = express();
// Directory listing enabled - exposes file structure
app.use("/uploads", serveIndex("uploads", { icons: true }));
...✅ Secure code example
import express from "express";
import serveIndex from "serve-index";
const app = express();
// Access control middleware
function requireAuth(req, res, next) {
if (req.headers.authorization === "admin") return next();...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.