Directory Listing Vulnerability
Updated June 17, 2026
3 min read
A directory listing vulnerability occurs when a web server returns an auto-generated index of files for a folder that has no index page (like index.html or index.php). Instead of a 403 Forbidden or 404 Not Found, the visitor gets a clickable list of every file in that directory.
What is a directory listing vulnerability?
When you request a URL that points to a directory rather than a specific file, the web server looks for a default index document. If one exists, it serves it. If none exists, the server has two choices: deny the request, or generate a listing of the directory's contents on the fly.
Both nginx (autoindex on) and Apache (the Indexes option) can produce that listing. It is a convenience feature for file-sharing setups, but on a normal website it is a misconfiguration. The page that comes back shows file names, sizes, and modification dates for everything in the folder — including files you never intended to be discoverable.
This maps to OWASP A05: Security Misconfiguration and is a classic information-exposure issue. It rarely causes direct compromise on its own, but it hands an attacker a map.
Why it's a risk / how it's exploited
Directory listing turns reconnaissance from guesswork into reading. An attacker browsing https://example.com/backups/ might find:
database.sql.bakordump.sql— a full database export left on disk after a migration.config.php.old,.env.bak,wp-config.php~— credentials and API keys in editor backup copies.- Source archives like
site.ziporrelease.tar.gzthat reveal your entire codebase, including server-side logic and secrets. - Upload folders exposing other users' documents, invoices, or private media.
A real attack chain often starts here: the attacker lists /uploads/, spots a forgotten admin.zip, downloads it, reads the database password from a config file inside, and pivots to full account takeover. None of that requires a single exploit — just a server willing to show its file index. Search engines and automated bots also crawl these listings, so exposed backups can end up indexed and searchable long after you forget they exist.
How to detect it
Request a directory path with no index file and watch the response. Pick a folder you know exists (assets, uploads, an old project directory) and append a trailing slash:
curl -s https://example.com/uploads/ | head -n 20
If you see HTML titled Index of /uploads with a table of file links, listing is enabled. A safe site returns 403 Forbidden, an empty 200, or a 404. Check the directories most likely to hold sensitive files: /backup/, /old/, /uploads/, /files/, /.git/, and any deploy or temp folders.
Doing this by hand across a whole site is tedious and easy to get wrong, especially on sites with hundreds of paths. An automated vulnerability scan crawls your site, probes common directory names, and flags any folder that returns an index — alongside the rest of your OWASP Top 10 exposure. See how to scan a website for vulnerabilities for the full workflow.
How to fix it
Disable auto-indexing globally, then keep it off everywhere except the rare folder that genuinely needs it.
nginx — autoindex is off by default, so the fix is usually to remove or correct a stray autoindex on;. To be explicit:
location / {
autoindex off;
}
Apache — remove the Indexes option from the relevant <Directory> block, or override it in .htaccess:
<Directory /var/www/html>
Options -Indexes
</Directory>
Or in a per-directory .htaccess:
Options -Indexes
Two more steps that close the gap completely:
- Stop storing sensitive files under the web root. Backups, dumps, and archives belong outside the served directory entirely — disabling listing only hides them from casual browsing, not from someone who guesses the filename.
- Add an index file (even an empty
index.html) to folders like/uploads/as defense in depth, so a misconfiguration elsewhere can't expose them.
FAQ
Is directory listing always a vulnerability? No. On a deliberate public file mirror it's intended behavior. It becomes a vulnerability when it exposes a folder that should be private — which is the default situation for application directories, uploads, and backups.
Does disabling listing protect the files themselves? Only from being browsed. Anyone who knows or guesses the exact URL can still download the file. Move sensitive files out of the web root and apply proper access control.
Not sure which of your directories are exposed? Run a free website vulnerability scan to find directory listings, leftover backups, and other security misconfigurations before someone else does.
