Back to Glossary
medium severity · Vulnerability Glossary

Directory Listing Vulnerability

Updated June 17, 2026

3 min read

directory listing vulnerability
directory listing
autoindex
Options -Indexes
security misconfiguration
information disclosure
directory indexing
OWASP A05

A directory listing vulnerability occurs when a web server returns an auto-generated index of files for a folder that has no index page (like index.html or index.php). Instead of a 403 Forbidden or 404 Not Found, the visitor gets a clickable list of every file in that directory.

What is a directory listing vulnerability?

When you request a URL that points to a directory rather than a specific file, the web server looks for a default index document. If one exists, it serves it. If none exists, the server has two choices: deny the request, or generate a listing of the directory's contents on the fly.

Both nginx (autoindex on) and Apache (the Indexes option) can produce that listing. It is a convenience feature for file-sharing setups, but on a normal website it is a misconfiguration. The page that comes back shows file names, sizes, and modification dates for everything in the folder — including files you never intended to be discoverable.

This maps to OWASP A05: Security Misconfiguration and is a classic information-exposure issue. It rarely causes direct compromise on its own, but it hands an attacker a map.

Why it's a risk / how it's exploited

Directory listing turns reconnaissance from guesswork into reading. An attacker browsing https://example.com/backups/ might find:

  • database.sql.bak or dump.sql — a full database export left on disk after a migration.
  • config.php.old, .env.bak, wp-config.php~ — credentials and API keys in editor backup copies.
  • Source archives like site.zip or release.tar.gz that reveal your entire codebase, including server-side logic and secrets.
  • Upload folders exposing other users' documents, invoices, or private media.

A real attack chain often starts here: the attacker lists /uploads/, spots a forgotten admin.zip, downloads it, reads the database password from a config file inside, and pivots to full account takeover. None of that requires a single exploit — just a server willing to show its file index. Search engines and automated bots also crawl these listings, so exposed backups can end up indexed and searchable long after you forget they exist.

How to detect it

Request a directory path with no index file and watch the response. Pick a folder you know exists (assets, uploads, an old project directory) and append a trailing slash:

curl -s https://example.com/uploads/ | head -n 20

If you see HTML titled Index of /uploads with a table of file links, listing is enabled. A safe site returns 403 Forbidden, an empty 200, or a 404. Check the directories most likely to hold sensitive files: /backup/, /old/, /uploads/, /files/, /.git/, and any deploy or temp folders.

Doing this by hand across a whole site is tedious and easy to get wrong, especially on sites with hundreds of paths. An automated vulnerability scan crawls your site, probes common directory names, and flags any folder that returns an index — alongside the rest of your OWASP Top 10 exposure. See how to scan a website for vulnerabilities for the full workflow.

How to fix it

Disable auto-indexing globally, then keep it off everywhere except the rare folder that genuinely needs it.

nginxautoindex is off by default, so the fix is usually to remove or correct a stray autoindex on;. To be explicit:

location / {
    autoindex off;
}

Apache — remove the Indexes option from the relevant <Directory> block, or override it in .htaccess:

<Directory /var/www/html>
    Options -Indexes
</Directory>

Or in a per-directory .htaccess:

Options -Indexes

Two more steps that close the gap completely:

  • Stop storing sensitive files under the web root. Backups, dumps, and archives belong outside the served directory entirely — disabling listing only hides them from casual browsing, not from someone who guesses the filename.
  • Add an index file (even an empty index.html) to folders like /uploads/ as defense in depth, so a misconfiguration elsewhere can't expose them.

FAQ

Is directory listing always a vulnerability? No. On a deliberate public file mirror it's intended behavior. It becomes a vulnerability when it exposes a folder that should be private — which is the default situation for application directories, uploads, and backups.

Does disabling listing protect the files themselves? Only from being browsed. Anyone who knows or guesses the exact URL can still download the file. Move sensitive files out of the web root and apply proper access control.


Not sure which of your directories are exposed? Run a free website vulnerability scan to find directory listings, leftover backups, and other security misconfigurations before someone else does.