What is Directory Indexing

Definition

Directory indexing vulnerability is one of the security vulnerabilities that can occur in web applications. This vulnerability can occur when a web application dynamically generates directory paths without validating user input.

It is a vulnerability where a specific directory automatically displays a directory listing when the initial page (index.html, home.html, default.asp, etc.) does not exist in that directory.

Vulnerability Occurrence Points

• All pages

Vulnerability Verification Methods

• When example.com/path1/path2/page is given, test example.com/path1/path2/.

• When example.com/path1/path2/page is given, test example.com/path1/../../../.

• When example.com/ is given, test example.com/index.php.

• When example.com/ is given, test example.com/.

• In the case of php+apache, default generated files include:

  • /var/www/html/*index.php

  • /var/www/html/.htaccess

  • /etc/php/*php.ini

  • /var/log/apache2/*error_log

  • /var/log/apache2/*access_log

Attack Method

Attack Scenario

1. The attacker investigates the path in the address bar.

2. The attacker confirms that user input affects the directory path.

3. The attacker attempts to exploit by using the directory path to access the web server's file system or call executable files.

Occurrence Process

Detailed Process Explanation

1. The web application dynamically generates directory paths based on user input.

2. Due to the vulnerability, the directory path is exposed to malicious users.

3. The attacker uses the exposed directory path to attempt to access the web server's file system or call executable files.

Countermeasures

1. Validate User Input: Perform validation on values received from users to restrict them to allowed characters or formats. For example, define a set of allowed characters or limit the length of input values.

2. Use Whitelist Filtering: Process user input using whitelist filtering to only allow directory names that are explicitly permitted, rejecting other characters or path separators.

3. Use Path Mapping: Instead of dynamically generating directory paths based on user input, use a directory mapping table to map input values to actual directory paths. This way, user input doesn't need to be directly applied to directory paths.