When a web server (like Apache or Nginx) receives a request for a folder but cannot find a default file (e.g., index.php or index.html), it may automatically generate a page listing every file and subdirectory within that folder.
| Method | Description | Success Condition |
|--------|-------------|-------------------|
| | PUT request via cadaver or curl -X PUT | WebDAV enabled on directory |
| Insecure Upload Form | Found via crawling or guessing /upload.html | No authentication/file validation |
| Writeable Directory via FTP | Uploaded via compromised FTP credentials | Directory permissions = 777 |
Hackers often use "Google Dorks" (special search queries) to find these open directories and exploit them.

How to Disable Directory Listing
The web server is configured to allow directory listing. When a user navigates to the directory path without specifying a default file (e.g., index.html or index.php), the server generates a dynamic HTML page listing all files and subdirectories within that path.
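```bash
# Find all directories with indexing enabled (assumes /var/www/html is the document root served at http://localhost)
# A 200 means the directory returns content: either a default index file or an auto-generated listing.
find /var/www/html -type d -exec sh -c 'echo "$1: $(curl -s -o /dev/null -w "%{http_code}" "http://localhost${1#/var/www/html}/")"' sh {} \;
```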
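The HTTP probe above shows which directories answer, but not which setting causes the listing. The following added example (not code from the original page) scans configuration text for the directives that switch listings on: Apache's `Options` with `Indexes`, `+Indexes` or `All`, and Nginx's `autoindex on;`. The sample configs are constructed, and the scan is line-based, so it flags directives rather than computing the effective merged setting per directory.

```python
import re

# Constructed sample configs for illustration (not from any real server).
APACHE_SAMPLE = """\
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/html/uploads>
    Options -Indexes
</Directory>
# Options Indexes
"""
NGINX_SAMPLE = """\
server {
    location /uploads/ { autoindex on; }
    location /static/  { autoindex off; }
}
"""

APACHE_OPTIONS = re.compile(r"^\s*Options\s+(.+)$", re.IGNORECASE)
NGINX_AUTOINDEX = re.compile(r"\bautoindex\s+on\s*;")

def audit_apache(text):
    """Return (line_no, line) for Options directives that turn Indexes on."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = APACHE_OPTIONS.match(line)  # lines starting with '#' never match
        if not m:
            continue
        opts = [o.lower() for o in m.group(1).split()]
        # "Indexes" and "+Indexes" enable listings; "All" includes Indexes.
        if any(o in ("indexes", "+indexes", "all") for o in opts):
            hits.append((no, line.strip()))
    return hits

def audit_nginx(text):
    """Return (line_no, line) for lines containing an active 'autoindex on;'."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore trailing comments
        if NGINX_AUTOINDEX.search(code):
            hits.append((no, line.strip()))
    return hits

if __name__ == "__main__":
    for name, fn, sample in (("apache", audit_apache, APACHE_SAMPLE),
                             ("nginx", audit_nginx, NGINX_SAMPLE)):
        for no, line in fn(sample):
            print(f"{name}:{no}: {line}")
```

Each flagged line is a candidate for `Options -Indexes` (Apache) or `autoindex off;` (Nginx); Apache `.htaccess` files can also set `Options` and need the same scan.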