Directory Indexing
Attack Pattern ID: 127 (Standard Attack Pattern Completeness: Stub)Typical Severity: MediumStatus: Draft
+ Description

Summary

An attacker crafts a request to a target that results in the target listing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An attacker can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, configuration files, as well as naming patterns, all of which can be used by an attacker to mount additional attacks.

+ Attack Prerequisites

The target must be configured to return a list of a directory's contents when it receives a request that ends in a directory name rather than a file name.

The attacker must be able to control the path of a request processed by the target.

+ Resources Required

A client capable of interactions with the target.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern154Resource Location Attacks 
Mechanism of Attack (primary)1000
ChildOfCategoryCategory349WASC Threat Classification 2.0 - WASC-16 - Directory Indexing 
WASC Threat Classification 2.0333
Back to top