Directory Indexing Attacks: When Your Web Server Reveals Too Much

Directory indexing (also called directory listing) occurs when a web server answers a request for a directory by generating a list of its contents instead of serving a page. This typically happens when the directory holds no default document (index.html, default.asp and so on) and automatic indexing is enabled. The listing itself is rarely exploitable on its own, but it leaks information that makes later attacks easier to plan.

What Attackers Can Discover

  • Backup files with extensions .bak, .old, .orig
  • Temporary files not properly purged from the server
  • Hidden files starting with a period (.)
  • Naming conventions that reveal directory and admin path structure
  • Configuration files (.conf, .cfg) that may hold credentials or access control data
  • Script names under /cgi-bin/, and their source if the directory is misconfigured to serve scripts as plain files

Controlling Indexing with .htaccess

# Disable automatic listings for this directory and everything below it.
# Requires "AllowOverride Options" (or All) in the server configuration;
# otherwise Apache returns 500 Internal Server Error when it reads this file.
Options -Indexes
# Belt and braces: if listings are ever re-enabled, hide every entry from them.
# This only empties the listing; it does not block direct requests for the files.
IndexIgnore *

Upload .htaccess in text (ASCII) mode so the transfer does not mangle line endings, and give it mode 644 so the web server process can read it. File permissions do not stop a browser from requesting the file: that protection comes from the <FilesMatch "^\.ht"> block in the stock Apache configuration, which denies access to any file whose name begins with .ht. Confirm that block is still present in your httpd.conf rather than assuming it.
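Server-level version of the same controls, added here as an example rather than taken from the original page: an Apache 2.4 httpd.conf fragment that turns indexing off below the document root, removes the per-directory override that could switch it back on, and explicitly denies the kinds of files a listing would otherwise reveal. The document root /var/www and the extension list are assumptions; adjust both to the deployment.

```apache
# Assumed document root; adjust to your deployment.
<Directory "/var/www">
    # No generated listings anywhere below the root. A directory with no
    # index document now returns 403 Forbidden instead of a file list.
    Options -Indexes
    # Per-directory .htaccess files cannot turn Indexes back on.
    AllowOverride None
    Require all granted
</Directory>

# Deny direct requests for hidden files. This subsumes the stock
# <FilesMatch "^\.ht"> rule, so .htaccess and .htpasswd stay covered
# even in a trimmed configuration.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Defence in depth for backup and editor leftovers: refused even if a
# listing or a guess exposes their names. Extension list is an assumption.
<FilesMatch "(\.(bak|old|orig|swp)|~)$">
    Require all denied
</FilesMatch>
```

Run apachectl configtest before reloading. nginx ships with its equivalent, autoindex, off by default, so there the check is only that no server or location block sets autoindex on.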

Prevention Guidance

  • Disable directory indexing in the web server’s Options directive (Options -Indexes) unless a directory specifically requires it; with indexing off, Apache answers a request for a directory that has no default document with 403 Forbidden.
  • Use mod_security or another WAF to match listing markup, such as an "Index of /" title, in outgoing responses; this catches listings that a later configuration change lets slip through.
  • Ensure every directory that should not be browsable has a default index file or an explicit deny rule.
  • Audit web server configurations after any structural change, and re-check by requesting each directory path directly rather than trusting the configuration alone.
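A small audit helper, added here as an example and not code from the original page. Given the HTML a server returned for a directory URL, it decides whether the page is an auto-generated listing from the title and parent-link markers that Apache, nginx, IIS and Python's http.server emit, extracts the listed names, and flags the categories from the "What Attackers Can Discover" list above (hidden files, backup copies, temporary files, configuration files, script sources). The same markers are what a mod_security response-body rule would match. The three sample responses are constructed for this example, and the extension sets extend the article's .bak/.old/.orig and .conf/.cfg with a few common variants, which is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Markers of auto-generated listings. Apache mod_autoindex and nginx autoindex
# title the page "Index of /<path>"; Python's http.server uses "Directory
# listing for /<path>"; IIS titles it "<host> - /<path>/" and links the parent
# as "[To Parent Directory]". The IIS title test is a heuristic.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<title>\s*Directory listing for /", re.I),
    re.compile(r"<title>[^<]+ - /[^<]*</title>", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
)

# Categories from the article; extension sets extended with common variants
# (an assumption). First match wins, so a hidden ".env" reports as hidden.
SENSITIVE_PATTERNS = (
    ("hidden entry", re.compile(r"^\.[^.]")),
    ("backup copy", re.compile(r"(\.(bak|old|orig|save|swp)|~)$", re.I)),
    ("temporary file", re.compile(r"\.(tmp|temp)$|^~\$", re.I)),
    ("configuration", re.compile(r"\.(conf|cfg|ini|env)$", re.I)),
    ("script source", re.compile(r"\.(cgi|pl|php|py|sh)$", re.I)),
)
PARENT_LABELS = ("parent directory", "[to parent directory]")


class _LinkCollector(HTMLParser):
    """Collect (href, link text) pairs; HTMLParser lower-cases tag names."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_directory_listing(html):
    return any(marker.search(html) for marker in LISTING_MARKERS)


def extract_entries(html):
    """Return listed names in page order; directories keep a trailing slash."""
    collector = _LinkCollector()
    collector.feed(html)
    entries = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme or parts.netloc or parts.query:
            continue  # external link, or an Apache column-sort link (?C=N;O=D)
        if text.lower().startswith(PARENT_LABELS):
            continue  # Apache/IIS parent link
        path = unquote(parts.path)
        name = path.rstrip("/").rsplit("/", 1)[-1]
        if not name or name == "..":
            continue  # root, or nginx-style "../" parent link
        if path.endswith("/"):
            name += "/"
        if name not in entries:
            entries.append(name)
    return entries


def classify(name):
    """Return the sensitivity category for a listed name, or None."""
    for label, pattern in SENSITIVE_PATTERNS:
        if pattern.search(name.rstrip("/")):
            return label
    return None


def audit_response(html):
    """Summarise one response: is it a listing, what it lists, what matters."""
    if not is_directory_listing(html):
        return {"listing": False, "entries": [], "findings": []}
    entries = extract_entries(html)
    findings = [(n, classify(n)) for n in entries if classify(n)]
    return {"listing": True, "entries": entries, "findings": findings}


# Constructed sample responses (not captured from any real server).
APACHE_LISTING = """<html><head><title>Index of /admin/include</title></head><body>
<table><tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/admin/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href=".htpasswd">.htpasswd</a></td><td>2024-01-09 10:12</td></tr>
<tr><td><a href="db.conf">db.conf</a></td><td>2024-01-09 10:12</td></tr>
<tr><td><a href="db.conf.bak">db.conf.bak</a></td><td>2023-11-30 08:40</td></tr>
<tr><td><a href="logo.png">logo.png</a></td><td>2023-11-30 08:40</td></tr>
<tr><td><a href="menu.inc.php~">menu.inc.php~</a></td><td>2023-11-30 08:40</td></tr>
</table></body></html>"""
IIS_LISTING = """<html><head><title>intranet.example - /backup/</title></head><body>
<pre><A HREF="/">[To Parent Directory]</A><br>
 1/9/2024 2:31 PM 524288 <A HREF="/backup/site.old">site.old</A><br>
 1/9/2024 2:31 PM 1048576 <A HREF="/backup/web.config.orig">web.config.orig</A><br>
 1/9/2024 2:31 PM &lt;dir&gt; <A HREF="/backup/tmp/">tmp</A><br></pre></body></html>"""
NORMAL_PAGE = """<html><head><title>Welcome</title></head>
<body><a href="/about.html">About</a> <a href="/files/report.bak">old report</a></body></html>"""

if __name__ == "__main__":
    for label, page in (("apache", APACHE_LISTING), ("iis", IIS_LISTING), ("normal", NORMAL_PAGE)):
        print(label, audit_response(page))
```

Point the helper at the bodies returned by a crawler or proxy log for every directory path in the site; a normal page that merely links to a .bak file (the third sample) is not reported, because the listing markers are checked first.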