Applies to
Applications written using Servlets or JSP.
What to Do
Disable directory browsing for your application's web directories.
Why
Directory browsing allows an attacker to browse your application's directory structure in search of unprotected files and components.
When
Disable directory browsing at all times.
How
Use the following steps to successfully disable directory browsing:
-
Identify if directory browsing is enabled. Navigate to your application's directories. Identify whether your application's server correctly returns an HTTP error message. If it incorrectly returns the directory contents, continue with the following steps.
-
Locate the default servlet's configuration. Open your application's deployment descriptor (e.g. web.xml), and locate the default servlet's configuration. If the default servlet is present, it is mapped to the root directory of your application. Example:
<servlet>
<servlet-name>default_servlet</servlet-name>
<servlet-class>
org.apache.catalina.servlets.DefaultServlet
</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>default_servlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping> -
Deny directory browsing in the default servlet's configuration. Initialize the default servlet with the parameter listings set to false. Example:
<servlet>
<servlet-name>default_servlet</servlet-name>
<servlet-class>
org.apache.catalina.servlets.DefaultServlet
</servlet-class>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>default_servlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping> -
Ensure your JSP files are located under the WEB-INF/ directory of your web application. This ensures that an attacker cannot directly access those pages, however your application can perform internal forwards to these pages.