Rule Definition
A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible.

Remediation
Do not list the ressources of a directory.

Violation Code Sample

# Sample 1 - configuration file web.xml

<init-param>
    <param-name>listings</param-name>
    <param-value>true</param-value>  // VIOLATION
</init-param>


# Sample 2 - source file *.java for Spring

ServletRegistrationBean<DefaultServlet> registrationBean = new ServletRegistrationBean<>(new DefaultServlet(), "/files/*");
registrationBean.addInitParameter("listings", "true");  // VIOLATION


# Sample 3 - source file *.java for Jetty

WebAppContext webAppContext = new WebAppContext();
defaultServletHolder.setInitParameter("dirAllowed", "true");  // VIOLATION

Fixed Code Sample

# Remediation sample 1 - configuration file web.xml

<init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>  // FIXED
</init-param>


# Remediation sample 2 - source file *.java for Spring

ServletRegistrationBean<DefaultServlet> registrationBean = new ServletRegistrationBean<>(new DefaultServlet(), "/files/*");
registrationBean.addInitParameter("listings", "false");  // FIXED


# Remediation sample 3 - source file *.java for Jetty

WebAppContext webAppContext = new WebAppContext();
defaultServletHolder.setInitParameter("dirAllowed", "true");  // FIXED

CWE-548: Exposure of Information Through Directory Listing https://cwe.mitre.org/data/definitions/548.html OWASP Top Ten 2021 Category A01:2021 - Broken Access Control https://owasp.org/Top10/A01_2021-Broken_Access_Control/