Solved

Viewing a site's files and directories

Posted on 2003-12-04
Last Modified: 2010-04-11
I am wondering if it is possible to browse through a website's entire structure, similar to an ls (dir) command. I am making a website and want to know if it is possible for someone to see a folder or file that I do not link to, but put in the site's folder. For example, if the site is www.mysite.com, and the folder is www.mysite.com/myfolder, I am wondering: if I don't link to this folder, can someone browse my site's structure and see it? I have the same question with files: if I have www.mysite.com/hidden.html, is it possible to find this file (and any others that are not linked to)? If there is a way, what is it? Thank you.
0
Question by:skabzalot
13 Comments
 

Author Comment

by:skabzalot
ID: 9872969
Note: www.mysite.com is not actually my site, just an example.
0
 
LVL 7

Accepted Solution

by:
MaB earned 125 total points
ID: 9873181
In IIS you would have to right-click <default web site>, choose Properties and Home Directory. There you have a checkbox called Directory Browsing. With that checked, visitors will be able to browse your directory.
0
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 125 total points
ID: 9874279
In IIS and Apache browsing is a feature that can be turned on or off.
If it is turned off, generally one specifies a default document that will be served up when only the directory is specified in the URL, otherwise a 404 error is generated.
Nothing stops a person from fishing for documents unless you place them in an area that requires .htaccess or OS authentication.
0
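An audit of the situation the question describes, added here as an example and not part of the original thread: it walks a document root, follows links from the home page, and reports the files that rely only on being unlinked, plus the directories with no default document. The names `audit_docroot` and `build_sample_site` and the sample layout are constructed for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LinkCollector(HTMLParser):
    """Collects href/src attribute values from one HTML page."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src") and v]

def audit_docroot(docroot, default_doc="index.html"):
    """Return (unlinked_files, dirs_without_default_doc) as site-relative paths."""
    on_disk, bare_dirs = set(), []
    for dirpath, _dirs, files in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        prefix = "/" if rel == "." else "/" + rel + "/"
        if default_doc not in files:
            bare_dirs.append(prefix)  # a listing appears here if browsing is on
        on_disk.update(prefix + name for name in files)
    reachable, queue = set(), ["/"]
    while queue:  # follow links from the home page, as a spider would
        path = queue.pop()
        if path.endswith("/"):
            path += default_doc
        if path in reachable or path not in on_disk:
            continue
        reachable.add(path)
        if path.endswith((".html", ".htm")):
            collector = LinkCollector()
            page = os.path.join(docroot, *path.split("/"))
            with open(page, encoding="utf-8", errors="replace") as fh:
                collector.feed(fh.read())
            for link in collector.links:
                target = urlsplit(urljoin("http://site.invalid" + path, link))
                if target.netloc == "site.invalid":  # ignore off-site links
                    queue.append(target.path)
    return sorted(on_disk - reachable), sorted(bare_dirs)

def build_sample_site(root):
    """Constructed sample: the layout from the question, written under root."""
    pages = {"index.html": '<a href="about.html">About</a> <img src="/img/logo.png">',
             "about.html": '<a href="./index.html">Home</a>',
             "hidden.html": "not linked", "img/logo.png": "",
             "myfolder/notes.txt": "not linked"}
    for rel, body in pages.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
```

Anything in the first list is served to whoever requests its exact URL, so it belongs behind authentication or outside the document root.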
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9874527
How to Enable Directory Browsing on Virtual Directories
http://support.microsoft.com/default.aspx?scid=kb;en-us;239053

Creating a Directory Browsing Page Using ASP
http://support.microsoft.com/default.aspx?scid=kb;en-us;224364

WWW and FTP Virtual Directories Are Not Displayed in Directory Listings
http://support.microsoft.com/default.aspx?scid=kb;en-us;247376

HOW TO: Configure Web Server Permissions for Web Content in IIS
http://support.microsoft.com/default.aspx?scid=kb;en-us;313075
0
 

Author Comment

by:skabzalot
ID: 9877145
So if I turn browsing off, then is there a way to do it? A program or something?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9877537
There are website 'cloning' applications that start at the homepage and follow all the links.
These utilities aren't much good these days, as Java and ASP mask a lot of the site; they worked when sites were mostly a collection of static pages.
i.e. http://www.bluesquirrel.com/products/grabasite/index.html?ASCID=1161

and one could script a brute force attack,

but there is no HTTP command that will override the web server setup and enumerate the directories, short of a newly discovered vulnerability.

0
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9879398
I know of one program called IntelliTamper that can do this. It does more than just "spider" a site - follow each link on each page to the next page. It can actually search through a site and find other files that are NOT linked off any existing page. I have tested this, and I just don't understand how it does it!
I used it on a friend's website once to find his resume that he didn't realize was up in his webspace!

http://www.intellitamper.com/

0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9879596
"Discover hidden files and folders with a words dictionary search"
A more focused attack than brute force, but the same idea.
0
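The dictionary and brute-force guessing discussed in the comments above leaves a recognisable trail in the server's access log: one client requesting many distinct paths that do not exist. The following detection sketch is an added example, not part of the original thread; it assumes Apache common/combined log format, and the function name, thresholds and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined format: client ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def find_path_guessers(lines, min_misses=5, min_miss_ratio=0.8):
    """Return {client: {"misses": [...], "found": [...]}} for clients whose
    requests are mostly distinct paths that are missing or forbidden."""
    seen = defaultdict(lambda: {"total": 0, "misses": set(), "found": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines and other request methods
        client, status = m.group(1), int(m.group(3))
        path = m.group(2).split("?", 1)[0]  # ignore the query string
        entry = seen[client]
        entry["total"] += 1
        if status in (403, 404):
            entry["misses"].add(path)
        elif 200 <= status < 300:
            entry["found"].add(path)  # what the guessing actually turned up
    flagged = {}
    for client, entry in seen.items():
        misses = len(entry["misses"])
        if misses >= min_misses and misses / entry["total"] >= min_miss_ratio:
            flagged[client] = {"misses": sorted(entry["misses"]),
                               "found": sorted(entry["found"])}
    return flagged

# Constructed sample log: one ordinary visitor and one client guessing paths.
SAMPLE_LOG = """\
198.51.100.20 - - [04/Dec/2003:09:58:10 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.20 - - [04/Dec/2003:09:58:11 +0000] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.20 - - [04/Dec/2003:09:58:40 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.7 - - [04/Dec/2003:10:00:01 +0000] "GET /admin/ HTTP/1.0" 404 209
203.0.113.7 - - [04/Dec/2003:10:00:01 +0000] "GET /backup/ HTTP/1.0" 404 209
203.0.113.7 - - [04/Dec/2003:10:00:02 +0000] "GET /old/ HTTP/1.0" 404 209
203.0.113.7 - - [04/Dec/2003:10:00:02 +0000] "GET /private/ HTTP/1.0" 403 215
203.0.113.7 - - [04/Dec/2003:10:00:03 +0000] "GET /test.html HTTP/1.0" 404 209
203.0.113.7 - - [04/Dec/2003:10:00:03 +0000] "GET /hidden.html HTTP/1.0" 200 812
""".splitlines()
```

The `found` list for a flagged client is the part to act on first: those are unlinked files the guessing reached.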
 
LVL 1

Expert Comment

by:jeaney
ID: 9978000
Just make sure there's an index.html in each directory.
This would ensure that they see a webpage rather than a directory listing.

You could maybe put a redirect into it to bring the attacker to your home page.

0
 
LVL 3

Expert Comment

by:ewall
ID: 10509552
You can help lock down your site from prying eyes with the following:

* Using the "IndexIgnore *" directive in your .htaccess file (if your webserver is Apache or its copycats) - see http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#indexignore

* Using a robots.txt file - see http://www.robotstxt.org/

~ewall
0
