Viewing a site's files and directories

I am wondering if it is possible to browse through a website's entire structure, similar to an ls(dir) command? I am making a website and want to know if it is possible for someone to see a folder or file that I do not link to, but put in the site's folder. Example, if the site is www.mysite.com, and the folder is www.mysite.com/myfolder, I am wondering if I don't link to this folder, can someone browse my site's structure and see it? I have the same question with files, if I have www.mysite.com/hidden.html, is it possible to find this file (and any others that are not linked to)? If there is a way, what is it? Thank you.
skabzalot Asked:
skabzalot (Author) Commented:
Note: www.mysite.com is not actually my site, just an example.
0
MaB Commented:
In IIS you would have to right-click <default web site>, choose Properties and then Home Directory. There you have a checkbox called Directory Browsing. With that checked, visitors will be able to browse your directory.
0

chicagoan Commented:
In IIS and Apache browsing is a feature that can be turned on or off.
If it is turned off, generally one specifies a default document that will be served up when only the directory is specified in the URL, otherwise a 404 error is generated.
Nothing stops a person from fishing for documents unless you place them in an area that requires .htaccess or OS authentication.
0
TooKoolKris Commented:
How to Enable Directory Browsing on Virtual Directories
http://support.microsoft.com/default.aspx?scid=kb;en-us;239053

Creating a Directory Browsing Page Using ASP
http://support.microsoft.com/default.aspx?scid=kb;en-us;224364

WWW and FTP Virtual Directories Are Not Displayed in Directory Listings
http://support.microsoft.com/default.aspx?scid=kb;en-us;247376

HOW TO: Configure Web Server Permissions for Web Content in IIS
http://support.microsoft.com/default.aspx?scid=kb;en-us;313075
0
skabzalot (Author) Commented:
So if I turn browsing off, then is there a way to do it? A program or something?
0
chicagoan Commented:
There are website 'cloning' applications that start at the homepage and follow all the links.
These utilities aren't much good these days, as Java and ASP mask a lot of the site; they worked when sites were mostly a collection of static pages.
i.e. http://www.bluesquirrel.com/products/grabasite/index.html?ASCID=1161

And one could script a brute force attack,

but there is no HTTP command that will override the web server setup and enumerate the directories, short of a newly discovered vulnerability.

0
Joseph_Moore Commented:
I know of one program called IntelliTamper that can do this. It does more than just "spider" a site - follow each link on each page to the next page. It can actually search through a site and find other files that are NOT linked off any existing page. I have tested this, and I just don't understand how it does it!
I used it on a friend's website once to find his resume that he didn't realize was up in his webspace!

http://www.intellitamper.com/

0
chicagoan Commented:
"Discover hidden files and folders with a words dictionary search"
A more focused attack than brute force, but the same idea.
0
jeaney Commented:
Just make sure there's an index.html in each directory.
This would ensure that they see a webpage rather than a directory listing.

You could maybe put a redirect into it to bring the attacker to your home page.

0
ewall Commented:
You can help lock down your site from prying eyes with the following:

* Using the "IndexIgnore *" directive in your .htaccess file (if your webserver is Apache or its copycats) - see http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#indexignore

* Using a robots.txt file - see http://www.robotstxt.org/

~ewall
0
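An added example, not part of the original thread: the answers above say an unlinked file is still served to anyone who requests it by name, so a site owner can audit for forgotten files from the filesystem side. This sketch follows static HTML links from the start page of a local copy of the web root and reports every file nothing links to; the function names, the `site.invalid` placeholder origin and the sample site are assumptions made for the illustration.

```python
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import unquote, urljoin, urlsplit

BASE = "http://site.invalid/"  # placeholder origin, only used to resolve relative links

class LinkParser(HTMLParser):
    """Collect href/src attribute values from one HTML document."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src") and v]

def unlinked_files(docroot, start="index.html", default_doc="index.html"):
    """Return files under docroot that no page reachable from `start` links to."""
    root = Path(docroot).resolve()
    seen, queue = set(), [start]
    while queue:
        path = (root / queue.pop()).resolve()
        path = path / default_doc if path.is_dir() else path  # folder link -> default document
        if path in seen or root not in path.parents or not path.is_file():
            continue
        seen.add(path)
        if path.suffix.lower() in (".html", ".htm"):
            parser = LinkParser()
            parser.feed(path.read_text(encoding="utf-8", errors="replace"))
            page_url = BASE + path.relative_to(root).as_posix()
            for link in parser.links:
                target = urlsplit(urljoin(page_url, link))
                if target.netloc == "site.invalid":   # ignore off-site links
                    queue.append(unquote(target.path).lstrip("/"))
    on_disk = {p for p in root.rglob("*") if p.is_file()}
    return sorted(p.relative_to(root).as_posix() for p in on_disk - seen)

def demo():
    pages = {  # constructed sample site; file names follow the question's examples
        "index.html": '<a href="about.html">About</a> <img src="img/logo.png">',
        "about.html": '<a href="/">Home</a> <a href="http://example.com/">Ext</a>',
        "img/logo.png": "",
        "hidden.html": "<p>not linked from anywhere</p>",
        "myfolder/notes.txt": "not linked from anywhere",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in pages.items():
            full = Path(tmp, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_text(body, encoding="utf-8")
        return unlinked_files(tmp)
```

Files this reports are candidates to delete or to move behind authentication. Links generated by scripts or server-side code are not followed, so a dynamic site will show more unlinked files than it really has.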
Question has a verified solution.
