Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 378
  • Last Modified:

Viewing a sites files and directories

I am wondering if it is possible to browse through a websites entire structure, similar to an ls(dir) command?  I am making a website and want to know if it is possible for someone to see a folder or file that I do not link to, but put in the sites folder.  Example, if the site is www.mysite.com, and the folder is www.mysite.com/myfolder,  I am wondering if I don't link to this folder, can someone browse my sites structure and see it?  I have the same question with files, if I have www.mysite.com/hidden.html, is it possible to find this file (and any others that are not linked to)?  If there is a way, what is it?  Thank you.
0
skabzalot
Asked:
skabzalot
2 Solutions
 
skabzalotAuthor Commented:
note:  www.mysite.com is not actually my site, just an example.
0
 
MaBCommented:
In IIS you would have to right click <default web site> choose properties and home directory. There you have a checkbox called Directory Browsing. With that checked visitors will be able to browse your directory.
0
 
chicagoanCommented:
In IIS and Apache browsing is a feature that can be turned on or off.
If it is turned off, generally one specifies a default document that will be served up when only the directory is specified in the URL, otherwise a 404 error is generated.
Nothing stops a person from fishing for documents unless you place them in an area that requires .htaccess or OS authentication.
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 
TooKoolKrisCommented:
How to Enable Directory Browsing on Virtual Directories
http://support.microsoft.com/default.aspx?scid=kb;en-us;239053

Creating a Directory Browsing Page Using ASP
http://support.microsoft.com/default.aspx?scid=kb;en-us;224364

WWW and FTP Virtual Directories Are Not Displayed in Directory Listings
http://support.microsoft.com/default.aspx?scid=kb;en-us;247376

HOW TO: Configure Web Server Permissions for Web Content in IIS
http://support.microsoft.com/default.aspx?scid=kb;en-us;313075
0
 
skabzalotAuthor Commented:
so if I turn browsing off, then is there a way to do it?  A program or something?
0
 
chicagoanCommented:
There are website 'cloning' applications that start at the homepage and follow all the links.
These utilities aren't much good these days as as java and asp mask a lot of the site, they worked when sites were mostly a collection of static pages.
i.e http://www.bluesquirrel.com/products/grabasite/index.html?ASCID=1161

and one could script a brute force atttack,

but there is no http command that will over-ride the web server setup and enumetate the directories, short of a newly discovered vulnerability.

0
 
Joseph_MooreCommented:
I know of one program called IntelliTamper that can do this. It does more then just "spider" a site - follow each link on each page to the next page. It can acutally search through a site and find other files that are NOT linked off any existing page. I have tested this, and I just don't understand how it does it!
I used it on a friend's website once to find his resume that he didn't realize was up in his webspace!

http://www.intellitamper.com/

0
 
chicagoanCommented:
"Discover hidden files and folders with a words dictionary search"
A more focused attack than brute force, but the same idea.
0
 
jeaneyCommented:
Just make sure there's an index.html in each directory.
This would ensure that they see a webpage rather than a directory listing.

You could maybe put a redirect into it to bring the attacker to your home page.

0
 
ewallCommented:
You can help lockdown your site from prying eyes with the following:

* Using the "IndexIgnore *" directive in your .htaccess file (if your webserver is Apache or its copycats) - see http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#indexignore

* Using a robots.txt file - see http://www.robotstxt.org/

~ewall
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now