ZAP – Directory Browsing

Details
Alert ID	0
Alert Type	Active
Status	release
Risk	Medium
CWE	548
WASC	48
Technologies Targeted	All
Tags	CWE-548 OWASP_2017_A05 OWASP_2021_A01 POLICY_API POLICY_PENTEST POLICY_QA_CICD POLICY_QA_FULL POLICY_QA_STD SYSTEMIC
More Info	Scan Rule Help

Summary

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information.

Solution

Disable directory browsing. If this is required, make sure the listed files does not induce risks.

Other Info

References

https://httpd.apache.org/docs/current/mod/core.html#options

Code

org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java