[Solved] Disable Directory Listing in Spring Boot Tomcat server for Web application


One common Tomcat web server issue is directory listing, which can expose your application to attackers. Directory listing in Tomcat is enabled by default, or some developers enable it themselves, and either way it creates an Information Disclosure issue (leakage of sensitive information).

If directory listing is enabled in your website/application and no index page (index.html or index.php) is configured, then requesting the context path or a URL that ends at a directory displays the list of directories and files, as shown below, and any user or attacker can read the sensitive information in those files.

Tomcat Directory Listing Enabled

As you can see from the above screenshot, the directory listing feature generates output similar to the ‘dir’ or ‘ls’ command on an operating system. An SSL certificate does not protect against directory listing issues. However, these types of issues can be identified by running a vulnerability scanner such as Micro Focus WebInspect against your application.

Solutions

The way to disable directory listing depends on how Tomcat is used, because some Spring Boot applications run Tomcat as an embedded server:

  • Disable directory listing on embedded tomcat in Spring boot
  • Disable directory listing on external tomcat server

Disable directory Listing on embedded tomcat in Spring boot

In a Spring Boot application where Tomcat runs as an embedded server, the application is deployed as a JAR and there is no web.xml file, so you have to set this property in your application.properties / application.yml file to disable directory listing.

server.servlet.jsp.init-parameters.listings=false

Disable directory listing on external tomcat server

When you package your application as a WAR and deploy it on an external Tomcat server, make these changes in your web.xml file to disable directory listing.

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

In the web.xml snippet above, the init-param named listings is set to false, which disables directory listing for the web application.
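Both settings above are easy to lose in a merge or a copy-pasted deployment descriptor, so it helps to audit them before a release. The following Python script is an added example (not part of the original post or of Spring Boot / Tomcat) that parses a web.xml and an application.properties file and reports whether directory listing is explicitly disabled, enabled, or not set at all. The sample web.xml and properties content embedded in it are constructed for the example; the property name and the servlet declaration are the ones shown on this page.

```python
"""Audit Tomcat / Spring Boot configuration for directory-listing exposure.

Two artifacts are checked, matching the two deployment styles above:
  * web.xml (WAR on external Tomcat): the DefaultServlet's "listings"
    init-param should be declared and set to "false".
  * application.properties (JAR with embedded Tomcat): the property
    server.servlet.jsp.init-parameters.listings should be "false".
A verdict of "not-set" means the value is inherited from the server-wide
configuration (conf/web.xml) or framework defaults, which an auditor
should treat as unverified rather than safe.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
LISTINGS_PROPERTY = "server.servlet.jsp.init-parameters.listings"


def _local(tag: str) -> str:
    """Strip an XML namespace: '{http://.../javaee}servlet' -> 'servlet'.
    Real web.xml files usually carry an xmlns, so matching must ignore it."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child whose local name is `name`, else None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def web_xml_listings(xml_text: str):
    """Return the DefaultServlet's 'listings' init-param value (lower-cased),
    or None when the servlet or the parameter is not declared."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        is_default = (_child_text(servlet, "servlet-class") == DEFAULT_SERVLET
                      or _child_text(servlet, "servlet-name") == "default")
        if not is_default:
            continue
        for init in servlet:
            if (_local(init.tag) == "init-param"
                    and _child_text(init, "param-name") == "listings"):
                return (_child_text(init, "param-value") or "").lower()
    return None


def web_xml_verdict(xml_text: str) -> str:
    """'disabled', 'enabled' or 'not-set' for a web.xml document."""
    value = web_xml_listings(xml_text)
    if value is None:
        return "not-set"
    return "disabled" if value == "false" else "enabled"


def properties_verdict(properties_text: str) -> str:
    """Same three-way verdict for an application.properties file.
    Handles '#'/'!' comments and both 'key=value' and 'key:value' forms."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if key.strip() == LISTINGS_PROPERTY:
            return "disabled" if value.strip().lower() == "false" else "enabled"
    return "not-set"


# Constructed sample inputs for the example (not taken from a real project).
WEB_XML_SAFE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

WEB_XML_RISKY = WEB_XML_SAFE.replace("<param-value>false</param-value>",
                                     "<param-value>true</param-value>")

PROPERTIES_SAFE = "# constructed sample\nserver.port=8080\n" \
                  "server.servlet.jsp.init-parameters.listings=false\n"

if __name__ == "__main__":
    print("web.xml (safe):      ", web_xml_verdict(WEB_XML_SAFE))
    print("web.xml (risky):     ", web_xml_verdict(WEB_XML_RISKY))
    print("properties (safe):   ", properties_verdict(PROPERTIES_SAFE))
    print("properties (missing):", properties_verdict("server.port=8080\n"))
```

Run it against your own files by reading them into the two verdict functions; anything other than "disabled" is worth a follow-up, since "not-set" only tells you the application is relying on whatever the server or framework default happens to be.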

If you are using other web servers, you can check the corresponding configuration at the link below.

https://www.netsparker.com/blog/web-security/disable-directory-listing-web-servers/

Let us know your thought on this post.

Happy Learning !!!
