One common tomcat web server issue is directory listing that’s can cause to hackers attacked. By default tomcat directory listing is enabled or some developers set as enabled then it’s create a Information Disclosure Issue (leakage of sensitive information).
In your website/application if directory listing is enabled and index page is not configured as index.html or index.php then on typing the context path or URL till directory will display the list of directory and file as below and user/hacker can see all these files sensitive information.
As you can see from the above screenshot, the directory listing feature generates an output similar to command (‘dir’ or ‘ls’) on an operating system. Directory listing issues can not protect from a SSL certificate. However, These types of issue can be identified by running through vulnerabilities scanner on your application through Microfocus Web inspect.
As a solution to disable directory listing depends on the tomcat server because in some of Spring boot application use tomcat as embedded server:
- Disable directory listing on embedded tomcat in Spring boot
- Disable directory listing on external tomcat server
Disable directory Listing on embedded tomcat in Spring boot
In Spring boot application where tomcat is defined as embedded tomcat then the application is deployed as jar and there is no web.xml file the you have to define this property setting on your application.properties / application.yml file to disable directory listing.
Disable directory listing on external tomcat server
When you deploy your application using package as war on external tomcat server then you have to make these changes on your web.xml file to disable the directory listing on external tomcat server.
<servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <param-name>listings</param-name> <param-value>false</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet>
Here in above xml in web.xml file the init-param tag for listing is defined as false to disable the directory listing for application on web application.
f you are using the other web servers then you can check these configuration through below link.
Let us know your thought on this post.
Happy Learning !!!