
Open Directories: how does it work and what is the risk?

by Sebastiaan Bosman | Blog | 11 Nov 2021

Open directories are online file storage systems that let you access files remotely. A directory works like a digital filing cabinet, organising folders and files such as invoices, back-ups, important mail, IP, and more. Having this operate via the cloud means you can access your files from anywhere. However, some directories lack security. These are known as open directories, and they are accessible to more people than you would like.

Security via obscurity?

Often, security of such files and directories is left until the end of the (development) process, making it more prone to being forgotten altogether. In addition, there is still a widespread misconception that if there are no direct connections to a directory, it is therefore safe. Protecting something by making it “hard to find” is, unfortunately, ineffective, as there’s almost always a workaround. It’s still very much possible to detect directories without ‘clicking’ your way to them.

Instead, sources such as Shodan, Censys, and Google Dorks allow anyone to run a query that returns a list of open directories and data dumps of a certain file type.


Directories via a web request

Even simpler, a well-formulated web request can return a directory listing when there is no index file in the requested directory. Directory listing is a web server feature that can be turned on or off. Acunetix explains: requesting a domain “without specifying a file (such as index.html, index.php, or default.asp), the web server processes this request, returns the index file for that directory, and the browser displays the website. However, if the index file did not exist and if directory listing was turned on, the web server would return the contents of the directory instead.”

That looks something like this:

Example open directories
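
A defender-side check for the behaviour described above, as an added example that is not from the original article: it walks a web root on disk and reports every directory without an index file (which the server would list if directory listing is on), together with any files in it that look like dumps, backups or VPN profiles. The index file names come from the quote; the extension list and the sample tree are constructed assumptions, and the real index names depend on your server configuration.

```python
import os
import tempfile

# Assumed defaults: index names from the quoted explanation, plus extensions
# matching the leftover, VPN and database-dump files the article describes.
INDEX_FILES = {"index.html", "index.php", "default.asp"}
RISKY_EXT = {".sql", ".bak", ".zip", ".ovpn", ".gz"}


def audit_webroot(webroot, index_files=INDEX_FILES, risky_ext=RISKY_EXT):
    """Return {url_path: [risky files]} for every directory that has no
    index file, i.e. one the server would list if directory listing is on."""
    findings = {}
    for current, _dirs, files in os.walk(webroot):
        if {name.lower() for name in files} & index_files:
            continue  # an index file is served instead of a listing
        rel = os.path.relpath(current, webroot)
        url_path = "/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/"
        findings[url_path] = sorted(
            name for name in files
            if os.path.splitext(name)[1].lower() in risky_ext
        )
    return findings


def build_sample_webroot(base):
    """Create a constructed sample tree (demonstration data only)."""
    layout = {
        "index.html": "home",
        "assets/logo.png": "",
        "backup/db_dump.sql": "-- constructed",
        "backup/client.ovpn": "# constructed",
        "shop/index.php": "<?php ?>",
        "shop/old.zip": "",
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_webroot(build_sample_webroot(tmp))
        for url_path, risky in sorted(report.items()):
            print(f"{url_path} has no index file; risky files: {risky or 'none'}")
```

Directories that do contain an index file are not reported, but files in them remain downloadable by anyone who requests the exact path, so leftover archives should be removed rather than hidden.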

 

How bad is it?

The image above is illustrative of the kinds of directories and data files that are openly accessible in this way. These are leftover files, VPN files, and some database dumps. Even one small data leak can have a huge impact on an organisation or individuals, and the risk level increases when more of these files can be found.

We wanted to determine the extent of the problem. How many directories and files can be found with a relatively quick investigation? To find out, we used a combination of Shodan and our own Attack Surface Management platform to look for such open directories. The result: over 475,000 directories leading to millions of files, with some dumps as big as 30 gigabytes, from all over the world.


What did we find?

The research itself will be explained in more detail over the coming weeks, when we discuss the method and specific findings. We will also present a complete overview of the data dumps, exports, and leftover files we have found, and the potential impact of such data leaks. Our CISO Vincent Thiele and Security Analyst Soufian El Yadmani share their insights during our live webinar on 1 December. And most importantly: they will also explain how you can detect and prevent an incident from an open directory.
