Title

The web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. (Cat II impact)

Discussion

The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories without default pages. In the scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.

Check Content

Review the web server documentation and deployed configuration to locate all the web document directories. Verify that each web document directory contains a default hosted application web page that can be used by the web server in the event a web page cannot be found. If a document directory does not contain a default web page, this is a finding.

Fix Text

Place a default web page in every web document directory.

Additional Identifiers

Rule ID: SV-206411r961167_rule

Vulnerability ID: V-206411

Group Title: SRG-APP-000266

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.