Dina and the Department Store of Despair: A Tale of Too Many Open Doors
Featuring a security analyst with boundary issues (the good kind), a server that couldn’t keep a secret, and the world’s most polite directory scanner.
TL;DR: Find open directory listings without being that person who reads everyone’s diary. Scan, collect IOCs, report responsibly, repeat.
cat urls.txt | dirlstr -c 40 | tee open-dirs.txt
Use it: https://github.com/cybercdh/dirlstr
Meet Dina Directory, senior security analyst at Corporate Corp and three-time winner of “Most Likely to Return Your Pen.” Dina had principles: never read private files, always knock first, and absolutely never—never—download that 4GB database backup just to prove a point. Her coffee mug (Gerald III, ceramic, judgmental) bore witness to her latest crusade: finding every open directory listing before the hackers did.
It started innocently. Tuesday, 3 PM, routine asset review. Dina was clicking through subdomains like a pianist warming up when she hit staging.corporate-corp.com/uploads/. Instead of a 403 Forbidden or a login page, Apache greeted her with its most honest face: “Index of /uploads” followed by a parade of files marching down the page like ants at a picnic.
“Gerald,” she said to her mug, “we’ve got a situation.”
The situation was 47 subdomains, each potentially hosting its own digital yard sale. Dina could check them manually, but she’d already done that dance last month and her carpal tunnel was unionizing. Time for automation, but with manners.
dirlstr was born from this exact frustration—the tool that finds open doors but doesn’t rifle through the medicine cabinet. Think of it as a metal detector for directory listings: it beeps, you investigate, nobody gets arrested.
The tool’s philosophy matched Dina’s perfectly: observe, don’t interact. Like a nature documentarian filming lions—you can see them eating the gazelle, but you don’t join the feast.
Here’s how Dina’s Tuesday became legendary:
# Step 1: The reconnaissance (like window shopping, but for vulnerabilities)
assetfinder -subs-only corporate-corp.com | httpx -silent | tee urls.txt
# Step 2: The surgical strike (find the open doors)
cat urls.txt | dirlstr -c 40 | tee open-dirs.txt
# Step 3: The evidence collection (what's visible from the sidewalk)
rg -NI "(backup|\.sql|\.zip|config|password)" open-dirs.txt | tee concerning-files.txt
By 4 PM, Dina had a list. By 4:15, she’d found:
- backup-final-FINAL-v2-USE-THIS-ONE.zip (a classic)
- database_dump_2023_do_not_delete.sql (narrator: they didn’t delete it)
- passwords_plaintext.txt (Dina’s eye twitched)
- An entire folder called /definitely-not-production-data/
“Gerald,” Dina said, “either we’re being pranked or IT needs an intervention.”
The beauty of dirlstr is its restraint. Where other tools might download everything “for evidence,” dirlstr just takes notes. It’s the difference between photographing a crime scene and taking home the silverware.
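dirlstr’s own source isn’t reproduced here, so as an added illustration of that observe-only approach (example code, not the dirlstr project’s), here is a Python function that decides from an already-fetched response body whether it is an autoindex page, lists the entry names it sees, and flags the same filename patterns Step 3 greps for. The HTML sample is constructed and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser

# Title/heading signature of an Apache or nginx autoindex page.
INDEX_TITLE = re.compile(r"^\s*Index of (/\S*)")
# Same filename pattern Step 3 of the article greps for, matched case-insensitively.
CONCERNING = re.compile(r"(backup|\.sql|\.zip|config|password)", re.I)

class _IndexParser(HTMLParser):
    """Collects the <title> text and every href; requests nothing."""
    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a" and dict(attrs).get("href"):
            self.hrefs.append(dict(attrs)["href"])
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def inspect_listing(body):
    """Return (is_listing, path, entries, concerning) for one response body.
    Only the bytes already received are read; no listed file is ever fetched."""
    p = _IndexParser()
    p.feed(body)
    m = INDEX_TITLE.match(p.title)
    if not m:
        return False, None, [], []
    # Keep entry names; drop column-sort links (?C=N;O=D), parent-directory
    # links (Apache uses an absolute path, nginx uses ../) and external URLs.
    entries = [h for h in p.hrefs
               if not h.startswith(("?", "/", "http://", "https://")) and h != "../"]
    return True, m.group(1), entries, [e for e in entries if CONCERNING.search(e)]

# Constructed sample of what Dina saw at /uploads/ (not a real capture).
SAMPLE_LISTING = """<html><head><title>Index of /uploads</title></head><body>
<h1>Index of /uploads</h1><pre><a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a>
<a href="backup-final-FINAL-v2-USE-THIS-ONE.zip">backup-final-FINAL-v2-USE-THIS-ONE.zip</a>
<a href="passwords_plaintext.txt">passwords_plaintext.txt</a>
<a href="logo.png">logo.png</a>
<a href="definitely-not-production-data/">definitely-not-production-data/</a>
</pre></body></html>"""

if __name__ == "__main__":
    print(inspect_listing(SAMPLE_LISTING))
```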
Want to follow Dina’s path? Here’s your breadcrumb trail:
# The polite probe (add common paths without hammering)
while read -r url; do
for path in / /backup/ /uploads/ /tmp/ /logs/ /data/; do
echo "${url}${path}"
done
done < urls.txt | tee url-candidates.txt
# The scan (concurrent but respectful)
cat url-candidates.txt | dirlstr -c 40 | tee findings.txt
# The spot-check (verify one manually, for the skeptics)
curl -fsSL https://staging.corporate-corp.com/uploads/ | head -50
Dina’s disclosure email was a masterpiece of professional restraint. Where she wanted to write “YOUR ENTIRE DATABASE IS SHOWING,” she instead wrote:
Subject: Security Finding - Directory Listing Enabled
Dear Security Team,
During routine reconnaissance, I identified publicly accessible directory listings on multiple subdomains. No files were accessed or downloaded during this assessment.
Affected endpoints: [see attached]
Evidence: Directory indexes return file listings without authentication
Risk: Information disclosure, potential data exposure
Remediation: Disable directory indexing in web server configuration
Screenshots attached for verification. Happy to discuss remediation approaches.
Best regards,
Dina
P.S. - Please check /uploads/ first. Trust me on this one.
The response came in 12 minutes—a company record. The CISO’s reply was just: “Oh god. Fixing now. Thank you. How did we not know about this?”
Dina looked at Gerald. Gerald, being ceramic, offered no answers but excellent moral support.
By Friday, every directory listing was locked down. IT implemented a new policy: directory indexing disabled by default, monthly scans, and a swear jar specifically for whoever named files “final-FINAL-actuallyfinal.”
The lessons Dina carved into her notebook (and you should too):
- Reconnaissance is not intrusion. Looking at what’s publicly displayed isn’t breaking in—it’s quality assurance with commitment issues.
- Document everything, download nothing. Your evidence should fit in an email, not a data center.
- Automate with ethics. Your tools should be as polite as you’d be in person.
- Report fast, fix faster. Every hour an open directory exists is an hour someone less polite might find it.
Want the one-liner that started it all? Here:
echo "https://target.com/uploads/" | dirlstr -v
If it returns results, you’ve got work to do. If it doesn’t, try more paths. If Gerald starts talking back, you’ve been at this too long.
The real magic isn’t finding the vulnerabilities—it’s finding them first, reporting them properly, and sleeping soundly knowing you’ve made the internet slightly less terrible. Dina does this every Tuesday. Gerald approves, silently, as good mugs do.
Report template for the prepared:
Title: Directory Listing Information Disclosure
Asset: [URL]
Method: Automated directory listing detection via dirlstr
Evidence: [First 20 lines of listing]
Files observed: [Summary, no contents accessed]
Impact: Unintended information disclosure, potential sensitive data exposure
Fix: Add "Options -Indexes" to .htaccess or equivalent server config
Status: Awaiting remediation
Be like Dina. Find the problems. Report them kindly. Keep the internet slightly less horrifying than you found it. Gerald believes in you.