CISSP · Question #1043
A malicious user gains access to unprotected directories on a web server. Which of the following is MOST likely the cause for this information disclosure?
The correct answer is A. Security misconfiguration. Explanation Security misconfiguration (A) is correct because unprotected directories result from improperly configured web server settings - such as failing to disable directory listing, leaving default permissions in place, or neglecting to restrict access to sensitive folders.
Question
A malicious user gains access to unprotected directories on a web server. Which of the following is MOST likely the cause for this information disclosure?
Options
- ASecurity misconfiguration
- BCross-site request forgery (CSRF)
- CStructured Query Language injection (SQLi)
- DBroken authentication management
How the community answered
(22 responses)- A86% (19)
- C5% (1)
- D9% (2)
Explanation
Explanation
Security misconfiguration (A) is correct because unprotected directories result from improperly configured web server settings - such as failing to disable directory listing, leaving default permissions in place, or neglecting to restrict access to sensitive folders. This is a classic example of a misconfigured environment exposing resources that should be hidden or restricted.
CSRF (B) is wrong because it involves tricking an authenticated user into unknowingly submitting malicious requests - it does not relate to exposing server directories.
SQLi (C) is wrong because SQL injection targets database queries through manipulated input fields, not web server directory structures.
Broken authentication (D) is wrong because that vulnerability involves flaws in login mechanisms, session tokens, or credential management - not directory-level access controls.
Memory Tip: Think of security misconfiguration as the "someone left the door unlocked" vulnerability - no exploit needed, just poor setup. If the attack requires no clever technique and simply involves accessing something that should have been locked down, think misconfiguration first.
Topics
Community Discussion
No community discussion yet for this question.