nerdexam
(ISC)2

CISSP · Question #1043

A malicious user gains access to unprotected directories on a web server. Which of the following is MOST likely the cause for this information disclosure?

The correct answer is A. Security misconfiguration. Explanation Security misconfiguration (A) is correct because unprotected directories result from improperly configured web server settings - such as failing to disable directory listing, leaving default permissions in place, or neglecting to restrict access to sensitive folders.

Submitted by ricky.ec· Mar 5, 2026Asset Security

Question

A malicious user gains access to unprotected directories on a web server. Which of the following is MOST likely the cause for this information disclosure?

Options

  • ASecurity misconfiguration
  • BCross-site request forgery (CSRF)
  • CStructured Query Language injection (SQLi)
  • DBroken authentication management

How the community answered

(22 responses)
  • A
    86% (19)
  • C
    5% (1)
  • D
    9% (2)

Explanation

Explanation

Security misconfiguration (A) is correct because unprotected directories result from improperly configured web server settings - such as failing to disable directory listing, leaving default permissions in place, or neglecting to restrict access to sensitive folders. This is a classic example of a misconfigured environment exposing resources that should be hidden or restricted.

CSRF (B) is wrong because it involves tricking an authenticated user into unknowingly submitting malicious requests - it does not relate to exposing server directories.

SQLi (C) is wrong because SQL injection targets database queries through manipulated input fields, not web server directory structures.

Broken authentication (D) is wrong because that vulnerability involves flaws in login mechanisms, session tokens, or credential management - not directory-level access controls.

Memory Tip: Think of security misconfiguration as the "someone left the door unlocked" vulnerability - no exploit needed, just poor setup. If the attack requires no clever technique and simply involves accessing something that should have been locked down, think misconfiguration first.

Topics

#Web server security#Security misconfiguration#Information disclosure#Directory traversal/listing

Community Discussion

No community discussion yet for this question.

Full CISSP Practice