Directory Indexing takes advantage of insecure indexing to expose confidential data on a site. A misconfigured server can show a directory listing, which potentially yields sensitive information to an attacker. Indexing site contents via a process that has access to files not destined for consumption has the potential to leak information about the existence of such files, and also about their content. In the process of indexing, such information is collected and stored by the indexing process, which can later be retrieved by a determined attacker, typically through a series of queries to the search engine.
Web administrators often assume if there are no hyperlinks to these documents, no one will be able to find them. But today’s vulnerability scanners can dynamically add additional directories/files to include in their scans based on data obtained in initial probes. Directory Indexing will then allow a leak that supplies an attacker with the information needed to launch further attacks against the system.