A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

Directory listing vulnerabilities leak a complete index of all of the resources located in that directory. These vulnerabilities can result in exposure of files that should remain hidden, such as data files, backed-up source code, or applications in development. Unrestricted access to files containing sensitive information can aid further attacks against the application.
Directory listing vulnerabilities can be caused by:
1. Poor default configuration

In the absence of a default directory file, server configuration enables directory listing by default. In addition, the following configuration and setup examples might reveal directory contents to attackers:
Example 1: In many default configurations, certain modules installed on the server (e.g. mod_autoindex module for Apache HTTP Server) can enable directory listing to be obtained from the server even if index files exist and server directory listings configuration is disabled.
Example 2: Enabling services like WEBDAV on IIS server might also lead to exposure of directory contents. With the PROPFIND method, it might be possible to browse and list the contents of directories, even if a default directory file (such as "default.htm") exists.
Example 3: In its default configuration, Netscape Enterprise Server has a feature called "Directory Indexing" turned on. When directory listing is enabled, the server returns directory listings to web users.
2. Input Validation
Failure to validate user supplied data can cause directory listing vulnerabilities in servers and applications. Attackers can manipulate filenames and paths in the request URI to gain access to directory contents.
Example 4: JRun: A remote attacker can send a URL request appended with '%3f.jsp' to the server and gain access to the web root directory.
Example 5: BadBlue Webserver: Sending a request with % appended to the path causes the server to disclose the directory contents.
Example 6: Tomcat: Allows attackers to obtain complete directory listings by making a request containing a null byte.
Example 7: WebSTAR: The default installation contains a sample script that attackers can use to gain a directory listing of any directory on the server. Passing an asterisk (*) in the query string and appending it to the target directory path causes the script to disclose directory contents.
3. Encoding
Failure to properly handle requests containing encoded special characters can result in directory listing vulnerabilities
Example 8: Attackers can view the contents of web directories by requesting certain encoded characters. By appending certain characters to a request for a directory, an attacker can "break" the mechanism a server uses to determine whether a request is for a directory or not and thus give a full directory listing.
Example 9: Appending an encoded null-byte to the directory name can reveal directory contents.
4. Traversal vulnerabilities
Failure to validate paths to requested directories can allow attackers to gain access to arbitrary directory contents through traversal attacks.
Example 1: /../examples//WEB-INF/../../../../
5. Access Control error
Exposure of sample or test scripts or administrative interfaces can allow attackers to browse contents of arbitrary directories.

Severe information disclosure vulnerabilities can occur when the following file categories are left unprotected on the server:
- Password files
- User data files
- Database files
- Application management files
- Installation and setup files

Example 1:Successful enumeration of any of these files indicates a severe information disclosure vulnerability password.dbf, password.lst, admin.pw, customers.dbf, user.dat, site_mgmt.html, admin.conf

Failure to block unwanted network traffic expands a cloud service's attack surface. Services open to interaction with the public are subjected to almost continuous scanning and probing by malicious entities.

Failure to block unwanted network traffic expands a cloud service's attack surface. Services open to interaction with the public are subjected to almost continuous scanning and probing by malicious entities.

By default, Terraform deploys a Google Cloud SQL Database instance that only accepts connections from private IP addresses. Optional Authorized Networks settings define acceptable ranges of public IP addresses.

Example 1: The following Terraform configuration sets value to 0.0.0.0/0 in the authorized_networks block. A CIDR block of /0 accepts connections from any IP address between 0.0.0.0 and 255.255.255.255.

resource "google_sql_database_instance" "db-demo" {
  ...
  settings {
  ...
    ip_configuration {
    ...
      authorized_networks {
        name  = "any ip"
        value = "0.0.0.0/0"
      }
    ...
    }
    ...
  }
  ...
}