One of the projects I am working on is running in a new httpserver instance. One of the things that I have discovered is that many of the things that we put in place regarding web site security need to be recreated in this new application.

As a matter of course, I went to check if it was possible to get a directory listing of the images directory. I was able to do so. Looking at the structure of the site, I was able to get directory listing of all subdirectories in the site. I needed to discuss with the developers why this is not a good idea. Tonight, I came across the following link that describes why this is a threat: [Directory Indexing] Threat Classification – Web Application Security Consortium