Hacking web servers
Web server
- System used for storing, processing, and delivering websites
- Hosts web applications, allowing clients to access those applications
- Implements client-server model architecture where client can be e.g. a browser or an API.
Web server concepts
- Document root
- Root directory of servable documents
- E.g. HTML, JS, image files...
- Server root
- Root directory of all the code that implements the server.
- Stores configuration, log, and executable files
- Virtual document tree
- Used when the original disk becomes full
- Located sometimes on different disk, possibly on a different machine
- Virtual hosting is multiple sites on a single server
- Web proxy
- Also known as HTTP proxy
- Server placed between the client and server
- All requests coming from the client go through the proxy to the server
- instead of directly going to the server
- Open-source Web Server Architecture
- Typically uses
- Linux as an OS
- Apache as a web server
- MySQL as a database
- PHP (LAMP) as principal components.
- Typically uses
- Internet Information Service (IIS)
- Web server application developed for Windows Server
Web server hacking methodology
- Information gathering e.g.:
- Acquiring
robots.txt
to see directories/files that are hidden from web crawlers. - Internet searches, WHOIS
- 📝 Testing HTTP methods
- Checks for
GET
,HEAD
,POST
,OPTIONS
,DELETE
,PUT
,CONNECT
,TRACE
- Risky methods are
DELETE
,PUT
,CONNECT
,TRACE
and should be disabled nmap --script http-methods <target>
- Checks for
- Acquiring
- Footprinting
- E.g.
- List email addresses:
nmap --script http-google-email
- Enumerate common web apps
nmap --script http-enum -p80
- List email addresses:
- Tools: Netcraft, HTTPRecon, ID Serve, HTTPrint, Nmap
- See also Banner grabbing
- E.g.
- Mirror the target website to browse it offline
- Tools: • Wget • BlackWidow • HTTrack • WebCopier Pro • Web Ripper • SurfOffline
- Discover vulnerabilities using e.g.:
- 📝 Nikto
- Web-server scanner focusing on • misconfigurations • outdated/insecure files
- Read more in Vulnerability analysis | Nikto
- Metasploit
- Find, exploit and validate vulnerabilities
- 📝 Nikto
- Perform session hijacking and password cracking attacks
Web server hacking tools
- Wfetch: Microsoft tool to customize and send HTTP requests
- THC Hydra: login cracker which supports numerous protocols to attack
- HULK DoS: DoSer
- w3af: web application security scanner
- Metasploit: Penetration testing suit
Web server hacking countermeasures
- Patch and update server regularly
- Encrypt the traffic.
- Enforce code access security policy
- Monitor logs
- Use website change detection system
- Check server files with hash comparison and alert if any modifications has happened.
- Filter traffic to SSH server
- Default passwords and unused default accounts should be changed and disabled respectively.
Place web servers securely
- Place web servers in separate secure server security segment on network
- Recommend to have three layered web application network: Internet, DMZ, internal
- Place web servers in DMZ zone isolated from public network as well as internal network.
- Each layer should have its own firewalls
Securing ports
- Audit the ports regularly
- Disabling insecure and unnecessary ports.
- Use Port 443 HTTPS over port 80 HTTP.
Using certificates
- Ensure validity of certificate data ranges and certificate's public key
- See also Digital certificate | Cryptography
Securing IIS
- Securing your web server | Microsoft docs
Machine.config
- Disable tracing (
<trace enable="false"/>
) - Turn off debug compiles.
- Disable tracing (
- 📝 Remove unnecessary ISAPI extensions and filters
- Allows custom Web Request handling
- Exploited heavily by attackers in the past.