Skip to main content
Version: 1.0.2

Hacking web servers

Web server

  • System used for storing, processing, and delivering websites
  • Hosts web applications, allowing clients to access those applications
  • Implements client-server model architecture where client can be e.g. a browser or an API.

Web server concepts

  • Document root
    • Root directory of servable documents
    • E.g. HTML, JS, image files...
  • Server root
    • Root directory of all the code that implements the server.
    • Stores configuration, log, and executable files
  • Virtual document tree
    • Used when the original disk becomes full
    • Located sometimes on different disk, possibly on a different machine
  • Virtual hosting is multiple sites on a single server
  • Web proxy
    • Also known as HTTP proxy
    • Server placed between the client and server
    • All requests coming from the client go through the proxy to the server
      • instead of directly going to the server
  • Open-source Web Server Architecture
    • Typically uses
      • Linux as an OS
      • Apache as a web server
      • MySQL as a database
      • PHP (LAMP) as principal components.
  • Internet Information Service (IIS)
    • Web server application developed for Windows Server

Web server hacking methodology

  1. Information gathering e.g.:
    • Acquiring robots.txt to see directories/files that are hidden from web crawlers.
    • Internet searches, WHOIS
    • 📝 Testing HTTP methods
      • Checks for GET, HEAD, POST, OPTIONS, DELETE, PUT, CONNECT, TRACE
      • Risky methods are DELETE, PUT, CONNECT, TRACE and should be disabled
      • nmap --script http-methods <target>
  2. Footprinting
    • E.g.
      • List email addresses: nmap --script http-google-email
      • Enumerate common web apps nmap --script http-enum -p80
    • Tools: Netcraft, HTTPRecon, ID Serve, HTTPrint, Nmap
    • See also Banner grabbing
  3. Mirror the target website to browse it offline
    • Tools: • Wget • BlackWidow • HTTrack • WebCopier Pro • Web Ripper • SurfOffline
  4. Discover vulnerabilities using e.g.:
  5. Perform session hijacking and password cracking attacks

Web server hacking tools

  • Wfetch: Microsoft tool to customize and send HTTP requests
  • THC Hydra: login cracker which supports numerous protocols to attack
  • HULK DoS: DoSer
  • w3af: web application security scanner
  • Metasploit: Penetration testing suit

Web server hacking countermeasures

  • Patch and update server regularly
  • Encrypt the traffic.
  • Enforce code access security policy
  • Monitor logs
  • Use website change detection system
    • Check server files with hash comparison and alert if any modifications has happened.
  • Filter traffic to SSH server
  • Default passwords and unused default accounts should be changed and disabled respectively.

Place web servers securely

Securing ports

  • Audit the ports regularly
  • Disabling insecure and unnecessary ports.
  • Use Port 443 HTTPS over port 80 HTTP.

Using certificates

Securing IIS

  • Securing your web server | Microsoft docs
    • Machine.config
      • Disable tracing (<trace enable="false"/>)
      • Turn off debug compiles.
    • 📝 Remove unnecessary ISAPI extensions and filters
      • Allows custom Web Request handling
      • Exploited heavily by attackers in the past.