This chapter covers web server assessment. Web servers are very common, requiring a high level of security assurance due to their public nature. Here I discuss the techniques and tools used to test accessible HTTP and HTTPS services, along with their enabled components and subsystems. Testing of custom web applications and scripts that run on top of accessible web servers is covered in the next chapter.
Assessment of various web servers and subsystems can fill its own book. Web services are presented over HTTP, and SSL-wrapped HTTPS, found running by default on TCP ports 80 and 443, respectively.
Comprehensive testing of web services involves the following steps:

1. Fingerprinting the web server
2. Identifying and assessing reverse proxy mechanisms
3. Enumerating virtual hosts and web sites running on the web server
4. Identifying subsystems and enabled components
5. Investigating known vulnerabilities in the web server and enabled components
6. Crawling accessible web sites to identify files and directories of interest
7. Brute-force password grinding against accessible authentication mechanisms
Nowadays, many corporate web sites and applications are presented through reverse proxy layers, and so steps 2 and 3 are very important, as sometimes you will find that different virtual hosts use different server-side features and subsystems. It is often the case that you must provide a valid HTTP Host: field when connecting to a web server to even fingerprint or query the ...
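As an added example (not the chapter's own code), the Host:-dependent behaviour described above, shown against a constructed local server that emulates a reverse proxy fronting two made-up virtual hosts: each candidate Host: value is sent in an otherwise identical GET, and the status and Server banner are compared with the response for an unknown name, which is what you get if you fingerprint by IP address alone.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed fixture (not the book's code): a local server emulating a reverse
# proxy that fronts two made-up virtual hosts and answers any other Host: value
# with a generic banner and a 404.
VHOSTS = {"intranet.example.test": ("Apache/2.4", 200),
          "shop.example.test": ("nginx", 200)}
DEFAULT = ("proxy", 404)

class VHostHandler(BaseHTTPRequestHandler):
    def version_string(self):  # the Server: banner follows the selected vhost
        return VHOSTS.get(self.headers.get("Host"), DEFAULT)[0]

    def do_GET(self):
        self.send_response(VHOSTS.get(self.headers.get("Host"), DEFAULT)[1])
        self.send_header("Content-Length", "0")
        self.end_headers()

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)  # port 0 = ephemeral
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(host_header, ip, port):
    """GET / with an explicit Host: value; return (status, Server banner)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)  # we supply Host: ourselves
    conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Server"))
    conn.close()
    return result

def enumerate_vhosts(candidates, ip, port):
    """Return the candidates whose response differs from the default vhost."""
    baseline = probe("nonexistent.invalid", ip, port)
    found = {}
    for name in candidates:
        reply = probe(name, ip, port)
        if reply != baseline:
            found[name] = reply
    return found

if __name__ == "__main__":
    srv = start_server()
    print(enumerate_vhosts(list(VHOSTS) + ["x.test"], *srv.server_address))
    srv.shutdown()
```

Against a real proxy the same comparison is done with names gathered from DNS, certificates and page content; a name that changes the banner, status or body is a distinct virtual host to assess separately.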