Chapter 17. Attacking the Web Server
As with any kind of application, a web application is dependent on the other layers of the technology stack that support it, including the web server, operating system, and networking infrastructure. Any of these components may be targeted by an attacker, and compromising the technology on which an application depends will very often enable an attacker to fully compromise the application itself.
Most attacks in this category are outside the scope of a book about attacking web applications. One exception to this is attacks that target the web server layer. The web server is intimately tied up with the application that runs on it, and defects within a web server can often be used to attack the application directly, rather than indirectly, by first compromising the underlying host.
This chapter focuses on ways of leveraging defects at the web server layer to attack the web application running on it. The vulnerabilities that you can exploit to attack web servers fall into two broad categories: shortcomings in the server's configuration and security flaws within the web server software.
Vulnerable Web Server Configuration
Even the simplest of web servers comes with a wealth of configuration options that control its behavior. Historically, many servers have shipped with insecure default options, which present opportunities for attack unless they are explicitly hardened.
Default Credentials
Many web servers contain administrative interfaces that may be publicly ...
Get The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.