Hacking Web Server

A web server is a combination of hardware and software that uses protocols like HTTP to deliver web content to users. It plays a crucial role in web hosting, handling requests from browsers, and serving various types of content. The document also discusses web server vulnerabilities, types, attacks, and hardening techniques to enhance security.

Uploaded by

PAVITHRA R

HACKING WEB SERVER

WHAT IS A WEB SERVER

• A web server is software and hardware that uses HTTP and other
protocols to respond to client requests made over the World Wide Web.
Its main job is to display website content, such as text, images, videos
and applications, to users by storing, processing and delivering
webpages. Web servers are also used in web hosting, i.e., the hosting
of data for websites and web-based applications.
• Computers that host websites must have web server software to be able
to store, process and, most importantly, display web content, like
documents, images or videos.
• A web server usually refers to hardware and software working together.
The web server hardware is connected to the internet and enables data
to be exchanged with other devices connected to the web. It is a
computer that stores web server software and other files related to a
website, such as Hypertext Markup Language (HTML) documents,
images and JavaScript files, and is installed with web server software.
The computer includes numerous components, including processor,
RAM, high-capacity storage drive, and one or more
network interface cards.
• Web server software controls how a user accesses hosted files. Its
primary function is to display the content of hosted websites on a user's
device, e.g., computer, smartphone, tablet, etc. The software is
accessed through the domain names of websites -- multiple domains
can be hosted on one web server -- and ensures the delivery of the
site's content to the requesting user.
• The web server understands web addresses, also known as URLs. Like
web server hardware, web server software is composed of several
components, and most web servers support and use HTTP to deliver
webpages. Besides HTTP, some web servers support Simple Mail
Transfer Protocol (SMTP) and File Transfer Protocol (FTP) for email, file
transfer and storage.

WHAT ARE WEB SERVERS USED FOR?

Web servers often come as part of a larger package of internet- and
intranet-related programs that are used for the following:
• Building and publishing webpages.
• Web hosting.
• Sending and receiving emails.
• Downloading requests for FTP files.
• Some web servers also provide platforms for developing
web applications, thus contributing to the growth of the web's global
infrastructure.

HOW WEB SERVERS WORK

A web server receives requests from a browser (e.g., when you type a
URL), processes those requests, and sends back the requested
content, like web pages, images, or files. The process works like this:
1. Browser requests a page: The browser sends an HTTP request to the
web server.
2. Server processes the request: The server finds the requested content
or generates dynamic content.
3. Server responds: The server sends the content (like an HTML page)
back to the browser.
4. Browser displays the page: The browser renders the content for the
user to see.

A Simple Example:
1. You enter www.example.com in the browser.
2. The browser sends a request for the home page (/).
3. The web server looks up the requested page and finds the index.html file.
4. The server sends the content of index.html back to the browser.
5. The browser renders the page for you to view.

TYPES OF WEB SERVERS

Apache HTTP Server (Apache)
• Popularity: One of the most widely used and established web servers.
• Features: Open-source, highly configurable, supports dynamic content
with modules (like PHP, Python).
• Best For: General-purpose web hosting, small to large-scale websites.

Nginx
• Popularity: Known for its high performance and efficiency in handling concurrent requests.
• Features: Lightweight, can serve static content and act as a reverse proxy and load balancer.
• Best For: High-traffic websites, often used in combination with Apache for better performance.

Microsoft Internet Information Services (IIS)
• Popularity: Common in Windows-based environments, especially
for .NET applications.
• Features: Seamless integration with Windows OS, supports ASP.NET,
and other Microsoft technologies.
• Best For: Enterprises and websites using Microsoft technologies.

Tomcat (Apache Tomcat)
• Overview: A web server and servlet container for Java-based
applications.
• Features: Specializes in running Java Servlets and JavaServer Pages
(JSP). Often used to serve dynamic Java applications.
• Best For: Java-based web applications.

WEB SERVER ATTACKS

File Upload Vulnerabilities
• Description: Attackers upload malicious files (e.g., web shells or executable
files) to the server by exploiting improperly secured file upload functionality.
• Impact: The attacker can execute the malicious file on the server,
potentially gaining control over it.
• Example: An attacker uploading a PHP shell script disguised as an image
file and executing it on the server to gain remote access.
Privilege Escalation
• Description: Attackers exploit vulnerabilities in the web server or application
to elevate their privileges (e.g., from a regular user to an admin) to gain
more control.
• Impact: Unauthorized access to sensitive areas of the application or server.
• Example: Exploiting a bug in an admin panel to elevate the user’s role from
a regular user to an administrator.
Session Hijacking
• Description: An attacker steals or predicts a valid web session to
impersonate a legitimate user and gain access to their account or
private data.
• Impact: Account takeover, unauthorized actions performed on behalf of
the user.
• Example: Capturing session cookies (e.g., via XSS or MITM) and using
them to log into a user’s account without their knowledge.
Brute Force Attacks
• Description: Attackers systematically try multiple password combinations
until they find the correct one. This can be done against server login
panels or admin interfaces.
• Impact: Unauthorized access to accounts or administrative interfaces,
leading to full access to server settings or databases.
• Example: Repeated attempts to guess a user’s password on a login
page using automated tools.

Remote File Inclusion (RFI) and Local File Inclusion (LFI)
• Description: In RFI, an attacker includes files from remote servers in the web application,
while in LFI, they include local files on the server. Both can lead to code execution or
information leakage.
• Impact: Potential execution of malicious code on the server, or exposure of sensitive system files.
• Example: http://example.com/page.php?file=../../../../etc/passwd could expose sensitive system files.

Cross-Site Scripting (XSS)


• Description: XSS occurs when an attacker injects malicious scripts (usually JavaScript) into web pages
that are then executed by a user’s browser.
• Impact: Theft of sensitive data like cookies, session tokens, or personal information, and possible
redirection to malicious websites.
• Example: An attacker injecting a malicious script into a comment section on a website, which is then
executed when other users view the comment.
Denial of Service (DoS) / Distributed Denial of Service (DDoS)
• Description: A DoS attack floods the web server with a massive amount of traffic, causing it to
become slow or unavailable. A DDoS attack involves multiple systems coordinating to attack
the server, making it harder to block.
• Impact: Server overload, causing service outages or degraded performance.
• Example: Botnets sending massive amounts of traffic to overwhelm the server’s bandwidth.

Unpatched Software (Outdated Versions)


• Description: Running an outdated version of a web server or associated software (like plugins,
modules, or frameworks) can leave the server exposed to known vulnerabilities.
• Risk: Exploiting known vulnerabilities in outdated software allows attackers to gain
unauthorized access, execute arbitrary code, or disrupt service.
• Mitigation: Regularly update the web server and associated software to the latest, stable
versions.

Directory Traversal
• Description: This occurs when an attacker is able to access files and directories outside the
web server's intended root directory, typically by manipulating file paths.
• Risk: Attackers can access sensitive system files or configuration files (e.g., /etc/passwd on Unix-based systems).
• Mitigation: Properly sanitize user inputs and avoid exposing file system paths in URLs.

Weak Authentication and Session Management


• Description: If a web server has weak authentication mechanisms (e.g., using weak passwords or no session expira
attackers can exploit this to hijack user sessions or gain unauthorized access.
• Risk: Attackers can impersonate users, steal sensitive data, or perform unauthorized actions.
• Mitigation: Enforce strong passwords, use multi-factor authentication (MFA), and properly
manage session timeouts and tokens.

WEB SERVER VULNERABILITIES

1. Outdated Software
• Method of Exploitation: Attackers exploit known vulnerabilities in older versions of
web servers or associated software.
• Example: An attacker exploits an unpatched vulnerability in an old version
of Apache to execute arbitrary code.
• Mitigation: Regularly update the web server and all software to the latest
stable versions. Apply security patches promptly.

2. SQL Injection (SQLi)
• Method of Exploitation: Attackers insert malicious SQL queries into input fields
(e.g., login forms, search boxes) to manipulate the database.
• Example: http://example.com/login?user=admin' OR 1=1 -- allows the attacker to bypass authentic
• Mitigation: Use prepared statements or parameterized queries to handle user input safely.
Implement input validation and sanitize user inputs.
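
The difference between a concatenated query and a parameterized one, shown with the `admin' OR 1=1 --` input from the example above. This is an added illustration, not code from the original slides; the table layout, hash strings and function names are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """In-memory user table filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "constructed-hash-1"), ("alice", "constructed-hash-2")])
    return db

def login_concatenated(db, user, password_hash):
    # Weak form: the input is pasted into the SQL text, so a quote in `user`
    # ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM users WHERE name = '" + user +
           "' AND password_hash = '" + password_hash + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, user, password_hash):
    # Hardened form: placeholders keep the SQL text fixed; the driver binds
    # the values as data, so quotes and comment markers have no effect.
    sql = "SELECT name FROM users WHERE name = ? AND password_hash = ?"
    return db.execute(sql, (user, password_hash)).fetchone() is not None

def compare(user, password_hash):
    """Run the same credentials through both forms."""
    db = make_db()
    return {"concatenated": login_concatenated(db, user, password_hash),
            "parameterized": login_parameterized(db, user, password_hash)}

if __name__ == "__main__":
    print("injected input :", compare("admin' OR 1=1 --", "wrong"))
    print("valid login    :", compare("admin", "constructed-hash-1"))
    print("wrong password :", compare("admin", "wrong"))
```
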

File Inclusion (LFI/RFI)
• Method of Exploitation: Attackers manipulate file path input to
include local (LFI) or remote (RFI) files, potentially executing malicious code.
• Example: http://example.com/view?file=../../../../etc/passwd to read sensitive server files.
• Mitigation: Avoid using user input directly in file paths. Use whitelisting
of allowable files and disable URL file inclusion.
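
One way to apply the mitigations named for Directory Traversal and File Inclusion: resolve the requested path to its canonical form, confirm it is still inside the web root, and let the request select from an allowlist instead of naming a file. This is an added example, not part of the original slides; it assumes a POSIX host, and the allowlist, function names and sample directory tree are hypothetical.

```python
import os
import tempfile

# Hypothetical allowlist: the request carries a key, never a file name.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}

def resolve_inside(root, requested):
    """Return the canonical path of `requested` under `root`, or None if it escapes."""
    root_real = os.path.realpath(root)
    # realpath collapses ../ sequences and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        # commonpath compares whole components, so a sibling such as
        # "www-backup" does not pass as "www" the way a prefix test would.
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # paths that cannot be compared, e.g. different drives
        inside = False
    return candidate if inside else None

def resolve_page(root, page_key):
    """Allowlist lookup first, containment check second."""
    name = ALLOWED_PAGES.get(page_key)
    return None if name is None else resolve_inside(root, name)

def build_sample_tree():
    """Constructed layout: a web root, a sibling directory, a symlink leading out."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    sibling = os.path.join(base, "www-backup")
    os.makedirs(root)
    os.makedirs(sibling)
    open(os.path.join(root, "home.html"), "w").close()
    open(os.path.join(sibling, "secret.txt"), "w").close()
    os.symlink(sibling, os.path.join(root, "link"))
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for req in ["home.html", "../../../../etc/passwd", "/etc/passwd",
                "../www-backup/secret.txt", "link/secret.txt"]:
        print(f"{req!r:30} -> {resolve_inside(root, req)}")
    print("page=home ->", resolve_page(root, "home"))
    print("page=../../etc/passwd ->", resolve_page(root, "../../etc/passwd"))
```
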

Cross-Site Scripting (XSS)
• Method of Exploitation: Attackers inject malicious JavaScript into web pages that
execute in a victim’s browser when they view the page.
• Example: <script>alert('XSS Attack');</script> injected into a comment section.
• Mitigation: Sanitize user input, use Content Security Policy (CSP) headers, and encode
output data to prevent scripts from being executed.

Insecure Communication (HTTP Instead of HTTPS)


• Method of Exploitation: Attackers intercept data transmitted over unencrypted HTTP connections
(Man-in-the-Middle attacks).
• Example: Intercepting a login request over HTTP and stealing user credentials.
• Mitigation: Enforce HTTPS (SSL/TLS) for all communications. Redirect HTTP to HTTPS using
HTTP Strict Transport Security (HSTS).

WEB SERVER HARDENING

Web server hardening refers to the process of securing a web server by
reducing its attack surface and mitigating risks. This involves
implementing security best practices to ensure that the server is
protected against common vulnerabilities and attacks. Here are the
essential web server hardening techniques:

1. Keep Software and Patches Up-to-Date
• Why: Unpatched vulnerabilities are a significant entry point for attackers.
• How: Regularly update the web server software (e.g., Apache, Nginx,
IIS) and other associated applications (e.g., PHP, database software) to
the latest stable versions. Apply security patches as soon as they are
released.

2. Use Strong Authentication
• Why: Weak or default authentication mechanisms are easy targets for
attackers.
• How:
    • Enforce strong password policies (e.g., minimum length,
    complexity).
    • Use multi-factor authentication (MFA) for accessing sensitive areas
    (such as server management interfaces).
    • Remove default usernames and passwords (e.g., "admin" or
    "root").

3. Restrict Permissions
• Why: Improper file or directory permissions can allow attackers to
access sensitive data or execute malicious code.
• How:
    • Apply the principle of least privilege: Only grant users and services the
    permissions they absolutely need.
    • Restrict write access to directories that don’t need it (e.g.,
    application code or logs should not be writable by public users).

4. Implement Secure Communication (Use HTTPS)
• Why: Data transmitted over HTTP is vulnerable to interception (e.g.,
man-in-the-middle attacks).
• How:
    • Enforce HTTPS (SSL/TLS) for all traffic.
    • Use strong encryption protocols (TLS 1.2 or higher) and disable
    outdated ones (e.g., SSL 2.0/3.0, TLS 1.0).
    • Implement HTTP Strict Transport Security (HSTS) to enforce
    HTTPS.

5. Configure Web Application Firewalls (WAF)
• Why: A WAF filters and monitors HTTP requests to block malicious
traffic before it reaches the server.
• How:
    • Use a WAF (e.g., ModSecurity for Apache, Cloudflare, or AWS
    WAF).
    • Set up custom rules to block common attack patterns such as SQL
    injection, XSS, and CSRF.

6. Configure Firewalls and Intrusion Prevention Systems (IPS)
• Why: A firewall limits traffic to authorized IP addresses and ports,
reducing exposure to attackers.
• How:
    • Use network firewalls to limit access to critical services like SSH
    and HTTP/HTTPS only to trusted IPs.
    • Set up IPS to detect and block suspicious traffic in real-time.
    • Consider using cloud-based firewalls for DDoS protection.

7. Regular Security Audits
• Why: Security vulnerabilities evolve, so periodic audits help identify and
fix potential weaknesses.
• How:
    • Regularly audit your web server's configuration, permissions, and
    security settings.
    • Conduct vulnerability scans and penetration testing on the server
    to identify new threats.

8. Backup and Disaster Recovery
• Why: In case of a breach, having backups ensures you can restore your
system.
• How:
    • Regularly back up critical data and configurations.
    • Store backups securely, ideally offsite or encrypted.
    • Test backup and recovery processes to ensure they work during
    emergencies.

9. Limit Resource Usage
• Why: Attackers can overload a server by consuming excessive
resources, leading to a denial of service.
• How:
    • Implement rate limiting and request throttling to prevent abuse.
    • Limit the number of simultaneous connections from a single IP or
    user.
    • Use resource control settings (e.g., memory limits, CPU limits) to
    prevent resource exhaustion.
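
The rate limiting recommended in item 9, which also blunts the repeated login guessing described under Brute Force Attacks, can be sketched as a per-client sliding window. This is an added example, not part of the original slides; the class name, the limit of 5 requests per 60 seconds and the sample attempts are assumptions constructed for the demonstration.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `max_events` per key within any `window` seconds."""

    def __init__(self, max_events, window):
        self.max_events = max_events
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:  # forget events outside the window
            q.popleft()
        if len(q) >= self.max_events:
            return False                        # over the limit: reject, do not record
        q.append(now)
        return True

# Constructed sample: (timestamp in seconds, client IP) for login requests.
# The addresses come from the RFC 5737 documentation ranges.
SAMPLE_ATTEMPTS = (
    [(t, "203.0.113.7") for t in range(8)]            # 8 attempts in 8 seconds
    + [(3, "198.51.100.20"), (40, "198.51.100.20")]   # ordinary user
    + [(70, "203.0.113.7")]                           # same client, window expired
)

def replay(attempts, max_events=5, window=60):
    """Feed attempts through a fresh limiter in time order."""
    limiter = SlidingWindowLimiter(max_events, window)
    return [(ts, ip, limiter.allow(ip, ts)) for ts, ip in sorted(attempts)]

def denied_counts(results):
    """Number of rejected requests per client."""
    counts = defaultdict(int)
    for _, ip, allowed in results:
        if not allowed:
            counts[ip] += 1
    return dict(counts)

if __name__ == "__main__":
    results = replay(SAMPLE_ATTEMPTS)
    for ts, ip, allowed in results:
        print(f"t={ts:>3}s {ip:<15} {'allow' if allowed else 'DENY'}")
    print("denied per client:", denied_counts(results))
```
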
