Most Important Checklist for Penetration of Web Server

Web Server

Web server penetration testing falls into three key activities: identifying vulnerabilities, analysing them, and documenting them. Typical findings include configuration errors and protocol-related weaknesses.

1. "The best way of testing the web server for its various vulnerabilities is to perform a series of methodical and repeatable tests."

2. "Collect as much information as possible" about the organization. The main area to focus on in the initial stage of web server pen testing is the operating environment.

3. Test web server authentication. Social engineering techniques are used to collect human resources information, contact details, and other social information.

4. Gather target information using Whois database query tools to obtain details such as the domain name, IP address, administrative contacts, autonomous system number, DNS servers, etc.

5. Fingerprint the web server to collect information such as the server type, operating system, and browser-based software in use, with fingerprinting tools such as Netcraft, httprecon, and ID Serve.

6. Crawl the website to collect web pages with specific information, e.g. email addresses.

7. Enumerate web server directories to obtain important information about web functionality, forms, etc.

8. Perform a directory traversal attack to access restricted directories and execute commands from the web server's root directory.

9. Run vulnerability scans to find weaknesses, using vulnerability scanning software such as HP WebInspect or Nessus, and decide whether the application can be exploited.

10. Perform cache poisoning attacks, which force the web server to flush the actual contents of its cache and replace them with a specific request that is then served from the cache.

11. Perform an HTTP response splitting attack, injecting malicious data into a compromised request so that it is reflected into an HTTP response header.

12. Brute-force SSH, FTP, and other credentials to gain unauthorized access.

13. Hijack sessions to capture valid client cookies and session IDs, using tools like Burp Suite, Firesheep, and JHijack for automated session retrieval.

14. Perform MITM attacks to capture sensitive information by intercepting and altering communication between end users and the web server.

15. Examine the web server logs using web log analyzers such as AWStats.
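The log review in step 15 is where the traversal attempts (step 8) and brute-force attempts (step 12) from the checklist show up on the defender's side. The PowerShell below is an added example, not part of the original article: it parses the W3C Extended format that IIS writes (see the auditing checklist further down) and flags both patterns. The log lines are constructed sample data.

```powershell
# Added example (not from the original article): triage a W3C Extended IIS log
# for directory traversal attempts and logon brute-forcing. The log lines below
# are constructed sample data; field order follows the #Fields directive.
$sampleLog = @'
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-10 10:00:01 198.51.100.7 GET /index.html - 200
2024-01-10 10:00:02 198.51.100.7 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe /c+dir 404
2024-01-10 10:00:03 203.0.113.9 POST /login.aspx - 401
2024-01-10 10:00:03 203.0.113.9 POST /login.aspx - 401
2024-01-10 10:00:04 203.0.113.9 POST /login.aspx - 401
2024-01-10 10:00:05 203.0.113.9 POST /login.aspx - 401
2024-01-10 10:00:06 203.0.113.9 POST /login.aspx - 401
2024-01-10 10:00:07 192.0.2.4 GET /images/../../../../boot.ini - 403
'@

function Get-W3CEntries {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Field names follow the '#Fields:' directive, space separated
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

$entries = Get-W3CEntries -Lines ($sampleLog -split "`r?`n")

# Directory traversal: decode URL escapes first so %2f / %2e variants are caught,
# then look for a parent-directory reference anywhere in the requested path.
$traversal = $entries | Where-Object {
    $decoded = [uri]::UnescapeDataString($_.'cs-uri-stem')
    $decoded -match '\.\.[\\/]'
}

# Brute force: more than $threshold 401 responses from one client IP to the same URI.
$threshold = 3
$bruteForce = $entries | Where-Object { $_.'sc-status' -eq '401' } |
    Group-Object 'c-ip', 'cs-uri-stem' | Where-Object { $_.Count -gt $threshold }

$traversal  | Select-Object 'date', 'time', 'c-ip', 'cs-uri-stem' | Format-Table -AutoSize
$bruteForce | Select-Object Name, Count | Format-Table -AutoSize
```

On a real server, replace `$sampleLog` with `Get-Content` of the IIS log directory and tune `$threshold` to the application's normal failed-logon rate.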

Hardening checklist suggested by Microsoft

Services

  • Unnecessary Windows services are disabled.
  • Services run using least-privileged accounts.
  • The FTP, SMTP, and NNTP services are disabled if they are not required.
  • The Telnet service is disabled.

Protocols

  • WebDAV is disabled if it is not used by the application; where it is required, it is secured.
  • The TCP/IP stack is hardened. NetBIOS and SMB are disabled (ports 137, 138, 139 and 445 are closed).

Accounts

    • Unused accounts are removed from the server.
    • The Guest account is disabled.
    • The IUSR_MACHINE account is disabled if it is not used by the application.
    • If your applications need anonymous access, a custom anonymous account is created.
    • The anonymous account has no write access to the Web content directories and cannot execute command-line tools.
    • Strong account and password policies are enforced.
    • Remote logons are restricted. (The "Access this computer from the network" user right is removed from the Everyone group.) Accounts are not shared between administrators.
    • Null sessions (anonymous logons) are disabled.
    • Approval is required for account delegation.
    • Users and administrators do not share accounts.
    • There are no more than two accounts in the Administrators group.
    • Administrators must log on locally OR the remote administration solution is secure.

Files and Directories

    • Files and directories are stored on NTFS volumes. Web site content is stored on a non-system NTFS volume.
    • Log files are stored on an NTFS volume other than the one on which the Web site content resides.
    • The Everyone group is restricted (no access to \WINNT\system32 or the Web directories).
    • The Web site root directory has a deny-write ACE for anonymous Internet accounts.
    • Content directories have a deny-write ACE for anonymous Internet accounts.
    • The remote administration application is removed. Resource kit tools, utilities, and SDKs are removed.
    • Sample applications are removed. Any unwanted shares (including default administration shares) are removed.
    • Access to the required shares is restricted (the Everyone group has no access).
    • Administrative shares (C$ and Admin$) are removed when not required (Microsoft Systems Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).

Ports

    • Internet-facing interfaces are restricted to port 80 (and 443 when SSL is used).
    • Intranet traffic is encrypted (e.g. with SSL) or restricted if the data center infrastructure is not secure.

Registry

    • Remote registry access is restricted.
    • The SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).
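Several of the Services, Protocols, Accounts and Registry items above can be verified from the server itself. The PowerShell below is an added example, not from the article or from Microsoft's checklist; it is read-only and assumes the standard Windows service names for Telnet, IIS FTP, SMTP and NNTP (TlntSvr, ftpsvc, SMTPSVC, NntpSvc) and an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the original article): read-only audit of a few checklist
# items from the Services, Protocols, Accounts and Registry sections. Run in an
# elevated PowerShell 5.1+ session on the server being reviewed; nothing is changed.
$findings = New-Object System.Collections.Generic.List[string]

# Services: Telnet, FTP, SMTP and NNTP should be absent or disabled.
# Service names are the standard Windows/IIS ones (assumption, adjust if renamed).
foreach ($svc in 'TlntSvr', 'ftpsvc', 'SMTPSVC', 'NntpSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -ne 'Disabled') {
        $findings.Add("Service $svc is present with StartType '$($s.StartType)' (expected Disabled)")
    }
}

# Protocols: NetBIOS and SMB should not be listening on an Internet-facing host.
$smbPorts = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 139, 445 }
if ($smbPorts) {
    $ports = ($smbPorts.LocalPort | Sort-Object -Unique) -join ', '
    $findings.Add("SMB/NetBIOS listening on TCP $ports (expected closed)")
}

# Accounts: Guest disabled, and no more than two members in Administrators.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings.Add('Guest account is enabled') }
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
if ($admins.Count -gt 2) {
    $findings.Add("Administrators group has $($admins.Count) members (expected <= 2)")
}

# Registry: NoLMHash stops the weak LM hash being stored in the SAM;
# RestrictAnonymous limits what null sessions (anonymous logons) can enumerate.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.NoLMHash -ne 1)          { $findings.Add('NoLMHash is not set to 1') }
if ($lsa.RestrictAnonymous -ne 1) { $findings.Add('RestrictAnonymous is not set to 1') }

if ($findings.Count -eq 0) { 'No deviations from the checked items.' } else { $findings }
```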

Auditing and Logging

    • Failed logon attempts are audited.
    • IIS log files are relocated and secured.
    • Log files are configured with an appropriate size according to the application's security requirements.
    • Log files are archived and reviewed regularly.
    • Access to the Metabase.bin file is audited.
    • IIS is configured for W3C Extended log file format auditing.

Server Certificates

    • Ensure the certificate's date range is valid.
    • Use certificates only for their intended purpose (for example, the server certificate is not used for e-mail).
    • Ensure that the certificate's public key is valid, all the way up to a trusted root authority.
    • Confirm that the certificate has not been revoked.
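The four certificate checks above map directly onto .NET's X509 classes. The PowerShell below is an added example, not from the article: it connects to a web server, retrieves its certificate, and reports the validity period, the Server Authentication purpose (EKU), chain trust, and revocation status. The host name `www.example.com` is a placeholder.

```powershell
# Added example (not from the original article): fetch a web server's TLS certificate
# and check validity dates, intended purpose (Server Authentication EKU), chain to a
# trusted root, and revocation. Host name is a placeholder to be replaced.
function Test-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate during the handshake so we can inspect it ourselves below.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $client.Dispose() }

    $now = Get-Date
    $result = [ordered]@{
        Subject    = $cert.Subject
        DatesValid = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        NotAfter   = $cert.NotAfter
    }

    # Purpose: 1.3.6.1.5.5.7.3.1 is the id-kp-serverAuth OID (TLS server authentication).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $result.ServerAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # Chain and revocation: build the chain against the machine's trusted roots and
    # query CRL/OCSP for every certificate in the chain, not just the leaf.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $result.ChainTrusted = $chain.Build($cert)
    $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $result.Revoked      = [bool]($chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' })
    [pscustomobject]$result
}

Test-ServerCertificate -HostName 'www.example.com'
```

`ChainTrusted` is false whenever any chain error is present, so read `ChainStatus` to tell an untrusted root apart from an expired intermediate or a failed revocation lookup.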
Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.