6.1 Web Server Attacks & Hardening
Key Takeaways
- A web server is the network-exposed software (Apache, Nginx, IIS) that serves HTTP/HTTPS content; the operating system, application runtime, and database behind it form the wider attack surface tested on CEH.
- Most real-world web server compromises trace back to misconfiguration, missing patches, default credentials, or unnecessary services rather than novel zero-day exploits.
- Directory traversal exploits insufficient path validation to read files outside the web root; the fix is canonicalize-then-validate plus a strict server-side allow-list, never blacklist filtering.
- Web Application Hacking is the single highest-weighted CEH web area, and tools such as Nmap, Nikto, and Burp Suite are used to fingerprint and probe the server before any exploit.
- Server hardening is layered: minimize the attack surface, patch on a schedule, remove default content, enforce least privilege for the service account, and suppress verbose banners and error messages.
Why Web Server Hacking Matters for CEH
Web Application Hacking is the single highest-weighted topic in both the CEH theory exam and the CEH practical, and the web server is where the attack begins. The web server is the only component a remote attacker can usually reach directly, so it absorbs the first wave of probing. CEH questions in this area are rarely about exotic exploits — they test whether you can connect an observed symptom (a leaked file, a default page, a verbose error, a /etc/passwd disclosure) to the underlying weakness and the correct countermeasure.
The defensive lesson is that the web server is a trust boundary: everything past it should treat the request as hostile.
Web Server Architecture
A modern web application is a stack of trust layers, not a single program. Understanding the layers tells you where a flaw lives and what a control can actually protect:
- Web server software — Apache HTTP Server, Nginx, or Microsoft Internet Information Services (IIS). It terminates HTTP/HTTPS, serves static files, and forwards dynamic requests to the runtime.
- Application runtime — the interpreter or framework (PHP, Java/Tomcat, .NET, Node.js) that executes business logic.
- Data tier — the database or object store the application reads and writes.
- Operating system — the host the whole stack runs on; a service-account compromise often pivots here to the rest of the network.
A flaw in any layer can become a full compromise, which is why CEH stresses defense in depth rather than a single control.
Reconnaissance Tools CEH Tests
Before exploiting a server, an ethical hacker fingerprints it. CEH expects you to match the tool to the task:
| Tool | Role against a web server |
|---|---|
Nmap (with -sV and the http-* NSE scripts) | Discover open ports, identify the server software and version |
| Nikto | Scan for known vulnerable files, default pages, outdated software, misconfigurations |
Netcat / curl | Manually grab the Server: banner and inspect raw HTTP responses |
| dirb / Gobuster / dirbuster | Brute-force hidden directories and files (admin panels, backups) |
| Burp Suite / OWASP ZAP | Intercepting proxy used to map and manipulate requests |
| Metasploit | Validate and demonstrate exploitation of a confirmed CVE |
How Web Servers Get Compromised
Real incidents overwhelmingly involve preventable conditions, not novel research:
- Misconfiguration — directory listing enabled, sample/admin apps left installed, overly permissive file permissions, debug mode on in production.
- Missing patches — a known Common Vulnerabilities and Exposures (CVE) in the server or a loaded module that was never updated.
- Default credentials — admin consoles or management interfaces left at vendor defaults.
- Information leakage — verbose
Server:banners, stack traces, and exposed.bak/.git/.envfiles that hand attackers a map. - Unnecessary services — extra modules, protocols, or virtual hosts that widen the attack surface for no business reason.
Directory Traversal (Path Traversal)
Directory traversal lets an attacker read or write files outside the intended web root by manipulating a file-path parameter so it walks up the directory tree (conceptually, using parent-directory ../ sequences). It happens because the application builds a filesystem path from untrusted input and then opens that path without validating where it actually resolves. The classic impact is disclosure of sensitive files such as configuration files or the system password file (/etc/passwd on Linux, boot.ini/SAM-related paths on Windows).
Illustrative, non-operational example of the flawed pattern (shown only to explain the fix): an application that does open(webroot + userInput) trusts userInput to stay inside webroot. It does not. Attackers also try encoded variants (%2e%2e%2f, double-encoding) to bypass naive filters — which is exactly why blacklist filtering fails.
Remediation (the part CEH rewards):
- Canonicalize then validate — resolve the final absolute path and confirm it is still inside the intended base directory before opening it.
- Allow-list, never blacklist — accept only known-good identifiers (e.g., a file ID that maps server-side to a path), instead of filtering bad characters.
- Run the service with least privilege so even a successful traversal cannot read files the web user should never touch.
- Disable directory listing and remove backup/source-control artifacts from the web root.
Server Hardening Checklist
| Hardening control | Weakness it removes |
|---|---|
| Apply vendor patches on a defined cadence; track CVEs for the server and every module | Exploitation of known vulnerabilities |
| Remove sample apps, default content, and unused modules/handlers | Default-install and unnecessary-service exposure |
| Change all default credentials; restrict management interfaces by network | Default-credential takeover |
| Suppress version banners; return generic error pages | Fingerprinting and information leakage |
| Run the service as a low-privilege, non-root account | Privilege escalation after a foothold |
| Enforce TLS, disable weak ciphers/protocols | Eavesdropping and downgrade attacks |
| Deploy a Web Application Firewall (WAF) as a compensating layer | Mass-scanned and known-pattern attacks |
Patch Management
Patch management is the disciplined process of inventorying assets, monitoring vendor and CVE advisories, testing fixes, and deploying them within a defined window. CEH frames it as a process, not a one-time task: an unpatched module is the single most common root cause of web server compromise, and a server is only as current as its least-maintained component. Defenders pair patching with continuous vulnerability scanning so a newly disclosed CVE is detected and remediated before an attacker weaponizes it.
A penetration tester retrieves the contents of a sensitive system configuration file by submitting a crafted value in a web application's file-download parameter. The file is well outside the application's web root. Which vulnerability class is this, and what is the strongest remediation?
Which web server condition most directly enables an attacker to fingerprint the exact server software and version so they can search for matching exploits?
An ethical hacker wants to enumerate a web server's open ports and identify the exact server software and version as a first step. Which tool is the best fit?