Penetration Tester's Open Source Toolkit

This chapter covers port 80. A responsive port 80 (or 443) raises several questions for attackers and penetration testers:
Can I compromise the Web server due to vulnerabilities on the server daemon itself?
Can I compromise the Web server due to its un-hardened state?
Can I compromise the application running on the Web server due to vulnerabilities within the application?
Can I compromise the Web server due to vulnerabilities within the application?
This chapter explains how a penetration tester would most likely answer each of the above questions.
Attacking or assessing companies over the Internet has changed over the past few years, from assessing a multitude of services to assessing just a handful. It is rare today to find an exposed world-readable Network File Server (NFS) share on a host, or an exposed vulnerable service such as fingerd. Network administrators have long known the joys of "default deny rule bases," and vendors no longer leave publicly disclosed bugs un-patched on public networks for months. Chances are that when you are on a server on the Internet you are using Hypertext Transfer Protocol (HTTP). Netcraft (http://www.netcraft.com) maintains that 70% of the servers visible on the Internet today are Web servers, with a plethora of services being added on top of HTTP.
For as long as there have been Web servers there have been security vulnerabilities. And as superfluous services have been shut down, Web security vulnerabilities have become the focal point of attacks. The once fragmented...