Things You Should Do | Web Server Penetration Testing

Web server penetration testing is performed under three major categories: identify, analyze and report vulnerabilities, such as authentication weaknesses, configuration errors and protocol-related vulnerabilities.


  1. "Do a sequence of methodical and repeatable tests" is the best approach to testing the web server and, alongside this, to working through all of the different application vulnerabilities.

  2. "Gather as much information as possible" about an organization, starting from its operating environment; this is the main area to concentrate on in the initial phase of web server pen testing.

  3. Perform web server authentication testing; use social engineering techniques to collect information about human resources, contact details and other social-related information.

  4. Gather information about the target: use whois database query tools to get details such as domain name, IP address, administrative details, autonomous system number, DNS and so on.

  5. Fingerprint the web server to gather information such as server name, server type, operating system, applications running on the server and so on; use fingerprint scanning tools such as Netcraft, HTTPrecon, ID Serve.

  6. Crawl the website to gather specific information from web pages, such as email addresses.

  7. Enumerate web server directories to extract important information about web functionalities, login forms and so on.

  8. Perform a directory traversal attack to access restricted directories and execute commands from outside of the web server root directories.

  9. Perform vulnerability scanning to identify weaknesses in the network; use vulnerability scanning tools such as HP WebInspect, Nessus, and determine whether the system can be exploited.

  10. Perform a web cache poisoning attack to force the web server's cache to flush its actual cache content and send a specially crafted request which will be stored in the cache.

  11. Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.

  12. Brute force SSH, FTP and other service login credentials to gain unauthorized access.

  13. Perform a man-in-the-middle attack to capture valid session cookies and IDs; use tools such as Burp Suite, Firesheep, hijack to automate session hijacking.

  14. Perform an MITM attack to access sensitive information by intercepting and altering the communications between end users and web servers.

  15. Use tools such as Webalizer, AWStats to examine the web server logs.

Web Server To-do List:

• Unnecessary Windows services are disabled.

• Services are running with least-privileged accounts.

• FTP, SMTP and NNTP services are disabled if they are not required.

• Telnet service is disabled.

• TCP/IP stack is hardened.

• NetBIOS and SMB are disabled (closes ports 137, 138, 139 and 445).

• Unused accounts are removed from the server.

• The Guest account is disabled.

• IUSR_MACHINE account is disabled if it is not used by the application.

• If your applications require anonymous access, a custom least-privileged anonymous account is created.

• The anonymous account does not have write access to Web content directories and cannot execute command-line tools.

• Strong account and password policies are enforced for the server.

• Remote logons are restricted.

• Accounts are not shared among administrators.

• Null sessions (anonymous logons) are disabled.

• Approval is required for account delegation.

• Users and administrators do not share accounts.

• No multiple accounts exist in the Administrators group.

• Administrators are required to log on locally OR the remote administration solution is secure.

Files and Directories

• Files and directories are contained on NTFS volumes.

• Web site content is located on a non-system NTFS volume.

• Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.

• The Everyone group is restricted (no access to \WINNT\system32 or Web directories).

• Web site root directory has a deny-write ACE for anonymous Internet accounts.

• Content directories have a deny-write ACE for anonymous Internet accounts.

• Remote administration application is removed.

• Resource kit tools, utilities and SDKs are removed.

• Sample applications are removed.

• All unnecessary shares are removed (including default administration shares).

• Access to required shares is restricted (the Everyone group does not have access).

• Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).

• Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used).

• Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.

• Remote registry access is restricted.

• SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).

Auditing and Logging

• Failed logon attempts are audited.

• IIS log files are relocated and secured.

• Log files are configured with an appropriate size depending on the application security requirement.

• Log files are regularly archived and analyzed.

• Access to the Metabase.bin file is audited.

• IIS is configured for W3C Extended log file format auditing.
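As an added example (not part of the original checklist), the following Python script shows what examining the logs from step 15 looks like once IIS writes the W3C Extended format: it reads column names from the #Fields directive, then flags directory traversal sequences in requested paths and clients with repeated 401/403 responses (a brute-force indicator). The log excerpt is constructed sample data, and the detection patterns and threshold are assumptions you would tune for your own server.

```python
"""Parse IIS W3C Extended log lines and flag traversal attempts and failed-logon bursts."""
import re
from collections import Counter

# Constructed sample excerpt in IIS W3C Extended format (not from any real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-05-01 10:00:01 203.0.113.5 GET /index.html - 200
2024-05-01 10:00:02 203.0.113.5 GET /images/../../../windows/win.ini - 404
2024-05-01 10:00:03 203.0.113.5 GET /scripts/..%2f..%2fboot.ini - 404
2024-05-01 10:00:04 198.51.100.7 GET /admin/ - 401
2024-05-01 10:00:05 198.51.100.7 GET /admin/ - 401
2024-05-01 10:00:06 198.51.100.7 GET /admin/ - 401
2024-05-01 10:00:07 198.51.100.7 GET /admin/ - 401
2024-05-01 10:00:08 192.0.2.9 GET /about.html - 200
"""

# Assumed traversal signatures: plain, backslash and URL-encoded "dot dot" sequences.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|\.\.%2f|%2e%2e)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                       # skip other directives and blanks
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_traversal(records):
    """Return (client IP, path) for requests whose path or query holds a traversal sequence."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in records
            if TRAVERSAL.search(r["cs-uri-stem"] + r.get("cs-uri-query", ""))]


def failed_logon_sources(records, threshold=3):
    """Return client IPs with at least `threshold` 401/403 responses (possible brute force)."""
    counts = Counter(r["c-ip"] for r in records if r["sc-status"] in ("401", "403"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def analyze(text=SAMPLE_LOG, threshold=3):
    """Run both detections over a log text and return the findings."""
    records = list(parse_w3c(text))
    return {"traversal": find_traversal(records),
            "brute_force": failed_logon_sources(records, threshold)}


if __name__ == "__main__":
    print(analyze())
```

On a real server, feed the script the contents of the relocated IIS log files instead of SAMPLE_LOG and review the flagged clients against the audited failed-logon events.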

Server Certificates

• Ensure certificate date ranges are valid.

• Only use certificates for their intended purpose (for example, the server certificate is not used for email).

• Ensure the certificate's public key is valid, all the way up to a trusted root authority.

• Confirm that the certificate has not been revoked.
