Web Server Penetration Testing Checklist For Penetration Tester

Web Server Penetration testing is the execution of testing a computer system, network or web application to find the system is vulnerable or not so that remote attackers can easily attack. A web server security test focus only on evaluating the security of web application. The process involves an analysis of the application of any weakness, technical flaws or vulnerabilities.

Testing of a web server is performed under 3 major categories which are identified, Analysis of web server applications, Report Vulnerabilities such as authentication Weakness, configuration error, and protocol relation vulnerabilities.

Web server Penetration testing process includes

  • ”Conduct a serial of repeatable test” perform a test with different applications along with work of web server to check vulnerabilities in the network.
  •  Conduct a search engine for information leakage to perform different test such as network diagrams, emails by administrators, error message content, staging versions of a website.
  • ”Collect as much as information” from the main operating environment to concentrate on initial stage for web server pen testing.
  • Use the different advance site for collecting information. Perform all the collection of information from the initial stage of working of a web server.
  • Use different tools to perform authentication testing such as Social engineering, phishing to collect information about details related to social related, Human Resources, contact details.
  •   Collecting information about the target by using different tools such as whois Database query tools to get the details such as domain name, IP address, Administrative details, DNS, Autonomous system number etc.

A few days back a new impressive BlackArch Linux distros for penetration tester has been released. It has a compatible rolling distribution which is more simple to use for pentesters.


Grabber is a nice web application scanner which can detect many security vulnerabilities in web applications. It performs scans and tells where the vulnerability exists. It can detect the following vulnerabilities:

  • Cross-site scripting
  • SQL injection
  • Ajax testing
  • File inclusion
  • “Finger Print web server” critical task for the Penetration tester, Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing.  use fingerprint scanning tool such as ID serve, Netcraft, HTTPrecon.
  •  To gather information about web pages, such as email addresses use Crawl Website it gives all the information in detail about each website you can also use web server scanner to get information about website in web server.
  • Enumerate web server Directorieslinked with files to extract important information about web functionalities, login forms etc.
  •  “Directory traversal attack”
    Properly controlling access to web content is crucial for running a secure web server. Directory traversal is an  HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server’s root directory.
  • Performing vulnerability scanning to identify the weakness in the network use the vulnerability scanning tools such as HPwebinspect, Nessus, and determine if the system can be exploited.
  • “Cache poisoning attack” The success of a cache poisoning attack relies on the existence of exploitable vulnerabilities in DNS software. Once an attacker has sent a forged DNS response, the corrupt data provided by the attacker gets cached by the real DNS name server.
  • Performing HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.
  • Bruteforce SSH, FTP, and other services login credentials to gain unauthorized access.
  • ”MITM(Man in the middle attack)” is the attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
  • Session Hijacking to capture valid session cookies and ID’s tools such as Burp Suite, Firesheep, hijack automated session hijacking.
  • Use tools such as Webalizer, AWStats to examine the web server logs.
CORE Impact Pro

Core impact is the most comprehensive solution for assessing and testing security vulnerabilities throughout your web server organization.

Core Impact is the only solution that empowers you to replicate attacks that pivot across systems, devices, and applications, revealing how chains of exploitable vulnerabilities open paths to your organization’s mission-critical systems and data.

Core impact pro is the software solution for assessing and testing the vulnerabilities on the organization’s web servers, Network system ’s, Endpoint systems, wireless networks, network devices, Mobile devices, IDS/ IPS.

Comprehensive checklist suggested by Microsoft
  • Unnecessary Windows services are disabled.
  • Services are running with least-privileged accounts.
  • FTP, SMTP, and NNTP services are disabled if they are not required.
  • WebDAV is disabled if not required.
  • TCP/IP stack is hardened
  • NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).
  • Unused accounts are removed from the server.
  • Guest account is disabled.
  • IUSR_MACHINE account is disabled if it is not used by the application.
  • Strong account and password policies are enforced for the server.
  • Remote logins are restricted.
  • Accounts are not shared among administrators.
  • Null sessions (anonymous logins) are disabled.
  • Approval is required for account delegation.
  • Users and administrators do not share accounts.
  • No more than two accounts exist in the Administrators group.
  • Administrators are required to log on locally OR the remote administration solution is secure.
  • Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used)
  • Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.
Files and Directories
  • Files and directories are contained on NTFS volumes
  • Website content is located on a non-system NTFS volume.
  • Log files are located on a non-system NTFS volume and not on the same volume where the Website content resides.
  • Every group is restricted (no access to \WINNT\system32 or Web directories).
  • Website root directory has denied write ACE for anonymous Internet accounts.
  • Content directories have denied write ACE for anonymous Internet accounts.
  • Remote  administration application is removed
  • Resource kit tools, utilities, and SDKs are removed.
  • Sample applications are removed
  • Remote registry access is restricted.
  • SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).
Server Certificates
  • Ensure certificate date ranges are valid.
  • Only use certificates for their intended purpose (For example, the server certificate is not used for e-mail).
  • Ensure the certificate’s public key is valid, all the way to a trusted root authority.
  • Confirm that the certificate has not been revoked.


Ashwini Gurne

Ashwini Gurne is a software developer and also a contributor for Security leaks. As a contributor, her aim is to work on latest technologies and to spread cyber awareness among general public.

Leave a Reply

Your email address will not be published. Required fields are marked *