Security 106 - Apache and IIS

Author: Bill Ricardi
Reviewer: uTest

Apache is the most popular web server (also known as an HTTPD) on the Unix and BSD platforms. IIS, among the other services it provides, is Microsoft's enterprise HTTPD suite. In order to fully comprehend what happens when you contact an Apache or IIS server, it is helpful to know their inner workings. However, that can take months or years of courses and experimentation.

Instead, the goal of this document is to quickly expose you to the key security concepts that will help you to test the integrity of these popular web servers. You're still going to have to do a lot of research in order to discover specific exploits of course, so here are the two main links that you'll need:

http://technet.microsoft.com/en-us/library/bb625087.aspx – Microsoft's IIS resource homepage.

http://httpd.apache.org/security/ – Apache's security archives.

HTTPD Patch Level

A common theme that you'll see in these security bulletins: Patch level means everything. As security experts find holes in software, developers race to patch them. The main way to leave your web server vulnerable to attack is to fall behind in your product updates. The older and less patched your HTTPD is, the more likely a hacker will find a way in.

When you perform an automated scan of a Microsoft web server, you will see that the main IIS version is tied to the OS it is running on, rather than to a major revision level of its own. No matter how extensively an IIS product is changed from its original form, Windows 7 runs IIS 7.5; Windows Server 2008 and Vista run IIS 7.0; Windows Server 2003 and 64-bit XP Pro run IIS 6.0; 32-bit Windows XP Pro and Media Center run IIS 5.1; Windows 2000 runs IIS 5.0; and NT 4 runs IIS 4.0. The numbers that come after that main IIS version number indicate the actual patch level. Microsoft maintains several simultaneous IIS platforms, only dropping them when the operating system that they were designed to run on becomes a legacy product.

When you visit our second link, you will see three Apache source trees. Apache version 1.3 is the oldest base, then 2.0, and the newest base is 2.2. Like Microsoft, the Apache project maintains its three code trees simultaneously. Reasons for running an older code base range from the processing power of the web server to compatibility issues with the operating system and other software it runs. Regardless of the reasons that a client might be running a particular version of Apache, each base and patch level has its own strengths and weaknesses.

The File-Application Correlation

You'll notice that automated scanners make a big deal over probing for specific files published in the HTTP directory. When a scanner finds key files, it might suggest which third-party applications are installed on the server, or it might just flag them as 'interesting'. You should manually confirm that the files exist, since the web server might be trying to throw false positives at you to waste your time.

Once you've confirmed that a certain web application is installed, you can start probing for vulnerabilities associated with that program. The vast majority of security issues on a web server are caused by third-party software, rather than by the version of the HTTPD itself. Often, an old database, a long-forgotten installation of Lotus Domino, or a vulnerable PHP extension will be a server's downfall.

Educational Error Messages and Extra Information

Generating errors on a web server is an excellent way to discover more information about its basic configuration. For example, intentionally requesting a nonsense page will normally generate a 404 error screen. If the server isn't configured properly, you might get a very verbose error message like this:

Not Found

The requested URL /en/Info.h was not found on this server.

Apache/2.2.8 (Ubuntu) DAV/2 PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
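As an added check (not code from the original article), this Python snippet classifies a banner like the one above by the Apache ServerTokens level that could have produced it and lists every product/version pair it discloses, so you can confirm what your own server gives away. The level names and banner shapes are Apache's own; SAMPLE_BANNER is the signature line from the 404 page above.

```python
import re

# The signature line from the verbose 404 page above (from the article).
SAMPLE_BANNER = ("Apache/2.2.8 (Ubuntu) DAV/2 PHP/5.2.4-2ubuntu5.10 "
                 "with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g")

# Shape of the banner at each Apache ServerTokens level (from Apache's docs):
#   Prod "Apache", Major "Apache/2", Minor "Apache/2.2", Min "Apache/2.2.8",
#   OS "Apache/2.2.8 (Ubuntu)", Full "Apache/2.2.8 (Ubuntu) DAV/2 PHP/5.2.4 ..."
BANNER_RE = re.compile(
    r"^Apache(?:/(\d+)(?:\.(\d+)(?:\.([^\s(]+))?)?)?(?:\s*\(([^)]*)\))?(.*)$")

# "name/version" pairs such as PHP/5.2.4-2ubuntu5.10 or OpenSSL/0.9.8g
COMPONENT_RE = re.compile(r"([A-Za-z][\w-]*)/([0-9][\w.-]*)")


def classify_server_tokens(banner):
    """Return the least verbose ServerTokens level that can emit this banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unknown"          # not an Apache-style banner (e.g. IIS)
    major, minor, patch, os_name, modules = m.groups()
    if modules.strip():
        return "Full"
    if os_name:
        return "OS"
    if patch:
        return "Min"
    if minor:
        return "Minor"
    if major:
        return "Major"
    return "Prod"


def disclosed_components(banner):
    """List every (product, version) pair the banner gives away."""
    return COMPONENT_RE.findall(banner)


def signature_in_body(body, server_header):
    """True when ServerSignature is On: the banner is echoed in the error page."""
    return server_header.strip() in body


if __name__ == "__main__":
    print(classify_server_tokens(SAMPLE_BANNER))   # Full
    for product, version in disclosed_components(SAMPLE_BANNER):
        print(f"  {product} {version}")
```

Run it against the Server header and body of your own 404 page; anything above Prod, or a banner echoed in the body, is a disclosure to switch off.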

You couldn't give away more information if you tried! OS version, Apache version, and PHP and SSL versions, all on display for the world to see. Another way to get more information than you're normally entitled to is to see if the server generates Multiple Choices responses (status code 300). For example:

Multiple Choices

The document name you requested (/webtools/jque) could not be found on this server. However, we found documents with names similar to the one you requested.

Available documents:

  • /webtools/jquery-pagination/ (common basename)

As you can see, on a server that has Multiple Choices enabled, you can attempt to browse its directory structure by entering partial strings and seeing what pops up. This can defeat attempts at security through obscurity. Similarly, checking out a site's robots.txt file can reveal aspects of the directory structure that much of the public isn't aware of. For example:

http://google.com/robots.txt

Finally, if you view the source of a web page, you'll probably find URLs for the various images and scripts. By checking out all of the base directories of those URLs, you can see if any of them have accidentally been left open for browsing. This might lead to unintended discoveries, ranging from installed third-party applications to private directories left openly viewable.
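As an added defender-side example (not part of the original article), this Python linter reads a constructed httpd.conf fragment and flags the directives behind each disclosure discussed above: ServerTokens and ServerSignature for the verbose 404 banner, MultiViews for the 300 Multiple Choices page, and Indexes for browsable directories. The directive names, values and defaults are Apache's own; both config fragments are constructed for the example.

```python
# Constructed httpd.conf fragment (not from the article) with the settings that
# produce a verbose 404 banner, 300 Multiple Choices pages and directory listings.
WEAK_CONF = """
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
"""

# The same fragment with each disclosure switched off.
HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks -MultiViews
    AllowOverride None
</Directory>
"""


def audit_httpd_conf(conf):
    """Return (directive, problem) findings for the disclosure settings above."""
    findings = []
    seen_tokens = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or line.startswith("<"):     # skip blanks and section tags
            continue
        directive, *args = line.split()
        name = directive.lower()
        if name == "servertokens":
            seen_tokens = True
            if not args or args[0].lower() != "prod":
                findings.append(("ServerTokens", "reveals version/OS/modules; use Prod"))
        elif name == "serversignature":
            if args and args[0].lower() != "off":
                findings.append(("ServerSignature", "echoes the banner on error pages; use Off"))
        elif name == "options":
            for opt in args:
                if opt.startswith("-"):          # explicitly disabled
                    continue
                flag = opt.lstrip("+").lower()
                if flag in ("indexes", "all"):   # Options All enables Indexes too
                    findings.append(("Options", "Indexes lists folders that lack an index file"))
                elif flag == "multiviews":
                    findings.append(("Options", "MultiViews answers partial names with a 300 list"))
    if not seen_tokens:                          # Apache's built-in default is Full
        findings.append(("ServerTokens", "not set; Apache defaults to Full"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_httpd_conf(conf))
```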

In conclusion, knowing how web servers work is crucial to finding their security flaws. Not everything can be accomplished via automated testing - sometimes human logic and curiosity are needed to find the big exploits. So learn your IIS and Apache when you get the chance, and remember to check every nook and cranny available to you.
