Web Server Penetration Testing Checklist

Web server pen testing is performed under three major categories: identifying, analysing, and reporting vulnerabilities such as authentication weaknesses, configuration errors, and protocol-related vulnerabilities.

“Conduct a series of methodical and repeatable tests” is the best way to test the web server, along with working through all of the different application vulnerabilities.


  • “Collecting as much information as possible” about an organization, including its operating environment, is the main area to concentrate on in the initial stage of web server pen testing.
  • When performing web server authentication testing, use social engineering techniques to collect information about human resources, contact details, and other social-related information.
  • To gather information about the target, use whois database query tools to get details such as domain name, IP address, administrative details, autonomous system number, DNS, etc.
  • Fingerprint the web server to gather information such as server name, server type, operating system, and applications running on the server, using fingerprint scanning tools such as Netcraft, HTTPrecon, and ID Serve.
  • Crawl the website to gather specific information from web pages, such as email addresses.
  • Enumerate web server directories to extract important information about web functionality, login forms, etc.
  • Perform a directory traversal attack to access restricted directories and execute commands from outside the web server root directories.



  • Perform vulnerability scanning to identify weaknesses in the network using vulnerability scanning tools such as HP WebInspect and Nessus, and determine whether the system can be exploited.
  • Perform a web cache poisoning attack to force the web server’s cache to flush its actual cache content and send a specifically crafted request, which will be stored in the cache.
  • Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.
  • Brute-force SSH, FTP, and other service login credentials to gain unauthorized access.
  • Perform session hijacking to capture valid session cookies and IDs; use tools such as Burp Suite, Firesheep, and JHijack to automate session hijacking.
  • Perform a MITM attack to access sensitive information by intercepting and altering the communications between end users and web servers.
  • Use tools such as Webalizer and AWStats to examine the web server logs.
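For the log-review step, an added example (not from the original article) of how three of the checklist items, directory traversal, HTTP response splitting and credential brute-forcing, show up in access logs and can be flagged. It is a standalone script, not a feature of Webalizer or AWStats; the sample log lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:13:55:40 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 152 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2024:13:55:41 +0000] "GET /redirect?to=home%0d%0aSet-Cookie:%20sid=1 HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "POST /login HTTP/1.1" 401 90 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "POST /login HTTP/1.1" 401 90 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:13:56:03 +0000] "POST /login HTTP/1.1" 401 90 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AUTH_FAIL_THRESHOLD = 3  # assumed threshold; tune to the site's normal traffic


def decode_fully(target, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are also seen."""
    for _ in range(rounds):
        target = unquote(target)
    return target


def scan(log_text):
    """Return (ip, finding) pairs for traversal, CRLF and repeated 401s."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, target, status = m.groups()
        decoded = decode_fully(target)
        if re.search(r'(^|[\\/=])\.\.([\\/]|$)', decoded):
            findings.append((ip, 'directory-traversal'))
        if '\r' in decoded or '\n' in decoded:
            findings.append((ip, 'crlf-in-request'))
        if status == '401':
            failures[ip] += 1
    findings += [(ip, 'repeated-auth-failures')
                 for ip, n in failures.items() if n >= AUTH_FAIL_THRESHOLD]
    return findings


if __name__ == '__main__':
    for ip, finding in scan(SAMPLE_LOG):
        print(ip, finding)
```

Findings from a scan like this are leads for review, not verdicts: a 404 on a traversal path means the attempt was logged, not that it succeeded.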

