alex_aldo - Fotolia


Addressing web server vulnerabilities below the application layer

Web application security is crucial, but enterprises also need to look below that layer for weaknesses. Kevin Beaver explains how to look for common web server vulnerabilities.

How's your web security? With your ongoing vulnerability and penetration testing, do you feel like your critical business systems can hold their own and remain resilient to attackers? Unless you're looking at your web environment in all the right ways, your web security posture might not be quite as strong as you think it is.

I've found that a lot of web security emphasis is on the application layer itself. That's not a bad thing when you factor in just how pervasive cross-site scripting, SQL injection and other detrimental application flaws really are. However, you have to look at the underlying server, as well.

Web server vulnerabilities

Just ask the security team, technology executives and CEO at Equifax: one misconfiguration at the web server level -- in their case, a missing Apache Struts update -- is all it takes to bring a massive enterprise to its knees. Remote exploits, denial-of-service attacks, you name it -- anything's possible beyond the application layer at the web server level.

Common web server vulnerabilities that I find in my assessments include:

  • Patches for web servers, such as Internet Information Server and Apache, and operating systems, such as Windows and Linux.
  • Open ports that facilitate unencrypted logins, open proxies or vulnerable services, such as file transfer protocol and simple network management protocol services.
  • Misconfigured permissions that allow for unauthorized public access to directories and files.
  • Domain name system cache snooping and traffic amplification.
  • Internal IP address of the server being revealed through hard coding or misconfigured web server headers.
  • Missing cross-frame scripting protection.

It's not just specific web server vulnerabilities either; related weaknesses can also be brought about by a lack of network security controls, such as intrusion prevention systems, web application firewall blocking, and proper event monitoring and alerting. Even simple firewall misconfigurations can lead to a successful attack on an organization.

Protecting web environments

One thing that I often see in terms of web security testing is people focusing just on penetration. They're able to capture the flag, so to speak, and then they stop looking for other security issues. This is extremely shortsighted, and quite likely the reason many organizations who have a formal security testing program still end up getting breached.

Instead of just a penetration test, what's needed is a full security assessment that looks at the entire system, soup to nuts, rather than trying to prove that a single exploit can be accomplished and an exercise can be stopped. It's all the other security vulnerabilities that are being overlooked in weak web security testing procedures that can come back to haunt you.
Another thing to keep in mind is, if you're just testing your production environment, how do your staging and development systems look? Similarly, if you're not able to test production, are your staging and development systems a true reflection of what's going on in the real world?

Eventually, you will need to look at and fix everything. This not only applies to external web systems, but internal ones, as well.


When it comes to web security, application scans are not enough, and neither is manual analysis or penetration testing. Traditional network vulnerability scanners will uncover weaknesses, but I'm finding more and more that dedicated web application vulnerability scanners are finding server-level flaws; you have to look at the server itself.

In many cases, it takes two, and sometimes three different scanners to find everything that matters. One scan with one tool is simply not enough to consistently find web server vulnerabilities. If true web security is to exist, then you have to look in all the right places. Otherwise, you simply don't know where things stand.

Next Steps

Learn how to use Nikto to scan for web server vulnerabilities

Find out how to update your enterprise incident response policy

Read more on setting up a security operations center

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing