The availability and security of your web server is the difference between a loyal customer and one who will never use your services again — or worse, spread the bad word about your business. Since almost all the Internet services available are served from web servers, they are prime targets for cyber attacks. Just last week, North American servers of Final Fantasy XIV were hit by a DDoS attack, disrupting game access region-wide.
The bigger the prize, the more attackers will be attracted to it. Part of ensuring a resilient cyber security posture is working with a partner to conduct penetration tests on business-critical technologies.
What is a Penetration Test?
What's the most effective way to determine if the cyber defenses you've set up can be hacked?
By hiring qualified, battle-tested, and ethical hackers to target you — a.k.a Penetration Testing. Penetration testing (‘Pentest’) is an authorized simulation of an attack on a system, network, or application to find potential vulnerabilities that can be exploited. Vulnerabilities can exist anywhere — web servers, operating systems, services and application flaws, or improper configurations, for instance.
Obviously, no defense is impenetrable. The security posture you put forth will determine the speed and extent to which your assets can be compromised. The longer an attacker spends challenging your defenses, the more risk he or she is exposed to, and the higher the likelihood they’d be caught.
And that's the state you want to get to. One that deters the attacker from even probing around your security defenses for that chink in your armour.
Typically, a Pentest informs you about the obvious vulnerabilities in your security posture. But more than just knowing all the vulnerabilities, it's vital to know which you should prioritize fixing since every business is unique. According to the Penetration Testing of Corporate Information Systems report by Positive Technologies, 75% of successful penetration vectors exploited the weak security of web resources.
When turning towards identifying vulnerabilities on Web Servers, there are three broad areas that need to be addressed. First is the identification of the web infrastructure. Second is the analysis of web server applications. And third is the discovery of vulnerabilities such as weak authentication, configuration errors, and insecure protocols.
What to expect in Web Server Pentesting
A pentest doesn’t just reveal your vulnerabilities, but also the competence of your security or development team. At Horangi, \\[a key objective of our pentest](/blog/pentesting-methodology-101/) reports and recommendations is to help improve the security maturity and responsiveness of our customer’s IT team.
IT teams that are new to web server security can refer to the checklist below to understand the various exploitable target areas in a server:
- Perform repeatable tests: This is to consistently test the web server for critical application vulnerabilities, helping to maintain a baseline level of security
- Information collection: Collect available data from operation environments to facilitate the pentest
- Authentication testing: How secure are the authentication protocols? Here, vendors can employ social engineering techniques in order to gain access to sensitive user credentials.
- Gather Target Information: Collect details such as domain name, IP address, admin information, autonomous system number, DNS etc. with whois database query tools
- Web server fingerprinting: Fingerprint scanning tools can help to gather information such as server name, server type, operating systems, and applications running on the server
- Website crawling: Check if there is confidential information, or information that can be exploited, that can be found on webpages
- Web server directories: Look for critical data such as web functionalities and login forms on web server directories
- Directory traversal attack: To access restricted directories and execute orders from outside the web server root directory
- Vulnerability scanning: Use automated tools to identify exploitable vulnerabilities in the web server
- Cache poisoning attack: Cache poisoning attacks are commands that manipulate web server caches into flushing original cache contents in place for malicious cache content
- HTTP response splitting: A HTTP response splitting attack exploits vulnerable applications by passing malicious data to be included in a HTTP response header
- Brute force attacks on services: Another way to gain unauthorized access is to brute force SSH, FTP, and related services
- Cookie hijacking: Exploit valid session cookies and IDs to gain unauthorized access to systems
- Man-in-the-middle (MITM) attacks: By intercepting the communication between servers and endpoints, outsiders can gain unauthorized access to internal systems
- Web server logs: Inspecting web server logs using server pentest tools such as Webalizer, AWstats
Before engaging a security partner to conduct a web server pentest, get your IT team to perform a thorough internal security review. A useful Pentest report can highlight your team’s security blind spots and benchmark the team’s security maturity to industry standards.
Just as cybersecurity is an ongoing process, a pentest isn’t a one-and-done activity. By the time you get to the second and third pentest reports, you’ll get to see many reassuring improvements in your organization’s security posture, all of which solidify your business’ image.