Apache

Apache Web Server Overview:

  • Apache HTTP Server, commonly referred to as Apache, is an open-source web server software.

  • It plays a role in serving over a quarter of all active websites today.

Web Security Considerations:

  1. Default Configuration:

    • Out-of-the-box configurations are usually not optimized for security.

    • It's crucial to disable unnecessary modules and features.

  2. Directory Listings:

    • If directory listing is enabled (Options +Indexes), it can expose sensitive files or information.

    • Disable directory listings unless specifically required.

  3. Version Exposure:

    • By default, Apache exposes its version and other details. This can aid attackers in finding vulnerabilities.

    • Suppress this information using the ServerTokens Prod and ServerSignature Off directives.

  4. .htaccess Files:

    • Allows for directory-level configuration but can be misconfigured.

    • Ensure the server respects .htaccess rules by setting AllowOverride to All.

  5. Permissions:

    • Only give the minimal required permissions. Avoid running the server as the root user.

    • Protect sensitive directories with appropriate permissions and ownership.

  6. SSL/TLS Configuration:

    • Always use updated and strong encryption protocols and ciphers.

    • Regularly update SSL/TLS certificates and ensure expired certificates are renewed.

  7. Error Pages:

    • Custom error pages should not leak sensitive server information.

    • Avoid verbose errors that provide unnecessary details.

Pentesting Considerations:

  1. Information Gathering:

    • Tools like nmap can identify an Apache server, its version, and sometimes modules.

    • nikto is a popular web server scanner that can identify potential vulnerabilities.

  2. Directory Traversal:

    • Check if it's possible to navigate to unintended directories using ../.

  3. File Inclusion Vulnerabilities:

    • Test for Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities.

  4. Brute Force Attacks:

    • Tools like Hydra can be used to brute force directories, files, or authentication on an Apache server.

  5. Testing .htaccess & .htpasswd:

    • Ensure that .htaccess and .htpasswd files are not accessible from the web.

    • Brute force attack can be attempted on .htpasswd to crack passwords.

  6. ModSecurity:

    • Apache supports ModSecurity, a web application firewall (WAF). Determine if it's in use and attempt to bypass or identify misconfigurations.

  7. Logs and Monitoring:

    • During pentesting, be aware of how your activities are being logged. If it's an authorized test, ensure you've coordinated with relevant teams about the generated logs.

    • Apache logs can be found typically in /var/log/apache2/ or /var/log/httpd/.

  8. Misconfigured CORS:

    • Cross-Origin Resource Sharing (CORS) headers can be misconfigured, allowing unintended domains to interact with the web application.

Executable PHP extensions

Check which extensions is executing the Apache server. To search them you can execute:

Also, some places where you can find this configuration is:

CVE-2021-41773

PreviousAccess ControlNextAuthentication/OAuth

Last updated