Fixed web server vulnerabilities below the application layer

How is your web security? With your vulnerability and penetration testing underway, do you think your critical business systems can hold up and remain resilient to attackers? Unless you look at your web environment in all the right ways, your web security posture might not be as strong as you think.

I discovered that web security emphasizes the application layer itself. That’s not a bad thing when you factor in the ubiquity of cross-site scripting, SQL injection, and other detrimental application flaws. However, you also need to look at the underlying server.

Web server vulnerabilities

Just ask Equifax’s security team, CTOs and CEO: a misconfiguration at the web server level – in their case, a missing Apache Struts update – is enough to put a massive company on your knees. Remote exploits, denial of service attacks, etc. – everything is possible beyond the application layer at the web server level.

Common web server vulnerabilities that I find in my assessments include:

  • Patches for web servers, such as Internet Information Server and Apache, and operating systems, such as Windows and Linux.
  • Open ports that facilitate unencrypted connections, open proxies, or vulnerable services, such as File Transfer Protocol and Simple Network Management Protocol services.
  • Misconfigured permissions allowing unauthorized public access to directories and files.
  • Domain name system cache monitoring and traffic amplification.
  • Server’s internal IP address revealed by hard-coding or misconfigured web server headers.
  • Missing protection against cross-frame scripting.

Nor are they web server-specific vulnerabilities; related weaknesses can also be caused by a lack of network security controls, such as intrusion prevention systems, web application firewall blocking, and proper event monitoring and alerting. Even simple firewall misconfigurations can lead to a successful attack on an organization.

Protection of web environments

One thing I often see in terms of web security testing is that people only focus on penetration. They are able to capture the flag, so to speak, and then they stop looking for other security issues. This is extremely myopic and is probably the reason why many organizations that have a formal security testing program still end up being hacked.

Instead of a simple penetration test, what is needed is a comprehensive security assessment that examines the entire system from soup to nuts, rather than trying to prove that a only feat can be accomplished and only one exercise can be stopped. It’s all other security vulnerabilities that are overlooked in weak web security testing procedures that can come back to haunt you.
Another thing to keep in mind is that if you’re just testing your production environment, what are your staging and development systems like? Likewise, if you are unable to test production, do your staging and development systems accurately reflect what is happening in the real world?

Eventually, you will have to look at everything and fix everything. This applies not only to external web systems, but also to internal systems.


When it comes to web security, application scans are not enough, nor are manual scans or penetration tests. Traditional network vulnerability scanners will find weaknesses, but I’m seeing more and more that dedicated web application vulnerability scanners are finding flaws at the server level; you have to look at the server itself.

In many cases, it takes two and sometimes three different scanners to find everything that matters. A scan with a single tool is simply not enough to consistently find web server vulnerabilities. If real web security is going to exist, you need to look in the right places. Otherwise, you just don’t know where things stand.