Guide to Finding Web Server Vulnerabilities Using Open-Source Software

Table of Contents

1. Introduction
2. Preparation
3. Reconnaissance
4. Port Scanning and Service Detection
5. Web Server Fingerprinting
6. Vulnerability Scanning
7. Web Application Scanning
8. SSL/TLS Testing
9. Manual Testing
10. Reporting
11. Conclusion

1. Introduction

This guide will walk you through the process of identifying vulnerabilities in a web server using various open-source tools. Remember, always ensure you have permission to test the target system.

2. Preparation

Before starting, set up a testing environment:

• Use a Linux distribution like Kali Linux or Parrot OS, which come pre-installed with many security tools.
• Ensure you have permission to test the target web server.
• Set up a local test server if you don’t have a real target to practice on.

3. Reconnaissance

Start with gathering information about the target:

1. Use whois to get domain information:

   whois example.com
   

2. Perform DNS enumeration with dnsenum:

   dnsenum example.com
   

3. Use theHarvester for email addresses and subdomains:

   theHarvester -d example.com -l 500 -b google
   

4. Port Scanning and Service Detection

Use Nmap to scan for open ports and services:

nmap -sV -sC -p- example.com

This command:

• Scans all ports (-p-)
• Determines service versions (-sV)
• Runs default scripts (-sC)

5. Web Server Fingerprinting

Identify the web server and its version:

1. Use Nmap’s HTTP scripts:

   nmap -p80,443 --script http-enum example.com
   

2. Try whatweb for more detailed information:

   whatweb example.com
   

6. Vulnerability Scanning

Use OpenVAS (Open Vulnerability Assessment System) for comprehensive scanning:

1. Set up OpenVAS if not already installed:

   apt-get install openvas
   openvas-setup
   

2. Access the OpenVAS web interface and set up a new scan task for your target.

7. Web Application Scanning

Use specialized web application scanners:

1. OWASP ZAP (Zed Attack Proxy):

   zaproxy
   

   Use the GUI to set up an automated scan against your target.

2. Nikto web server scanner:

   nikto -h example.com
   

3. Dirb for directory busting:

   dirb http://example.com
   

8. SSL/TLS Testing

Check for SSL/TLS vulnerabilities:

1. Use sslscan to check SSL/TLS configuration:

   sslscan example.com
   

2. Test for Heartbleed vulnerability:

   nmap -p 443 --script ssl-heartbleed example.com
   

9. Manual Testing

Perform manual checks to verify findings and explore further:

1. Use Burp Suite (Community Edition) as a web proxy to intercept and modify requests.

2. Check for common vulnerabilities manually:

   • SQL Injection
   • Cross-Site Scripting (XSS)
   • Cross-Site Request Forgery (CSRF)
   • File Inclusion vulnerabilities

3. Test input validation and sanitization on forms and parameters.

10. Reporting

Compile your findings into a comprehensive report:

1. List all discovered vulnerabilities.
2. Categorize vulnerabilities by severity.
3. Provide evidence for each finding (screenshots, command outputs).
4. Suggest remediation steps for each vulnerability.
5. Summarize the overall security posture of the web server.

11. Conclusion

Remember that finding vulnerabilities is an iterative process. Combine automated tools with manual testing for the best results. Always stay updated on the latest web security threats and testing techniques.

Ethical Considerations:

• Only test systems you have explicit permission to assess.
• Be careful not to disrupt the normal operation of the web server.
• Handle any sensitive data you may encounter responsibly.
• Report findings to the system owner securely and promptly.

By following this guide and using these open-source tools responsibly, you can effectively identify vulnerabilities in web servers and contribute to improving web security.