Most Important Checklist for Penetration of Web Server

Web Server

Web server pen checks under 3 key identity class, review, document vulnerability, configuration error, protocol relationship vulnerabilities, etc.

1. “The best way of testing the web server along with the various vulnerabilities is to perform a series of methodical and repeatable tests.”

2. “Collecting as a Much as Information” about an organization The main area to focus on in the initial stage of Web server pen testing is the operating environment.

3. Web server authentication testing; Social engineering techniques are used to collect human resources information; contact details; and other social information.

4. Gathering target information, using who is database query tools for obtaining the details like domain name, IP address, management details, autonomous system number, DNS, etc

5. Fingerprint web servers for collecting information, such as database title, server sort, operating systems, browser-based software, etc., use fingerprint scanning tools such as Netcraft, HTTPrecon, ID Server.

6. Crawl Website for the selection of Web pages with specific information, e.g. email addresses

7. List webserver directories to obtain important web functionality information, login forms, etc.

8. Perform a Cross-directory Attack to access Limited Directories and execute the command from the root directories of the Web server.

9. Vulnerability scans to find network weakness using vulnerability scanning software such as HPwebinspect, Nessus. and decide whether the program can be used.

10. We execute cache poisoning attacks, which causes the webserver cache to flush the actual contents of its cache and send a specific request that is stored in the cache.

11. HTTP response split attack for passing malicious information to a compromised request that includes data in an HTTP response header.

12. SSH, FTP, and other login credentials for Bruteforce to gain unauthorized access.

13. Hijacking session to grab valid client cookies and IDs, use tools like Burb Suite, Fire Sheep, hijack for automated session retrieval.

14. MITM attacks to control sensitive information by intercepting communication alterations between end-users and web servers.

15. Using internet advertisers and AWStats to test the web server logs.

Important checklist Microsoft suggested


  • Windows services that are unnecessary are deactivated.
  • Products with low-privileged accounts are going.
  • If the services FTP, SMTP, and NNTP are not required, they will be disabled.
  • Operation Telnet is disabled.


  • WebDAV is deactivated if the OR software is not used, if necessary it is protected.
  • NetBIOS hardened TCP / IP stack is disabled and SMB (close ports 137, 138, 139 and 445) are disabled.


    • Unused server accounts were deleted.
    • The password for visitors is disabled.
    • If the application is not used, the IUSR MACHINE account is disabled.
    • If anonymous access is needed to your applications, a custom anonymous account is created.
    • The anonymous account has no write access and does not execute command-line tools to the Web content directories.
    • Clear database account and password procedures are enforced.
    • Remote connections are minimal. (The user’s right to access this network computer is removed from the Everyone group.) Accounts are not shared between administrators.
    • Null sessions are disabled (anonymous logons).
    • Approval is required for the delegation of accounts.
    • Users and managers do not share accounts.
    • In the Administrators group, there are no more than two accounts.
    • Administrators must log on locally OR the remote management solution is secure.

Files and Directories

    • The NTFS volumes contain files and directories. The contents of the website are stored on the non-system volume NTFS.
    • Log files are stored in an NTFS volume and not on the same volume where the content of the website resides.
    • The group Everyone (no access to \WINNT\system32 or web directories) is restricted.
      The root website directory has refused to write ACE for Internet anonymous accounts.
    • Data servers denied ACE writing to Internet anonymous accounts.
    • Remote application management is deleted. Tools, utilities, and SDKs are removed from the resource kit.
    • Sample applications are deleted. Any unwanted shares (including default management shares) are excluded.
    • Access to the necessary shares is limited (Everyone group has no access).
    • Administrative shares (C$ and Admin$) will be excluded when not requested (the shares include Microsoft Management System (SMS) and Microsoft Operations Manager (MOM).


    • Internet interfaces are limited to ports 80 (and 443 when using SSL).
    • Intranet traffic is encrypted (e.g. with SSL) or restricted if the data center infrastructures are not secure.


    • Access to the remote registry is limited.
    • The SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash) is safe.

Checking and reporting

    • Failed attempts at logon are audited.
    • Relocated and protected IIS log files.
    • According to the application security requirements, log files are configured with a suitable size.
    • Log files are archived and reviewed periodically.
    • Metabase.bin file access is audited.
    • IIS is designed for the auditing of the W3C Extended log file format.

Certificates of Server

    • Ensure the date ranges of the certificate are correct.
    • Use only certificates for their intended purposes (server certificates are not used for e-mail, for example).
    • Ensure that the public key of the certificate is valid, to a trusted root authority.
    • Confirm that the certificate was not withdrawn.
Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.