Web server pen testing is performed under three major categories: identify, analyse, and report vulnerabilities such as authentication weaknesses, configuration errors, and protocol-related vulnerabilities.

“Conduct a series of methodical and repeatable tests” is the best way to test the web server, working through all of the different application vulnerabilities.


  • “Collecting as much information as possible” about an organization, including its operating environment, is the main area to concentrate on in the initial stage of web server pen testing.
  • When performing web server authentication testing, use social engineering techniques to collect information about human resources, contact details, and other social-related information.
  • To gather information about the target, use whois database query tools to get details such as domain name, IP address, administrative details, autonomous system number, DNS, etc.


  • Fingerprint the web server to gather information such as server name, server type, operating system, and applications running on the server, using fingerprint scanning tools such as Netcraft, HTTPrecon, and ID Serve.
  • Crawl the website to gather specific information from web pages, such as email addresses.
  • Enumerate web server directories to extract important information about web functionalities, login forms, etc.
  • Perform a directory traversal attack to access restricted directories and execute commands from outside the web server root directories.


  • Perform vulnerability scanning to identify weaknesses in the network, using vulnerability scanning tools such as HP WebInspect and Nessus, and determine whether the system can be exploited.
  • Perform a web cache poisoning attack to force the web server’s cache to flush its actual cache content and send a specifically crafted request which will be stored in the cache.
  • Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.
  • Brute-force SSH, FTP, and other services' login credentials to gain unauthorized access.
  • Perform session hijacking to capture valid session cookies and IDs; use tools such as Burp Suite, Firesheep, and JHijack to automate session hijacking.
  • Perform a MITM attack to access sensitive information by intercepting and altering the communications between the end users and web servers.
  • Use tools such as Webalizer and AWStats to examine the web server logs.

CORE Impact Pro

CORE Impact Pro is a software solution for assessing and testing vulnerabilities in an organization’s web servers, network systems, endpoint systems, wireless networks, network devices, mobile devices, and IDS/IPS.

Important Checklist Suggested by Microsoft


  • Unnecessary Windows services are disabled.
  • Services are running with least-privileged accounts.
  • FTP, SMTP, and NNTP services are disabled if they are not required.
  • Telnet service is disabled.


  • WebDAV is disabled if not used by the application OR it is secured if it is required.
  • TCP/IP stack is hardened.
  • NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).


  • Unused accounts are removed from the server.
  • Guest account is disabled.
  • IUSR_MACHINE account is disabled if it is not used by the application.
  • If your applications require anonymous access, a custom least-privileged anonymous account is created.
  • The anonymous account does not have write access to Web content directories and cannot execute command-line tools.
  • Strong account and password policies are enforced for the server.
  • Remote logons are restricted. (The “Access this computer from the network” user-right is removed from the Everyone group.)
  • Accounts are not shared among administrators.
  • Null sessions (anonymous logons) are disabled.
  • Approval is required for account delegation.
  • Users and administrators do not share accounts.
  • No more than two accounts exist in the Administrators group.
  • Administrators are required to log on locally OR the remote administration solution is secure.

Files and Directories

  • Files and directories are contained on NTFS volumes.
  • Web site content is located on a non-system NTFS volume.
  • Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.
  • The Everyone group is restricted (no access to \WINNT\system32 or Web directories).
  • Web site root directory has deny write ACE for anonymous Internet accounts.
  • Content directories have deny write ACE for anonymous Internet accounts.
  • Remote administration application is removed.
  • Resource kit tools, utilities, and SDKs are removed.
  • Sample applications are removed.


  • All unnecessary shares are removed (including default administration shares).
  • Access to required shares is restricted (the Everyone group does not have access).
  • Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).


  • Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used).
  • Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.


  • Remote registry access is restricted.
  • SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).

Auditing and Logging

  • Failed logon attempts are audited.
  • IIS log files are relocated and secured.
  • Log files are configured with an appropriate size depending on the application security requirement.
  • Log files are regularly archived and analyzed.
  • Access to the Metabase.bin file is audited.
  • IIS is configured for W3C Extended log file format auditing.
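
Regular analysis of W3C Extended logs can be scripted. The following is an added example, not part of the original checklist: it reads the `#Fields` directive, then flags the directory traversal and HTTP response splitting (CR/LF) markers mentioned in the testing steps above, plus repeated 401 responses from one client. The sample log, the chosen fields, and the threshold of three failures are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in W3C Extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-05 10:00:01 192.0.2.10 GET /index.html - 200
2024-01-05 10:00:02 192.0.2.44 GET /images/..%252f..%252fweb.config - 404
2024-01-05 10:00:03 192.0.2.44 GET /redirect.asp url=/home%0d%0aSet-Cookie:+x=1 302
2024-01-05 10:00:04 198.51.100.7 GET /admin/ - 401
2024-01-05 10:00:05 198.51.100.7 GET /admin/ - 401
2024-01-05 10:00:06 198.51.100.7 GET /admin/ - 401
2024-01-05 10:00:07 192.0.2.10 GET /docs/a..b.html - 200
"""

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input (%252f) is normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def parse_w3c(text):
    """Yield one dict per entry; column names come from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def analyse(text, fail_threshold=3):
    """Return (finding, client IP) pairs: traversal, CR/LF in request, 401 bursts."""
    findings, failures = [], Counter()
    for entry in parse_w3c(text):
        ip = entry.get("c-ip", "-")
        target = decode(entry.get("cs-uri-stem", "") + "?" + entry.get("cs-uri-query", ""))
        # A ".." that is a whole path or parameter segment, not "a..b.html".
        if ".." in re.split(r"[/\\?=&]", target):
            findings.append(("traversal", ip))
        if "\r" in target or "\n" in target:
            findings.append(("crlf-injection", ip))
        if entry.get("sc-status") == "401":
            failures[ip] += 1
    findings += [("failed-logons", ip) for ip, n in failures.items() if n >= fail_threshold]
    return findings

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Because the column names are taken from `#Fields`, the same script works when the server logs additional fields, as long as the four used here are enabled.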

Server Certificates

  • Ensure certificate date ranges are valid.
  • Only use certificates for their intended purpose (For example, the server certificate is not used for e-mail).
  • Ensure the certificate’s public key is valid, all the way to a trusted root authority.
  • Confirm that the certificate has not been revoked.
