
Web Server — Attack & Defense.

Per-server-class attack chains paired with the corresponding hardening — Apache, nginx, IIS, Tomcat, JBoss — and the decision tree from first 200 OK to authenticated context.

Apache HTTPD

  • Attack. .htaccess abuse where AllowOverride permits SetHandler — drop a PHP handler in a writable upload dir for instant RCE. mod_cgi + CVE-2021-41773 path traversal still reachable on stragglers. mod_status at /server-status leaks live request URIs including auth tokens.
  • Defense. AllowOverride None globally. Disable mod_status or restrict to loopback. Patch above 2.4.50 and audit Directory aliases for traversal escape.

nginx

  • Attack. Off-by-slash misconfig: location /api { proxy_pass http://backend; } with request /api../admin normalizes server-side. Header injection via proxy_set_header X-Real-IP $http_x_forwarded_for. Lua-module sandbox escape on old OpenResty.
  • Defense. Trailing slash discipline: location /api/ { proxy_pass http://backend/; }. Strip $http_* headers that the backend trusts. Pin OpenResty if you use it; track its CVE feed separately from nginx-core.
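An added audit helper, not from the page or any nginx project, that checks config text for the trailing-slash discipline described above: a prefix location with no trailing slash whose block hands the path to proxy_pass or alias also matches /api../ style requests. SAMPLE_CONF and the regex-based block parser are constructed assumptions; nested blocks inside a location are not handled.

```python
import re

# Constructed sample: the weak block from the text beside its corrected form,
# plus an alias-based variant and two locations that are not prefix matches.
SAMPLE_CONF = """
location /api { proxy_pass http://backend; }
location /api/ { proxy_pass http://backend/; }
location /img { alias /data/images/; }
location = /health { proxy_pass http://backend; }
location ~ ^/static { root /srv; }
"""

# A location directive with optional modifier and a flat block body.
LOCATION_RE = re.compile(
    r"location\s+(?:(?P<mod>=|~\*|~|\^~)\s+)?(?P<path>\S+)\s*\{(?P<body>[^{}]*)\}",
    re.S,
)

# Directives inside the block that forward the matched path somewhere.
FORWARD_RE = re.compile(r"\b(proxy_pass|alias)\s+(\S+?);")


def find_off_by_slash(conf: str) -> list:
    """Return prefix locations lacking a trailing slash that forward the
    request via proxy_pass or alias. nginx leaves '/api../admin' untouched
    for such a prefix, so normalisation is left to the backend."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        mod, path, body = m.group("mod"), m.group("path"), m.group("body")
        if mod in ("=", "~", "~*"):  # exact and regex locations are not prefixes
            continue
        if path.endswith("/"):  # trailing slash: '/api../' no longer matches
            continue
        hit = FORWARD_RE.search(body)
        if hit:
            findings.append(
                {"location": path, "directive": hit.group(1), "target": hit.group(2)}
            )
    return findings


if __name__ == "__main__":
    for f in find_off_by_slash(SAMPLE_CONF):
        print(f"off-by-slash: location {f['location']} -> {f['directive']} {f['target']}")
```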

IIS / ASP.NET

  • Attack. WebDAV PUT to writable virtual dir; .config overwrite to swap handlers. Unicode normalization (%c0%af) for traversal on legacy installs. ViewState deserialization where machineKey is leaked or default.
  • Defense. Disable WebDAV unless required, restrict verbs. Set requestFiltering to block .. sequences. Rotate machineKey, ensure validation/decryption keys are not default.

Tomcat / JBoss / WildFly

  • Attack. /manager/html with default creds (tomcat:tomcat, admin:admin) → WAR deploy → JSP shell. JMX-Console / Admin-Console on JBoss legacy → invoker-servlet → deserialization. RMI port 1099 still externally exposed in misconfigured deploys.
  • Defense. Remove manager/admin apps from production builds. If required, bind to loopback and restrict by IP + strong creds. Disable JMX remote unless explicitly needed; never on a public interface.

Decision tree from first 200 OK

  1. Tech identified? If yes → consult banner→CVE list. If no → fingerprint more (favicon, error pages, behavioral probes).
  2. Auth surface visible? Login form, basic auth, NTLM → spray known weak credentials (kerbrute, hydra) within lockout policy.
  3. Admin panel reachable? Default creds first, then known CVE for that panel, then password-recovery logic flaws.
  4. No auth, static-ish app? Directory fuzz (ffuf -w raft-large -e .bak,.old,.zip,.txt) for backup files, source leaks, config dumps.
  5. API endpoint? Look for /api/v1, /api/v2, /swagger, /openapi.json, /graphql + introspection. Test mass assignment, IDOR, JWT confusion.

Rule of thumb. Never deploy management interfaces (Tomcat manager, JBoss admin, Confluence admin) on a public interface, regardless of password strength. Network-layer restriction defeats entire classes of attack that password rotation cannot.
