Hacking Web Servers
Header audits, robots.txt intel, stack fingerprinting.
What is web server hacking?
Web server hacking means attacking the HTTP server itself (Apache, Nginx, IIS, or the load balancer in front of them) rather than the web application running on top. It targets misconfiguration, default credentials, exposed admin panels, missing security headers, and known CVEs in the server software.
Why it matters
A single weak header (no HSTS), a leaked Server banner, or a Disallow path pointing to /admin can give an attacker the foothold they need long before any app-level vulnerability is exploited. CEH treats the server tier as a first-class attack surface.
How it works
Probe HTTP response headers to fingerprint server software and audit defence-in-depth headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options). Parse robots.txt and sitemap.xml to discover paths the operator wanted hidden. Cross-reference banner versions with CVE databases.
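An added example, not part of the original page: the header audit and robots.txt review described above, run offline against constructed sample data the way an operator would check their own server's output. The function names, the sample response and the `ExampleServer/1.2.3` banner are assumptions made for illustration.

```python
import re

# Defence-in-depth headers named in the text above (lowercased for lookup).
REQUIRED = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "X-Frame-Options",
    "x-content-type-options": "X-Content-Type-Options",
}
# Constructed sample inputs; server name, version and paths are made up.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: ExampleServer/1.2.3
Content-Type: text/html
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
"""
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/  # constructed path
Disallow:
Allow: /public/
Disallow: /backup
"""

def parse_headers(raw):
    """Parse a raw response head into {lowercased-name: value}, skipping the status line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw):
    """Return findings: missing security headers and a version-bearing Server banner."""
    h = parse_headers(raw)
    findings = [f"missing {label}" for key, label in REQUIRED.items() if key not in h]
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if re.search(r"\d+\.\d+", h.get("server", "")):
        findings.append(f"Server banner discloses a version: {h['server']}")
    return findings

def robots_disallowed(text):
    """Return non-empty Disallow paths; all are public, so each needs real access control."""
    paths = []
    for line in text.splitlines():
        field, _, value = line.split("#", 1)[0].partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths
```

Every path returned by `robots_disallowed` should be protected by authentication or removed, and a clean banner check only shows what the server advertises, not what it actually runs.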
CEH v13 exam focus
Web server architecture, common misconfigurations (directory listing, default pages, verbose errors), banner grabbing, security headers, robots.txt as recon, and server-specific vulnerabilities (IIS short-name, Apache module flaws, Nginx alias traversal).
Common mistakes
Treating robots.txt as a security control (it's a recon goldmine). Trusting the Server header as ground truth (it can be spoofed). Skipping HEAD vs GET differential analysis. Ignoring the CDN/WAF layer when fingerprinting.
