MODULE 13 — CORE WEB SERVER CONCEPTS (MEMORIZE 100%)
What Is a Web Server (Exam Definition)
| Concept | Memorize Exactly |
| Web Server | A computer system that stores, processes, and delivers web pages to clients using HTTP/HTTPS |
| Client | Browser that generates HTTP requests |
| Server Role | Receives request, processes it, returns HTTP response |
| Failure Case | If requested resource is unavailable, server returns an error message |
MEMORY HOOK:
Browser asks → Server fetches → Server responds
WEB SERVER COMPONENTS (VERY HIGH EXAM WEIGHT)
Core Components Table
| Component | Purpose | Exam Hook |
| Document Root | Stores HTML files related to domain name | Public web files live here |
| Server Root | Stores configuration, logs, executables | Admin-level directory |
| conf | Configuration files | Server behavior |
| logs | Server logs | Recon goldmine |
| cgi-bin | CGI scripts | Command execution risk |
MEMORY HOOK:
Document root = content | Server root = control
Virtual Document Tree
| Feature | Memorize |
| Purpose | Provides storage on a different machine or disk |
| Trigger | Used when original disk is full |
| Security Impact | Can provide object-level security |
Virtual Hosting (EXAM FAVORITE)
| Type | Description |
| Name-based | Multiple domains on same IP |
| IP-based | Each domain has unique IP |
| Port-based | Multiple sites using different ports |
MEMORY HOOK:
Name, IP, Port = Virtual Hosting Trinity
Web Proxy
| Feature | Memorize |
| Location | Between client and web server |
| Purpose | Prevent IP blocking, maintain anonymity |
| Function | Forwards client requests |
WHY WEB SERVERS ARE COMPROMISED
Root Causes (EXAM LIST)
| Cause | Memorize |
| Improper configuration | Most common |
| Weak/default credentials | Easy exploitation |
| Unpatched software | Known exploits |
| Misconfigured SSL/TLS | MITM risk |
| Third-party plugins | Supply-chain risk |
MEMORY HOOK:
Config > Passwords > Patching > Crypto > Plugins
IMPACT OF WEB SERVER ATTACKS
| Impact Category | Memorize |
| Compromise of user accounts | Credential theft |
| Website defacement | Visual manipulation |
| Secondary attacks | Attacks launched from server |
| Root access | Full control |
| Data tampering | Alter/delete data |
| Reputation damage | Business impact |
COMMON GOALS OF WEB SERVER ATTACKERS
| Goal | Exam Phrase |
| Steal credentials | Phishing, sniffing |
| Botnet integration | DoS/DDoS |
| Database compromise | Data theft |
| Obtain source code | Intellectual property |
| Redirect traffic | Monetization |
| Privilege escalation | Persistence |
MEMORY HOOK:
Steal, Bot, Break DB, Copy Code, Redirect, Escalate
SECURITY FLAWS DUE TO ADMIN NEGLIGENCE
| Flaw | Result |
| Same admin credentials reused | Lateral movement |
| Unrestricted inbound/outbound traffic | Easy exploitation |
| Unhardened servers | Wide attack surface |
| Verbose errors | Recon advantage |
| Weak SSL/TLS algorithms | MITM |
| Third-party plugins | Backdoors |
WHY WEB SERVERS GET COMPROMISED (PERSPECTIVES)
Webmaster Perspective
| Risk | Memorize |
| LAN exposure | Corporate network compromise |
| Arbitrary script execution | RCE |
| Insecure scripts | Code execution |
Network Administrator Perspective
| Risk | Memorize |
| Improper access control | Admin bypass |
| Poor segmentation | Full LAN exposure |
| Weak privilege assignment | Escalation |
End User Perspective
| Risk | Memorize |
| Malicious scripts | Browser compromise |
| Session hijacking | Account takeover |
| LAN access | Internal attack |
OVERSIGHTS THAT COMPROMISE WEB SERVERS (MUST MEMORIZE ALL)
| Oversight |
| Improper file and directory permissions |
| Installed server with default settings |
| Unnecessary services enabled |
| Security conflicts with business requirements |
| Lack of security policy |
| Improper authentication with external systems |
| Default accounts without passwords |
| Sample/backup files left |
| OS, server, app misconfigurations |
| SSL certificate mismanagement |
| Admin/debug functions exposed |
| Self-signed certificates |
| Excessive privileges |
MEMORY HOOK:
Defaults, Files, Services, Crypto, Privileges