Vulnarex | Elite Cybersecurity Learning Platform

#Understanding Web Server Architecture#link

With a solid grasp of HTTP, HTML, and JavaScript, we now turn to the server side — the machines and software that actually process requests and serve content. Understanding web server architecture is essential for security professionals because server misconfigurations are among the most common and impactful vulnerabilities found in the wild.

What a Web Server Does

A web server is software that listens for incoming HTTP requests and responds with the appropriate content. At its simplest, a web server receives a request for a file, reads that file from disk, and sends it back. Modern web servers do much more — they handle SSL termination, load balancing, URL rewriting, authentication, and serve as reverse proxies for application servers.

Server	Market Share	Common Use Case
Nginx	~35%	Reverse proxy, load balancer, static content
Apache HTTP Server	~22%	Traditional web hosting, .htaccess configs
Microsoft IIS	~6%	Windows/.NET environments
Cloudflare/CDN	Growing	DDoS protection, CDN, WAF
Node.js (Express)	Popular	JavaScript-based APIs and SPAs

Nginx Configuration Basics

Nginx is the most widely used web server today. Its configuration is organized into blocks (contexts) that define how requests are handled. Understanding Nginx config helps you identify misconfigurations during assessments.

nginx

server {
    listen 443 ssl http2;
    server_name www.example.com;
    
    ssl_certificate /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    
    # Serve static files directly
    location /static/ {
        alias /var/www/static/;
        expires 30d;
    }
    
    # Proxy API requests to application server
    location /api/ {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    # Default: serve SPA
    location / {
        try_files $uri $uri/ /index.html;
    }
}

info

💡 The X-Forwarded-For header is critical in proxied environments. Application servers behind a reverse proxy see the proxy's IP, not the client's real IP. The proxy adds this header so the application can identify the original client. However, if not properly configured, attackers can spoof this header.

Common Web Server Misconfigurations

Web server misconfigurations are a goldmine for attackers. Here are the most common and impactful ones:

▪Directory listing enabled — exposes file structure and sensitive files
▪Default credentials — admin panels with admin/admin passwords
▪Exposed server version headers — reveals software version for targeted exploits
▪Missing security headers — no CSP, HSTS, X-Frame-Options
▪Improper file permissions — world-readable configuration files
▪Unnecessary HTTP methods enabled — PUT, DELETE, TRACE allowed
▪Open proxy configuration — server can be used to attack other systems
▪Missing TLS/SSL — credentials and data transmitted in plaintext

STRICT SECURE AUDIT RULE

⚠️ The TRACE HTTP method can be used in Cross-Site Tracing (XST) attacks to steal HttpOnly cookies. Ensure TRACE is disabled on all production servers. Test with: curl -X TRACE https://target.com

Hosting Environments

Modern web applications are deployed in various environments, each with its own security considerations:

Environment	Description	Security Consideration
Shared Hosting	Multiple sites on one server	Neighbor sites may affect your security
VPS	Virtual private server	You manage the OS and server config
Cloud (AWS/Azure/GCP)	Scalable cloud infrastructure	Misconfigured S3 buckets, IAM roles, metadata endpoints
Serverless (Lambda/Functions)	Event-driven, no server to manage	Function permissions, cold start attacks, injection
Container (Docker/K8s)	Containerized applications	Container escape, exposed dashboards, secrets in images
CDN (Cloudflare/Fastly)	Content delivery network	Origin IP exposure, cache poisoning

Cloud-Specific Risks: The Metadata Endpoint

One of the most critical cloud-specific attack vectors is the instance metadata endpoint. Cloud providers expose a local endpoint (169.254.169.254) that provides instance credentials and configuration. If an application is vulnerable to Server-Side Request Forgery (SSRF), an attacker can access this endpoint.

AWS Metadata Endpoint (SSRF Attack)

root@vulnarex:~#curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

Retrieving Temporary Credentials

root@vulnarex:~#curl http://169.254.169.254/latest/meta-data/iam/security-credentials/MyInstanceRole

STRICT SECURE AUDIT RULE

⚠️ AWS now uses IMDSv2 which requires a session token to access the metadata endpoint, mitigating simple SSRF attacks. However, older instances or misconfigured ones may still use IMDSv1. Always check for SSRF vulnerabilities that could reach cloud metadata endpoints.

Server Headers and Information Disclosure

Web servers often reveal information through response headers that can aid an attacker. During reconnaissance, always examine these headers:

Checking Server Headers

root@vulnarex:~#curl -I https://www.example.com

callout

Each of these headers reveals specific software and version information. An attacker can use this to look up known vulnerabilities (CVEs) for those specific versions. Best practice is to remove or obfuscate these headers in production.

quiz BLOCK (★ 50 XP)

During a penetration test, you discover that a web server responds to TRACE requests. What is the PRIMARY security risk?

Select your proof vectors above