Web Server Security

2 minute read

Disclaimer : This subject is made with root-me challenges but you still must enter the flag you found in the CTF platform of this pool with the format PoC{flag you found}.


Web server are a major component of web services. It is the part dealing with databases and user authentication. If a security issue is detected is a web server, it can lead to severe security problems : credentials stealing, code injection, modification of the user interface etc.

A useful tool to play with Web Server security is the Burp Community Suite which will allow you to see and edit your HTTP requests. Do not hesitate to ask a PoC helper for installation issues !

-1 - Understand all this stuff

Take some paper and a pen (or go to paint online :p) and represent all the interactions between the frontend, the backend API and the database for a Login page.

You must represent your HTTP requests as clearly as possible (with at least the verb and the targeted url).

Show it to a helper once you’re proud of your scheme !

0 - Basic misconfigurations

In this first part, we are going to learn to detect and exploit basic server misconfigurations which can lead to severe security issues.

Start with these challenges : 1. Command Injection 2. Directory Indexing 3. Verb Tampering

1 - Authentication issues

Some token and cookies system were invented in order to be able to recognize a user when he is logged in. These tokens must be really secured in their implementation, otherwise you can make some serious damages… This challenge will make you exploit a vulnerable configuration of a JSON Web Token.

Introduction to JWT

2 - PHP nonsense

PHP has known a lot of severe security vulnerabilities which make it a meme in the security community. Let’s start our PHP joke discovery with Type Juggling !

When not equal can be equal

3 - File Inclusions

File Inclusions are misconfigurations that lead to the execution / exploitation of files that are not supposed to be treated by the web server application…

Local File Inclusion

LFI challenge

Remote File Inclusion

RFI challenge

4 - Go further