Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter III - Web / Web Servers

Cheatsheet

Use this as a fast reference during web server enumeration and review.


Fingerprint

nmap -sV -sC -p80,443,8080,8000,8443 target
curl -i http://target/
curl -I http://target/
curl -i http://target/does-not-exist
whatweb http://target/
nikto -h http://target/

Host header check:

curl -i -H "Host: test.example.local" http://TARGET_IP/

Virtual host fuzz:

ffuf -u http://TARGET_IP/ -H "Host: FUZZ.example.local" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

Directory fuzz:

gobuster dir -u http://target/ \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt

Interesting Paths

Generic:

/.git/
/.env
/backup.zip
/backup.tar.gz
/config.php.bak
/database.sql
/admin/
/uploads/
/static/
/api/

Apache:

/server-status
/server-info
/cgi-bin/
/.htaccess
/.htpasswd
/icons/
/manual/

NGINX:

/nginx_status
/stub_status
/status
/uploads/
/static/

IIS:

/aspnet_client/
/trace.axd
/elmah.axd
/web.config
/App_Data/
/bin/

Apache Files

Config:

/etc/apache2/apache2.conf
/etc/apache2/envvars
/etc/apache2/ports.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/

Logs:

/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/apache2/other_vhosts_access.log
/var/log/httpd/access_log
/var/log/httpd/error_log

Webroots:

/var/www/html/
/srv/www/
/usr/local/apache2/htdocs/

Local commands:

apache2ctl -S
apache2ctl -M
apache2ctl -t

NGINX Files

Config:

/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/default
/etc/nginx/sites-available/default
/etc/nginx/conf.d/
/usr/local/etc/nginx/nginx.conf
/usr/local/nginx/conf/nginx.conf

Logs:

/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/nginx/access_log
/var/log/nginx/error_log

Webroots:

/usr/share/nginx/html/
/var/www/html/
/var/www/

Local commands:

nginx -t
nginx -T
systemctl status nginx

IIS Files

Config:

C:\Windows\System32\inetsrv\config\applicationHost.config
C:\Windows\System32\inetsrv\config\administration.config
web.config

Logs:

C:\inetpub\logs\LogFiles\
C:\Windows\System32\LogFiles\HTTPERR\

Webroots:

C:\inetpub\wwwroot\
C:\inetpub\

Local commands:

Import-Module WebAdministration
Get-Website
Get-WebBinding
Get-WebApplication
Get-ChildItem IIS:\AppPools

Appcmd:

%windir%\system32\inetsrv\appcmd.exe list site
%windir%\system32\inetsrv\appcmd.exe list apppool
%windir%\system32\inetsrv\appcmd.exe list config

Log Poisoning

Safe marker:

curl -A "ootw-log-marker" http://target/

Common logs:

/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
C:\inetpub\logs\LogFiles\

Required chain:

controlled input reaches log
  + application can include/read that log
  + runtime interprets included content as code

Upload And Handler Checks

Ask:

Where is the upload stored?
Is the upload path under the webroot?
Can the file be requested directly?
Which extensions execute?
Are per-directory config files allowed?
Can handlers be changed?

Apache risk:

.htaccess upload + AllowOverride + handler remap

IIS risk:

web.config upload + permissive directory config + handler/staticContent changes

NGINX risk:

uploaded .php + global PHP-FPM location + upload path under webroot

IIS Tilde

Concept:

Long filename: SecretDocuments
Short name:    SECRET~1

Tools:

IIS-ShortName-Scanner
shortscan
sns
Metasploit iis_shortname_scanner

Follow-up:

gobuster dir -u http://target/ -w candidates.txt -x asp,aspx,config,txt,zip,bak

Detection:

requests containing ~1
requests containing *~1*
large bursts of 404/400 during name probing

Dangerous HTTP Verbs

Check:

curl -i -X OPTIONS http://target/

Review if enabled:

PUT
MOVE
COPY
DELETE
PROPFIND
MKCOL
TRACE
TRACK

These are not automatically exploitable. They become findings when they allow writes, disclosure, cross-site tracing, or unexpected file operations.


Defensive Review

Confirm:

  • Directory listing is disabled.
  • Server status pages are restricted.
  • Config files are not web-accessible.
  • Logs are not readable through the application.
  • Uploads are outside executable paths.
  • Script execution is blocked in upload directories.
  • Apache AllowOverride is disabled unless required.
  • IIS web.config upload is blocked.
  • NGINX alias and proxy_pass rules are reviewed.
  • Forwarded headers are trusted only from known proxies.
  • WebDAV and unused modules are disabled.
  • App pools and worker processes run with least privilege.
  • Suspicious enumeration patterns are monitored.