Apache Server-Status

Slack Group

Before we get started I have started a slack group dedicated to hacking. We welcome everyone from beginner to advanced to join. I will be on everyday answer questions, doing CTFs, and talking about cool hacks. If you enjoy hacking and are looking for like minded people join below:

NEW Hacking Group Slack Channel


Introduction

The server-status page allows server administrators to find out how well their server is performing. This is a HTML page that gives the current server statistics such as the server version, up time,cpu, ram, and information about requests made to the server.


Server-Status

The server-status page can be found on apache servers by making a GET request to /server-status. This will display some details about the server and a long list of requests made to the server and shown below:

As you can see we can view requests made to the server. This information can be very useful if the applications sends sensitive information as GET requests. If you monitor this page you might be able to find CSRF tokens, API keys, hidden paths, and other sensitive information being sent to the server.

The tool server-status_pwn can be used to monitor an applications server-status page in real time. The tool can then output the results to a file to examine later.

To run the tool type:

python server-status_PWN.py — url ‘http://test.com/server-status'

As shown above the tool will monitor the /server-status page for new requests and clients. If you let the tool run for a few hours or days you just might capture some sensitive information.

Conclusion

If the /server-status is exposed to the public then there is something wrong. This page can be used to monitor users GET requests for sensitive information. If the applications sends CSRF tokens, API keys, or anything else in a GET request then attackers will be able to see it. Using the server-status_PWN tool you can constantly monitor the page and examine the results later.

https://twitter.com/ghostlulz1337