Analisis_De_Seguridad-Apache_en_Kali_Lius

Alerts

1. Risk=Medium, Confidence=High (4)

   1. http://localhost (4)

      1. CSP: Failure to Define Directive with No Fallback (1)

         1. GET http://localhost

            Alert tags	OWASP_2021_A05 POLICY_QA_STD = POLICY_PENTEST = SYSTEMIC CWE-693 OWASP_2017_A06 POLICY_DEV_STD =
            Alert description	The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.
            Other info	The directive(s): form-action is/are among the directives that do not fallback to default-src.
            Request	Request line and header section (218 bytes) GET http://localhost HTTP/1.1 host: localhost user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 pragma: no-cache cache-control: no-cache Request body (0 bytes)
            Response	Status line and header section (717 bytes) HTTP/1.1 200 OK Date: Fri, 24 Oct 2025 15:21:59 GMT Server: Apache X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-XSS-Protection: 1; mode=block Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy: geolocation=(), microphone=(), camera=() Last-Modified: Sun, 25 Feb 2024 15:55:18 GMT ETag: "29cd-61236d1d67a20" Accept-Ranges: bytes Content-Length: 10701 Vary: Accept-Encoding Content-Type: text/html Response body (10701 bytes) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Apache2 Debian Default Page: It works</title> <style type="text/css" media="screen"> * { margin: 0px 0px 0px 0px; padding: 0px 0px 0px 0px; } body, html { padding: 3px 3px 3px 3px; background-color: #D8DBE2; font-family: Verdana, sans-serif; font-size: 11pt; text-align: center; } div.main_page { position: relative; display: table; width: 800px; margin-bottom: 3px; margin-left: auto; margin-right: auto; padding: 0px 0px 0px 0px; border-width: 2px; border-color: #212738; border-style: solid; background-color: #FFFFFF; text-align: center; } div.page_header { height: 99px; width: 100%; background-color: #F5F6F7; } div.page_header span { margin: 15px 0px 0px 50px; font-size: 180%; font-weight: bold; } div.page_header img { margin: 3px 0px 0px 40px; border: 0px 0px 0px; } div.table_of_contents { clear: left; min-width: 200px; margin: 3px 3px 3px 3px; background-color: #FFFFFF; text-align: left; } div.table_of_contents_item { clear: left; width: 100%; margin: 4px 0px 0px 0px; background-color: #FFFFFF; color: #000000; text-align: left; } div.table_of_contents_item a { margin: 6px 0px 0px 6px; } div.content_section { margin: 3px 3px 3px 3px; background-color: #FFFFFF; text-align: left; } div.content_section_text { padding: 4px 8px 4px 8px; color: #000000; font-size: 100%; } div.content_section_text pre { margin: 8px 0px 8px 0px; padding: 8px 8px 8px 8px; border-width: 1px; border-style: dotted; border-color: #000000; background-color: #F5F6F7; font-style: italic; } div.content_section_text p { margin-bottom: 6px; } div.content_section_text ul, div.content_section_text li { padding: 4px 8px 4px 16px; } div.section_header { padding: 3px 6px 3px 6px; background-color: #8E9CB2; color: #FFFFFF; font-weight: bold; font-size: 112%; text-align: center; } div.section_header_red { background-color: #CD214F; } div.section_header_grey { background-color: #9F9386; } .floating_element { position: relative; float: left; } div.table_of_contents_item a, div.content_section_text a { text-decoration: none; font-weight: bold; } div.table_of_contents_item a:link, div.table_of_contents_item a:visited, div.table_of_contents_item a:active { color: #000000; } div.table_of_contents_item a:hover { background-color: #000000; color: #FFFFFF; } div.content_section_text a:link, div.content_section_text a:visited, div.content_section_text a:active { background-color: #DCDFE6; color: #000000; } div.content_section_text a:hover { background-color: #000000; color: #DCDFE6; } div.validator { } </style> </head> <body> <div class="main_page"> <div class="page_header floating_element"> <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/> <span class="floating_element"> Apache2 Debian Default Page </span> </div> <!-- <div class="table_of_contents floating_element"> <div class="section_header section_header_grey"> TABLE OF CONTENTS </div> <div class="table_of_contents_item floating_element"> <a href="#about">About</a> </div> <div class="table_of_contents_item floating_element"> <a href="#changes">Changes</a> </div> <div class="table_of_contents_item floating_element"> <a href="#scope">Scope</a> </div> <div class="table_of_contents_item floating_element"> <a href="#files">Config files</a> </div> </div> --> <div class="content_section floating_element"> <div class="section_header section_header_red"> <div id="about"></div> It works! </div> <div class="content_section_text"> <p> This is the default welcome page used to test the correct operation of the Apache2 server after installation on Debian systems. If you can read this page, it means that the Apache HTTP server installed at this site is working properly. You should <b>replace this file</b> (located at <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server. </p> <p> If you are a normal user of this web site and don't know what this page is about, this probably means that the site is currently unavailable due to maintenance. If the problem persists, please contact the site's administrator. </p> </div> <div class="section_header"> <div id="changes"></div> Configuration Overview </div> <div class="content_section_text"> <p> Debian's Apache2 default configuration is different from the upstream default configuration, and split into several files optimized for interaction with Debian tools. The configuration system is <b>fully documented in /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full documentation. Documentation for the web server itself can be found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt> package was installed on this server. </p> <p> The configuration layout for an Apache2 web server installation on Debian systems is as follows: </p> <pre> /etc/apache2/ |-- apache2.conf | `-- ports.conf |-- mods-enabled | |-- *.load | `-- *.conf |-- conf-enabled | `-- *.conf |-- sites-enabled | `-- *.conf </pre> <ul> <li> <tt>apache2.conf</tt> is the main configuration file. It puts the pieces together by including all remaining configuration files when starting up the web server. </li> <li> <tt>ports.conf</tt> is always included from the main configuration file. It is used to determine the listening ports for incoming connections, and this file can be customized anytime. </li> <li> Configuration files in the <tt>mods-enabled/</tt>, <tt>conf-enabled/</tt> and <tt>sites-enabled/</tt> directories contain particular configuration snippets which manage modules, global configuration fragments, or virtual host configurations, respectively. </li> <li> They are activated by symlinking available configuration files from their respective *-available/ counterparts. These should be managed by using our helpers <tt> a2enmod, a2dismod, </tt> <tt> a2ensite, a2dissite, </tt> and <tt> a2enconf, a2disconf </tt>. See their respective man pages for detailed information. </li> <li> The binary is called apache2. Due to the use of environment variables, in the default configuration, apache2 needs to be started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>. <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the default configuration. </li> </ul> </div> <div class="section_header"> <div id="docroot"></div> Document Roots </div> <div class="content_section_text"> <p> By default, Debian does not allow access through the web browser to <em>any</em> file apart of those located in <tt>/var/www</tt>, <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a> directories (when enabled) and <tt>/usr/share</tt> (for web applications). If your site is using a web document root located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your document root directory in <tt>/etc/apache2/apache2.conf</tt>. </p> <p> The default Debian document root is <tt>/var/www/html</tt>. You can make your own virtual hosts under /var/www. This is different to previous releases which provides better security out of the box. </p> </div> <div class="section_header"> <div id="bugs"></div> Reporting Problems </div> <div class="content_section_text"> <p> Please use the <tt>reportbug</tt> tool to report bugs in the Apache2 package with Debian. However, check <a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0" rel="nofollow">existing bug reports</a> before reporting a new bug. </p> <p> Please report bugs specific to modules (such as PHP and others) to respective packages, not to the web server itself. </p> </div> </div> </div> <div class="validator"> </div> </body> </html>
            Parameter	Content-Security-Policy
            Evidence	default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'self';
            Solution	Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

      2. CSP: script-src unsafe-inline (1)

         1. GET http://localhost

            Alert tags	OWASP_2021_A05 POLICY_QA_STD = POLICY_PENTEST = SYSTEMIC CWE-693 OWASP_2017_A06 POLICY_DEV_STD =
            Alert description	Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
            Other info	script-src includes unsafe-inline.
            Request	Request line and header section (218 bytes) GET http://localhost HTTP/1.1 host: localhost user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 pragma: no-cache cache-control: no-cache Request body (0 bytes)
            Response	Status line and header section (717 bytes) HTTP/1.1 200 OK Date: Fri, 24 Oct 2025 15:21:59 GMT Server: Apache X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-XSS-Protection: 1; mode=block Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy: geolocation=(), microphone=(), camera=() Last-Modified: Sun, 25 Feb 2024 15:55:18 GMT ETag: "29cd-61236d1d67a20" Accept-Ranges: bytes Content-Length: 10701 Vary: Accept-Encoding Content-Type: text/html Response body (10701 bytes) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Apache2 Debian Default Page: It works</title> <style type="text/css" media="screen"> * { margin: 0px 0px 0px 0px; padding: 0px 0px 0px 0px; } body, html { padding: 3px 3px 3px 3px; background-color: #D8DBE2; font-family: Verdana, sans-serif; font-size: 11pt; text-align: center; } div.main_page { position: relative; display: table; width: 800px; margin-bottom: 3px; margin-left: auto; margin-right: auto; padding: 0px 0px 0px 0px; border-width: 2px; border-color: #212738; border-style: solid; background-color: #FFFFFF; text-align: center; } div.page_header { height: 99px; width: 100%; background-color: #F5F6F7; } div.page_header span { margin: 15px 0px 0px 50px; font-size: 180%; font-weight: bold; } div.page_header img { margin: 3px 0px 0px 40px; border: 0px 0px 0px; } div.table_of_contents { clear: left; min-width: 200px; margin: 3px 3px 3px 3px; background-color: #FFFFFF; text-align: left; } div.table_of_contents_item { clear: left; width: 100%; margin: 4px 0px 0px 0px; background-color: #FFFFFF; color: #000000; text-align: left; } div.table_of_contents_item a { margin: 6px 0px 0px 6px; } div.content_section { margin: 3px 3px 3px 3px; background-color: #FFFFFF; text-align: left; } div.content_section_text { padding: 4px 8px 4px 8px; color: #000000; font-size: 100%; } div.content_section_text pre { margin: 8px 0px 8px 0px; padding: 8px 8px 8px 8px; border-width: 1px; border-style: dotted; border-color: #000000; background-color: #F5F6F7; font-style: italic; } div.content_section_text p { margin-bottom: 6px; } div.content_section_text ul, div.content_section_text li { padding: 4px 8px 4px 16px; } div.section_header { padding: 3px 6px 3px 6px; background-color: #8E9CB2; color: #FFFFFF; font-weight: bold; font-size: 112%; text-align: center; } div.section_header_red { background-color: #CD214F; } div.section_header_grey { background-color: #9F9386; } .floating_element { position: relative; float: left; } div.table_of_contents_item a, div.content_section_text a { text-decoration: none; font-weight: bold; } div.table_of_contents_item a:link, div.table_of_contents_item a:visited, div.table_of_contents_item a:active { color: #000000; } div.table_of_contents_item a:hover { background-color: #000000; color: #FFFFFF; } div.content_section_text a:link, div.content_section_text a:visited, div.content_section_text a:active { background-color: #DCDFE6; color: #000000; } div.content_section_text a:hover { background-color: #000000; color: #DCDFE6; } div.validator { } </style> </head> <body> <div class="main_page"> <div class="page_header floating_element"> <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/> <span class="floating_element"> Apache2 Debian Default Page </span> </div> <!-- <div class="table_of_contents floating_element"> <div class="section_header section_header_grey"> TABLE OF CONTENTS </div> <div class="table_of_contents_item floating_element"> <a href="#about">About</a> </div> <div class="table_of_contents_item floating_element"> <a href="#changes">Changes</a> </div> <div class="table_of_contents_item floating_element"> <a href="#scope">Scope</a> </div> <div class="table_of_contents_item floating_element"> <a href="#files">Config files</a> </div> </div> --> <div class="content_section floating_element"> <div class="section_header section_header_red"> <div id="about"></div> It works! </div> <div class="content_section_text"> <p> This is the default welcome page used to test the correct operation of the Apache2 server after installation on Debian systems. If you can read this page, it means that the Apache HTTP server installed at this site is working properly. You should <b>replace this file</b> (located at <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server. </p> <p> If you are a normal user of this web site and don't know what this page is about, this probably means that the site is currently unavailable due to maintenance. If the problem persists, please contact the site's administrator. </p> </div> <div class="section_header"> <div id="changes"></div> Configuration Overview </div> <div class="content_section_text"> <p> Debian's Apache2 default configuration is different from the upstream default configuration, and split into several files optimized for interaction with Debian tools. The configuration system is <b>fully documented in /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full documentation. Documentation for the web server itself can be found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt> package was installed on this server. </p> <p> The configuration layout for an Apache2 web server installation on Debian systems is as follows: </p> <pre> /etc/apache2/ |-- apache2.conf | `-- ports.conf |-- mods-enabled | |-- *.load | `-- *.conf |-- conf-enabled | `-- *.conf |-- sites-enabled | `-- *.conf </pre> <ul> <li> <tt>apache2.conf</tt> is the main configuration file. It puts the pieces together by including all remaining configuration files when starting up the web server. </li> <li> <tt>ports.conf</tt> is always included from the main configuration file. It is used to determine the listening ports for incoming connections, and this file can be customized anytime. </li> <li> Configuration files in the <tt>mods-enabled/</tt>, <tt>conf-enabled/</tt> and <tt>sites-enabled/</tt> directories contain particular configuration snippets which manage modules, global configuration fragments, or virtual host configurations, respectively. </li> <li> They are activated by symlinking available configuration files from their respective *-available/ counterparts. These should be managed by using our helpers <tt> a2enmod, a2dismod, </tt> <tt> a2ensite, a2dissite, </tt> and <tt> a2enconf, a2disconf </tt>. See their respective man pages for detailed information. </li> <li> The binary is called apache2. Due to the use of environment variables, in the default configuration, apache2 needs to be started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>. <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the default configuration. </li> </ul> </div> <div class="section_header"> <div id="docroot"></div> Document Roots </div> <div class="content_section_text"> <p> By default, Debian does not allow access through the web browser to <em>any</em> file apart of those located in <tt>/var/www</tt>, <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a> directories (when enabled) and <tt>/usr/share</tt> (for web applications). If your site is using a web document root located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your document root directory in <tt>/etc/apache2/apache2.conf</tt>. </p> <p> The default Debian document root is <tt>/var/www/html</tt>. You can make your own virtual hosts under /var/www. This is different to previous releases which provides better security out of the box. </p> </div> <div class="section_header"> <div id="bugs"></div> Reporting Problems </div> <div class="content_section_text"> <p> Please use the <tt>reportbug</tt> tool to report bugs in the Apache2 package with Debian. However, check <a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0" rel="nofollow">existing bug reports</a> before reporting a new bug. </p> <p> Please report bugs specific to modules (such as PHP and others) to respective packages, not to the web server itself. </p> </div> </div> </div> <div class="validator"> </div> </body> </html>
            Parameter	Content-Security-Policy
            Evidence	default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'self';
            Solution	Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

      3. CSP: style-src unsafe-inline (1)

         1. GET http://localhost

            Alert tags	OWASP_2021_A05 POLICY_QA_STD = POLICY_PENTEST = SYSTEMIC CWE-693 OWASP_2017_A06 POLICY_DEV_STD =
            Alert description	Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
            Other info	style-src includes unsafe-inline.
            Request	Request line and header section (218 bytes) GET http://localhost HTTP/1.1 host: localhost user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 pragma: no-cache cache-control: no-cache Request body (0 bytes)
            Response	Status line and header section (717 bytes) HTTP/1.1 200 OK Date: Fri, 24 Oct 2025 15:21:59 GMT Server: Apache X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-XSS-Protection: 1; mode=block Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy: geolocation=(), microphone=(), camera=() Last-Modified: Sun, 25 Feb 2024 15:55:18 GMT ETag: "29cd-61236d1d67a20" Accept-Ranges: bytes Content-Length: 10701 Vary: Accept-Encoding Content-Type: text/html Response body (10701 bytes) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Apache2 Debian Default Page: It works</title> <style type="text/css" media="screen"> * { margin: 0px 0px 0px 0px; padding: 0px 0px 0px 0px; } body, html { padding: 3px 3px 3px 3px; background-color: #D8DBE2; font-family: Verdana, sans-serif; font-size: 11pt; text-align: center; } div.main_page { position: relative; display: table; width: 800px; margin-bottom: 3px; margin-left: auto; margin-right: auto; padding: 0px 0px 0px 0px; border-width: 2px; border-color: #212738; border-style: solid; background-color: #FFFFFF; text-align: center; } div.page_header { height: 99px; width: 100%; background-color: #F5F6F7; } div.page_header span { margin: 15px 0px 0px 50px; font-size: 180%; font-weight: bold; } div.page_header img { margin: 3px 0px 0px 40px; border: 0px 0px 0px; } div.table_of_contents { clear: left; min-width: 200px; margin: 3px 3px 3px 3px; background-color: #FFFFFF; text-align: left; } div.table_of_contents_item { clear: left; width: 100%; margin: 4px 0px 0px 0px; background-color: #FFFFFF; color: #000000; text-align: left; } div.table_of_contents_item a { margin: 6px 0px 0px 6px; } div.content_section { margin: 3px 3px 3px 3px; background-color: #FFFFFF; text-align: left; } div.content_section_text { padding: 4px 8px 4px 8px; color: #000000; font-size: 100%; } div.content_section_text pre { margin: 8px 0px 8px 0px; padding: 8px 8px 8px 8px; border-width: 1px; border-style: dotted; border-color: #000000; background-color: #F5F6F7; font-style: italic; } div.content_section_text p { margin-bottom: 6px; } div.content_section_text ul, div.content_section_text li { padding: 4px 8px 4px 16px; } div.section_header { padding: 3px 6px 3px 6px; background-color: #8E9CB2; color: #FFFFFF; font-weight: bold; font-size: 112%; text-align: center; } div.section_header_red { background-color: #CD214F; } div.section_header_grey { background-color: #9F9386; } .floating_element { position: relative; float: left; } div.table_of_contents_item a, div.content_section_text a { text-decoration: none; font-weight: bold; } div.table_of_contents_item a:link, div.table_of_contents_item a:visited, div.table_of_contents_item a:active { color: #000000; } div.table_of_contents_item a:hover { background-color: #000000; color: #FFFFFF; } div.content_section_text a:link, div.content_section_text a:visited, div.content_section_text a:active { background-color: #DCDFE6; color: #000000; } div.content_section_text a:hover { background-color: #000000; color: #DCDFE6; } div.validator { } </style> </head> <body> <div class="main_page"> <div class="page_header floating_element"> <img src="/icons/openlogo-75.png" alt="Debian Logo" class="floating_element"/> <span class="floating_element"> Apache2 Debian Default Page </span> </div> <!-- <div class="table_of_contents floating_element"> <div class="section_header section_header_grey"> TABLE OF CONTENTS </div> <div class="table_of_contents_item floating_element"> <a href="#about">About</a> </div> <div class="table_of_contents_item floating_element"> <a href="#changes">Changes</a> </div> <div class="table_of_contents_item floating_element"> <a href="#scope">Scope</a> </div> <div class="table_of_contents_item floating_element"> <a href="#files">Config files</a> </div> </div> --> <div class="content_section floating_element"> <div class="section_header section_header_red"> <div id="about"></div> It works! </div> <div class="content_section_text"> <p> This is the default welcome page used to test the correct operation of the Apache2 server after installation on Debian systems. If you can read this page, it means that the Apache HTTP server installed at this site is working properly. You should <b>replace this file</b> (located at <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server. </p> <p> If you are a normal user of this web site and don't know what this page is about, this probably means that the site is currently unavailable due to maintenance. If the problem persists, please contact the site's administrator. </p> </div> <div class="section_header"> <div id="changes"></div> Configuration Overview </div> <div class="content_section_text"> <p> Debian's Apache2 default configuration is different from the upstream default configuration, and split into several files optimized for interaction with Debian tools. The configuration system is <b>fully documented in /usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full documentation. Documentation for the web server itself can be found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt> package was installed on this server. </p> <p> The configuration layout for an Apache2 web server installation on Debian systems is as follows: </p> <pre> /etc/apache2/ |-- apache2.conf | `-- ports.conf |-- mods-enabled | |-- *.load | `-- *.conf |-- conf-enabled | `-- *.conf |-- sites-enabled | `-- *.conf </pre> <ul> <li> <tt>apache2.conf</tt> is the main configuration file. It puts the pieces together by including all remaining configuration files when starting up the web server. </li> <li> <tt>ports.conf</tt> is always included from the main configuration file. It is used to determine the listening ports for incoming connections, and this file can be customized anytime. </li> <li> Configuration files in the <tt>mods-enabled/</tt>, <tt>conf-enabled/</tt> and <tt>sites-enabled/</tt> directories contain particular configuration snippets which manage modules, global configuration fragments, or virtual host configurations, respectively. </li> <li> They are activated by symlinking available configuration files from their respective *-available/ counterparts. These should be managed by using our helpers <tt> a2enmod, a2dismod, </tt> <tt> a2ensite, a2dissite, </tt> and <tt> a2enconf, a2disconf </tt>. See their respective man pages for detailed information. </li> <li> The binary is called apache2. Due to the use of environment variables, in the default configuration, apache2 needs to be started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>. <b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the default configuration. </li> </ul> </div> <div class="section_header"> <div id="docroot"></div> Document Roots </div> <div class="content_section_text"> <p> By default, Debian does not allow access through the web browser to <em>any</em> file apart of those located in <tt>/var/www</tt>, <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a> directories (when enabled) and <tt>/usr/share</tt> (for web applications). If your site is using a web document root located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your document root directory in <tt>/etc/apache2/apache2.conf</tt>. </p> <p> The default Debian document root is <tt>/var/www/html</tt>. You can make your own virtual hosts under /var/www. This is different to previous releases which provides better security out of the box. </p> </div> <div class="section_header"> <div id="bugs"></div> Reporting Problems </div> <div class="content_section_text"> <p> Please use the <tt>reportbug</tt> tool to report bugs in the Apache2 package with Debian. However, check <a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0" rel="nofollow">existing bug reports</a> before reporting a new bug. </p> <p> Please report bugs specific to modules (such as PHP and others) to respective packages, not to the web server itself. </p> </div> </div> </div> <div class="validator"> </div> </body> </html>
            Parameter	Content-Security-Policy
            Evidence	default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'self';
            Solution	Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

      4. Hidden File Found (1)

         1. GET http://localhost/server-status

            Alert tags	OWASP_2021_A05 POLICY_QA_FULL = POLICY_PENTEST = CWE-538 WSTG-v42-CONF-05 OWASP_2017_A06
            Alert description	A sensitive file was identified as accessible or available. This may leak administrative, configuration, or credential information which can be leveraged by a malicious individual to further attack the system or conduct social engineering efforts.
            Other info	apache_server_status
            Request	Request line and header section (232 bytes) GET http://localhost/server-status HTTP/1.1 host: localhost user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 pragma: no-cache cache-control: no-cache Request body (0 bytes)
            Response	Status line and header section (640 bytes) HTTP/1.1 200 OK Date: Fri, 24 Oct 2025 15:23:26 GMT Server: Apache X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-XSS-Protection: 1; mode=block Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy: geolocation=(), microphone=(), camera=() Vary: Accept-Encoding Content-Length: 4756 Content-Type: text/html; charset=ISO-8859-1 Response body (4756 bytes) <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <title>Apache Status</title> </head><body> <h1>Apache Server Status for localhost (via 127.0.0.1)</h1> <dl><dt>Server Version: Apache/2.4.58 (Debian)</dt> <dt>Server MPM: prefork</dt> <dt>Server Built: 2024-01-05T17:42:09 </dt></dl><hr /><dl> <dt>Current Time: Friday, 24-Oct-2025 11:23:26 EDT</dt> <dt>Restart Time: Friday, 24-Oct-2025 11:21:41 EDT</dt> <dt>Parent Server Config. Generation: 1</dt> <dt>Parent Server MPM Generation: 0</dt> <dt>Server uptime: 1 minute 45 seconds</dt> <dt>Server load: 4.97 1.86 0.83</dt> <dt>Total accesses: 700 - Total Traffic: 1012 kB - Total Duration: 277</dt> <dt>CPU Usage: u.04 s.03 cu0 cs0 - .0667% CPU load</dt> <dt>6.67 requests/sec - 9.6 kB/second - 1480 B/request - .395714 ms/request</dt> <dt>3 requests currently being processed, 0 workers gracefully restarting, 5 idle workers</dt> </dl><pre>___W__KK........................................................ ................................................................ ......................</pre> <p>Scoreboard Key:<br /> "<b><code>_</code></b>" Waiting for Connection, "<b><code>S</code></b>" Starting up, "<b><code>R</code></b>" Reading Request,<br /> "<b><code>W</code></b>" Sending Reply, "<b><code>K</code></b>" Keepalive (read), "<b><code>D</code></b>" DNS Lookup,<br /> "<b><code>C</code></b>" Closing connection, "<b><code>L</code></b>" Logging, "<b><code>G</code></b>" Gracefully finishing,<br /> "<b><code>I</code></b>" Idle cleanup of worker, "<b><code>.</code></b>" Open slot with no current process<br /> </p> <table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU </th><th>SS</th><th>Req</th><th>Dur</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>Protocol</th><th>VHost</th><th>Request</th></tr> <tr><td><b>0-0</b></td><td>8300</td><td>0/12/12</td><td>_ </td><td>0.00</td><td>29</td><td>0</td><td>50</td><td>0.0</td><td>0.02</td><td>0.02 </td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>127.0.1.1:80</td><td nowrap>GET /etc/apache2?name=abc HTTP/1.1</td></tr> <tr><td><b>1-0</b></td><td>8301</td><td>0/55/55</td><td>_ </td><td>0.00</td><td>9</td><td>0</td><td>63</td><td>0.0</td><td>0.12</td><td>0.12 </td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>127.0.1.1:80</td><td nowrap>GET /var/www?name=abc HTTP/1.1</td></tr> <tr><td><b>2-0</b></td><td>8302</td><td>0/174/174</td><td>_ </td><td>0.02</td><td>3</td><td>0</td><td>37</td><td>0.0</td><td>0.22</td><td>0.22 </td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>127.0.1.1:80</td><td nowrap>GET /etc HTTP/1.1</td></tr> <tr><td><b>3-0</b></td><td>8303</td><td>52/153/153</td><td><b>W</b> </td><td>0.01</td><td>0</td><td>0</td><td>38</td><td>95.6</td><td>0.21</td><td>0.21 </td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>127.0.1.1:80</td><td nowrap>GET /server-status HTTP/1.1</td></tr> <tr><td><b>4-0</b></td><td>8304</td><td>0/112/112</td><td>_ </td><td>0.01</td><td>6</td><td>0</td><td>35</td><td>0.0</td><td>0.17</td><td>0.17 </td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>127.0.1.1:80</td><td nowrap>GET /var/www,?name=abc HTTP/1.1</td></tr> <tr><td><b>5-0</b></td><td>8461</td><td>0/102/102</td><td>_ </td><td>0.01</td><td>1</td><td>0</td><td>26</td><td>0.0</td><td>0.14</td><td>0.14 </td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>127.0.1.1:80</td><td nowrap>GET /icons HTTP/1.1</td></tr> <tr><td><b>6-0</b></td><td>8473</td><td>1/6/6</td><td><b>K</b> </td><td>0.00</td><td>0</td><td>0</td><td>1</td><td>1.1</td><td>0.03</td><td>0.03 </td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>127.0.1.1:80</td><td nowrap>GET /usr/share/doc/apache2/.htaccess HTTP/1.1</td></tr> <tr><td><b>7-0</b></td><td>8474</td><td>85/86/86</td><td><b>K</b> </td><td>0.01</td><td>0</td><td>0</td><td>25</td><td>88.0</td><td>0.10</td><td>0.10 </td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>127.0.1.1:80</td><td nowrap>GET /actuator/health HTTP/1.1</td></tr> </table> <hr /> <table> <tr><th>Srv</th><td>Child Server number - generation</td></tr> <tr><th>PID</th><td>OS process ID</td></tr> <tr><th>Acc</th><td>Number of accesses this connection / this child / this slot</td></tr> <tr><th>M</th><td>Mode of operation</td></tr> <tr><th>CPU</th><td>CPU usage, number of seconds</td></tr> <tr><th>SS</th><td>Seconds since beginning of most recent request</td></tr> <tr><th>Req</th><td>Milliseconds required to process most recent request</td></tr> <tr><th>Dur</th><td>Sum of milliseconds required to process all requests</td></tr> <tr><th>Conn</th><td>Kilobytes transferred this connection</td></tr> <tr><th>Child</th><td>Megabytes transferred this child</td></tr> <tr><th>Slot</th><td>Total megabytes transferred this slot</td></tr> </table> </body></html>
            Evidence	HTTP/1.1 200 OK
            Solution	Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc.