Information Gathering / Default Apache Web Page
## Description

The Default Apache Web Page vulnerability is an attack technique that occurs in web and API applications and is categorized as Information Gathering. It is identified as CWE-598 and occurs when an attacker can access the default Apache web page on a target web server. This page can reveal information about the web server, such as the version of Apache in use and the list of installed modules. This information can be used to identify the server’s vulnerabilities and to plan an attack. As per the OWASP Testing Guide, an attacker can access the default Apache web page to enumerate the applications and services running on the server and to identify weaknesses in the web server configuration.

## Risk

This vulnerability can pose a severe risk to an organization, as the attacker can gain access to sensitive information about the web server, such as the version of Apache used, the list of installed modules, and the web server configuration. This information can be used to identify weaknesses in the web server configuration and to plan an attack. Additionally, the attacker can use this information to exploit the web server and gain access to the application, databases, and internal networks.

## Solution

The best way to protect against this vulnerability is to secure the default Apache web page by disabling directory listing and adding secure access control. Organizations should also deploy data encryption and patch management best practices to ensure that the web server is up to date and secure.

## Example

Below is an example of how to disable directory listing in Apache:
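
The following configuration is an added example, not taken from the original page. It shows a weak setup (commented out) beside a hardened one for the points made under Solution, using Apache 2.4 syntax; the document root `/var/www/html`, the admin range `192.0.2.0/24`, and the choice to also restrict the status and info handlers are assumptions to adapt.

```apache
# Added example. Paths and address ranges are assumed placeholders.

# --- Weak configuration (for comparison only, left commented out) ---
# "Indexes" makes Apache generate a listing for any directory that has
# no index file; "Full" and "On" put the version and module details
# into response headers and server-generated pages.
#
# <Directory "/var/www/html">
#     Options Indexes FollowSymLinks
#     Require all granted
# </Directory>
# ServerTokens Full
# ServerSignature On

# --- Hardened configuration ---

# Send only "Server: Apache" with no version, OS or module details.
ServerTokens Prod

# Omit the version footer from error pages and other generated pages.
ServerSignature Off

<Directory "/var/www/html">
    # -Indexes disables automatic directory listings; a request for a
    # directory without an index file now returns 403 instead.
    Options -Indexes +FollowSymLinks

    # Prevent .htaccess files from switching Indexes back on.
    AllowOverride None

    Require all granted
</Directory>

# Access control for the built-in diagnostic pages, which expose the
# module list and live configuration when mod_status or mod_info is loaded.
<LocationMatch "^/server-(status|info)">
    Require ip 192.0.2.0/24
</LocationMatch>
```

Check the syntax with `apachectl configtest` before reloading, and replace the packaged default `index.html` in the document root with the site's own content.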