Apache HTTP Server¶
Information
Category: Web Server
Tags: 'web' 'http' 'apache'
Criticality: 🔴 High
Description¶
Apache HTTP Server is a free and open-source cross-platform web server software. It is one of the most widely used web servers globally. Identifying its configuration files during a pentest is critical for discovering virtual hosts, finding hidden directories, and identifying misconfigurations like enabled directory listing or server status pages.
Configuration Files¶
Log Files¶
# Debian/Ubuntu
/var/log/apache2/access.log
/var/log/apache2/error.log
# RedHat/CentOS
/var/log/httpd/access_log
/var/log/httpd/error_log
# Windows (XAMPP example)
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
# macOS
/var/log/apache2/access_log
/var/log/apache2/error_log
Sensitive Files¶
Credentials and sensitive data
The following files may contain critical information:
.htaccess- Per-directory configuration file, can override main config.htpasswd- Stores usernames and passwords for Basic Authentication/etc/apache2/envvars- Environment variables, might contain sensitive data
Backup files
Don't forget to check for backups:
httpd.conf.bakapache2.conf.old*.conf.save
Data Directories¶
# Default Web Root (Debian/Ubuntu)
/var/www/html/
# Default Web Root (RedHat/CentOS)
/var/www/html/
# XAMPP / WAMP Default
C:\xampp\htdocs\
C:\wamp64\www\
# macOS Default
/Library/WebServer/Documents/
Pentest Tips¶
Reconnaissance
- Identify Version: Check HTTP response headers (
Server: Apache/2.4.41) or default error pages. - Server Status: Check if
mod_statusis enabled by navigating to/server-statusor/server-info.
Enumeration
- Look for exposed
.htaccessfiles which can reveal internal paths and configurations. - Search configuration files for
Require all granted,Options +Indexes(directory listing enabled), or alias/proxy configurations.
Exploitation
- Exploit LFI (Local File Inclusion) to read
/etc/apache2/apache2.confor/etc/apache2/sites-enabled/000-default.confto discover other internal endpoints. - Read
.htpasswdfiles via LFI and crack them using John the Ripper or Hashcat.
Useful Commands¶
# Check if service is running
systemctl status apache2 # Debian/Ubuntu
systemctl status httpd # RHEL/CentOS
# Test configuration syntax
apache2ctl configtest
apachectl -t
# Display virtual hosts
apache2ctl -S
httpd -S
# Display compiled modules
apache2ctl -M
# Find all .htaccess files
find /var/www/ -name ".htaccess"
# Read real-time access logs
tail -f /var/log/apache2/access.log
Hardening¶
Best practices
- Disable directory listing (
Options -Indexes). - Hide server version by setting
ServerTokens ProdandServerSignature Off. - Disable unnecessary modules to reduce the attack surface.
- Restrict access to
/server-status. - Run Apache as a non-privileged user (e.g.,
www-data).
Metadata¶
- Template version: 1.0
- Last updated: 2026-04
- Contributor: AI Assistant
- Sources verified: Yes