Web servers are compromised for a number of reasons which may include any of the following: Improper file or directory permissions, installing the server with default settings, unnecessary services enabled, security conflicts, a lack of proper security policies, improper authorization with external systems, default accounts with default or no passwords, unnecessary default, backup, or sample files, misconfigurations, bugs in server software, OS, or web applications, misconfigured SSL certificates and encryption settings, administrative or debugging functions that are enabled or accessible on web servers or the use of self-signed certificates and/or default certificates.
Sample Solution