
I was learning about port scanning and I understand the what, why and how. However, I do not understand why a bug bounty hunter or a penetration tester (strictly for web app assessment) would run a port scan on a web domain.

Let's say that through SSRF someone is able to do an internal port scan and even find open ports. The potential damage would be on the server itself, right? If a vulnerable service is running on an open port, and it's possible that the domain is hosted on a third-party hosting service, what's the damage to the domain itself?

The only damage I can think of is the server getting owned completely, hence the domain being damaged, but is there any other reason?

  • What do you understand by the words domain and server? A domain (name) can simply be interpreted as a string representing an IP address of a server in this context.
    – Yuriko
    Commented Oct 10, 2022 at 22:03

1 Answer


A domain is just a pointer; it can point to another domain or to an IP address. Port scanning a domain is like port scanning an IP. Some domains will have a server farm serving web content, some will resolve to different IP addresses depending on the geographical origin of the request, but in the end it's just an IP.

The potential damage will depend on a lot of factors: is the web content served inside or outside of the organization? Does the server host other services (like email, databases)? How is the security perimeter around this server?

Sometimes the webserver is not even the final target. The server may host other services (code repository, database, an internal portal) and scanning the IP behind the domain may let the attacker discover those services.

The only damage I can think of is the server getting owned completely

Owning the server completely might not be the worst outcome. Slightly owning the server, while collecting all credentials and poisoning responses, would be worse. A defaced server gets noticed pretty fast, is taken down and recreated. It would take a lot longer to detect a slightly modified server that injects JavaScript depending on the client IP (or the referrer, or OS), or that stores credentials in a legitimate file that is never linked from outside.
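The two mechanisms the answer describes, as an added example that is not part of the question or the answer: an SSRF endpoint used as a port-scan oracle (the app is made to fetch http://127.0.0.1:<port>/ and the attacker tells open, closed and filtered ports apart from the leaked error text and timing), and a check for a "slightly owned" server that injects JavaScript only for some clients (fetch the same page under several client profiles and diff the script tags). Everything runs against a local stand-in HTTP server; the assumptions, labelled in the code, are that the vulnerable endpoint echoes the underlying exception to its caller and that the stand-in server cloaks its injected script on the User-Agent header.

```python
"""Added example: SSRF as a port-scan oracle, plus a cloaked-injection check.
Assumptions: the SSRF-prone endpoint leaks exception text (common in practice),
and the constructed stand-in server injects a script only for Windows clients."""
import http.server
import re
import socket
import socketserver
import threading
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Sequence, Tuple

ProbeResult = Tuple[str, float]            # (leaked outcome text, elapsed seconds)
Fetcher = Callable[[str, float], ProbeResult]


def vulnerable_fetch(url: str, timeout: float = 2.0, user_agent: str = "scanner") -> ProbeResult:
    """Stand-in for a 'fetch this URL for me' endpoint that is open to SSRF.
    Assumption: it returns the raw exception text to the caller."""
    start = time.monotonic()
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            outcome = f"HTTP {resp.status}: " + resp.read().decode("utf-8", "replace")
    except urllib.error.URLError as exc:    # refused, unreachable, timed out
        outcome = f"error: {exc.reason}"
    except Exception as exc:                # a non-HTTP service answered with junk
        outcome = f"error: {exc}"
    return outcome, time.monotonic() - start


def classify(outcome: str, elapsed: float, timeout: float) -> str:
    """Map one leaked outcome to a port state, the way a blind scanner would."""
    text = outcome.lower()
    if text.startswith("http "):
        return "open"
    if "refused" in text:
        return "closed"                     # RST came back: nothing is listening
    if "timed out" in text or elapsed >= 0.9 * timeout:
        return "filtered"                   # dropped by a firewall or no route
    return "open"                           # something answered, just not HTTP


def scan_via_ssrf(fetch: Fetcher, host: str, ports: Sequence[int], timeout: float = 2.0) -> Dict[int, str]:
    """Drive the SSRF primitive once per port and classify each response."""
    return {p: classify(*fetch(f"http://{host}:{p}/", timeout), timeout) for p in ports}


SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def detect_cloaked_scripts(url: str, profiles: Sequence[str], timeout: float = 2.0) -> Dict[str, List[str]]:
    """Fetch `url` once per User-Agent profile; return the <script> tags that are
    not common to every profile, keyed by the profile that received them."""
    seen = {ua: SCRIPT_RE.findall(vulnerable_fetch(url, timeout, ua)[0]) for ua in profiles}
    common = set.intersection(*(set(tags) for tags in seen.values())) if seen else set()
    return {ua: [s for s in tags if s not in common] for ua, tags in seen.items() if set(tags) - common}


INJECTED = '<script src="//cdn.example.invalid/stats.js"></script>'   # constructed payload


class _InternalPortal(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an internal service that has been 'slightly owned'."""
    def do_GET(self):
        body = "<html><body>internal portal"
        if "Windows" in self.headers.get("User-Agent", ""):   # cloaked injection (assumption)
            body += INJECTED
        body += "</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *_):              # keep the demo quiet
        pass


def start_stand_in_service() -> Tuple[socketserver.TCPServer, int]:
    srv = socketserver.TCPServer(("127.0.0.1", 0), _InternalPortal)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def pick_closed_port() -> int:
    """Bind an ephemeral port and release it; assume nothing grabs it meanwhile."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Tuple[Dict[int, str], int, int, Dict[str, List[str]]]:
    srv, open_port = start_stand_in_service()
    closed_port = pick_closed_port()
    try:
        states = scan_via_ssrf(vulnerable_fetch, "127.0.0.1", [open_port, closed_port])
        cloaked = detect_cloaked_scripts(f"http://127.0.0.1:{open_port}/",
                                         ["curl/8.0", "Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (X11; Linux)"])
    finally:
        srv.shutdown()
        srv.server_close()
    return states, open_port, closed_port, cloaked


if __name__ == "__main__":
    states, op, cp, cloaked = demo()
    print(f"port {op}: {states[op]}, port {cp}: {states[cp]}")
    for ua, tags in cloaked.items():
        print(f"only {ua!r} received: {tags}")
```

The classifier is the whole point of the first half: an SSRF bug is only a scanner because the application leaks a different observable per port state, so the fix on the defending side is to collapse those differences (same generic error, same delay, or better, an allow-list of destinations). The second half is a cheap detection: compare the page as several clients see it, because an injection that is keyed on IP, referrer or OS is invisible to whoever only checks from the office.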
