Hi, first, poking around the website is fairly benign as long as any exploits you poke at it with are specifically only at forms, CGIs, applets, and scripts for the customer's particular website. It is also up to the client to tell the ISP what he is asking for, and it is your job to remind the client of this. You are not to notify the ISP nor get involved in their contract dispute over whether or not they may authorize a security test. You may not test anything that isn't similar to normal web traffic or which may disrupt the other customers hosted on that server or with that ISP. You are restricted to mostly the Information Security Testing modules of the OSSTMM (www.osstmm.org). You must also tell the client that while he is virtually hosted, there is nothing you can do for him in the way of security that can't be undone by the insecurity of other hosts.

I don't remember who it was anymore, but one hacker's claim to fame was defacing 900 web pages in a minute -- he broke into a web server and scripted a replace of all the index pages on the server, which affected some 900 customers on that server.

Sincerely,
-pete.
www.isecom.org

-----Original Message-----
From: dented-haloat_private [mailto:dented-haloat_private]
Sent: Friday, February 07, 2003 8:01 AM
To: pen-testat_private
Subject: how to isolate a virtual hosted website, in order to do a A&P?

A customer has asked me to take a look at his web page and "poke around". Initial investigation shows that it is hosted on a large web hosting company's IP# and is a virtual host off of that IP#. Obviously hammering that main web hosting company's box would be a no-no, so how can I focus my security review on that client's specific box? They are using Apache, not IIS. Any thoughts?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Feb 11 2003 - 06:40:48 PST
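Pete's answer comes down to keeping every request on the client's own hostname: on a name-based Apache virtual host the HTTP Host header, not the shared IP address, selects which customer's site answers, so a request aimed at the bare IP or at any other name lands on the default vhost or on another customer. The following scope guard is an added example, not code from the list thread; the authorized hostnames, the sample IP and the allowed port set are constructed placeholders.

```python
"""Scope guard for testing one name-based virtual host on a shared IP (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder: hostnames the client owns and has authorized.
# Every other site answering on the same IP belongs to another customer.
AUTHORIZED_HOSTS = {"www.client.example", "client.example"}
WEB_PORTS = {None, 80, 443}  # ordinary web traffic; anything else is out of scope


def in_scope(url, authorized=AUTHORIZED_HOSTS):
    """Return (ok, reason) for one request URL.

    On a name-based vhost the Host header, not the IP, selects the site, so a
    request to the bare IP or to a name the client does not own lands on
    Apache's default vhost or another customer's site and is refused here.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "only HTTP/HTTPS resembles normal web traffic"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "URL carries no hostname"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a DNS name, as expected
    else:
        return False, "IP-literal target selects the default vhost, not the client's site"
    if parts.port not in WEB_PORTS:
        return False, f"port {parts.port} is not normal web traffic"
    if host.rstrip(".") not in authorized:
        return False, f"{host} is not an authorized host on this shared server"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: client's CGI, a bare-IP request, another customer, odd port.
    for url in ("https://www.client.example/cgi-bin/form.cgi", "http://203.0.113.10/",
                "http://other-customer.example/", "http://www.client.example:8080/"):
        print(url, "->", in_scope(url))
```

Run it before each request (or over a whole target list) and drop anything that comes back refused; the reason string is what you hand the client when explaining why a URL was left alone.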