RE: how to isolate a virtual hosted website, in order to do a A&P?

From: Pete Herzog (lists@isecom.org)
Date: Tue Feb 11 2003 - 03:48:22 EST


Hi,

First, poking around the website is fairly benign as long as any exploits
you poke at it with are aimed specifically and only at forms, CGIs, applets,
and scripts for the customer's particular website.

It is also up to the client to tell the ISP what he is asking for, and it is
your job to remind the client of this. You are not to notify the ISP or
get involved in their contract dispute over whether or not they may
authorize a security test. You may not test anything that isn't similar to
normal web traffic or which may disrupt the other customers hosted on that
server or with that ISP. You are mostly restricted to the Information
Security Testing modules of the OSSTMM (www.osstmm.org).

You must also tell the client that while he is virtually hosted, there is
nothing you can do for him in the way of security that can't be undone by
the insecurity of other hosts. I don't remember who it was anymore, but one
hacker's claim to fame was defacing 900 web pages in a minute -- he broke
into a web server and scripted a replacement of all the index pages on the
server, which affected some 900 customers on that server.

Sincerely,

-pete.
www.isecom.org

-----Original Message-----
From: dented-halo@hushmail.com [mailto:dented-halo@hushmail.com]
Sent: Friday, February 07, 2003 8:01 AM
To: pen-test@securityfocus.com
Subject: how to isolate a virtual hosted website, in order to do a A&P?

A customer has asked me to take a look at his web page and "poke around".
Initial investigation shows that it is hosted on a large web hosting
company's IP# and is a virtual host off of that IP#.

Obviously hammering that main web hosting company's box would be a no-no,
so how can I focus my security review on that client's specific box?

They are using Apache, not IIS.

Any thoughts?
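The practical answer to the question above, and the way to stay inside the "normal web traffic, this customer's site only" limit Pete describes, is that on a name-based virtual host the Host header, not the IP, decides which customer's site answers. The following is an added example, not code from either post: a tiny local server stands in for the shared hosting box and serves a different page per Host header the way a shared Apache server does, and a scoped client only ever sends requests for the one authorised hostname. The hostnames, pages and port are constructed for the demo; the "first vhost answers unmatched Host headers" behaviour is Apache's documented default for name-based hosting.

```python
"""Added example (not from the original list posts): aiming HTTP tests at
one name-based virtual host on a shared IP, and refusing anything out of
scope. A tiny local server stands in for the hosting company's box and
serves different content per Host header, as a shared Apache box does.
All hostnames, pages and the port are constructed for this demo."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed vhost table: the customer's site plus one unrelated neighbour.
VHOSTS = {
    "client.example": b"<h1>client site</h1>",
    "neighbour.example": b"<h1>some other customer's site</h1>",
}
# Apache hands a request whose Host matches no vhost to the first vhost
# defined for that address; here that is the neighbour, not our client.
DEFAULT_VHOST = "neighbour.example"


class VHostHandler(BaseHTTPRequestHandler):
    """Pick the page by Host header, ignoring the (shared) IP it came in on."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, VHOSTS[DEFAULT_VHOST])
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_shared_host():
    """Start the stand-in hosting box on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class ScopedClient:
    """Talks to the shared IP, but only ever for the one authorised vhost."""

    def __init__(self, ip, port, in_scope_host):
        self.ip, self.port = ip, port
        self.scope = in_scope_host.lower()

    def get(self, url):
        host = (urlsplit(url).hostname or "").lower()
        if host != self.scope:
            # Scope guard: any other customer's site is off limits.
            raise PermissionError(f"{host} is not the authorised vhost")
        conn = http.client.HTTPConnection(self.ip, self.port, timeout=5)
        # The Host header, not the IP, selects the vhost on the server.
        conn.request("GET", urlsplit(url).path or "/", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return resp.status, body


def fetch_bare_ip(ip, port):
    """What a scanner sees when it hits the IP with no Host header at all:
    the server's default vhost, i.e. somebody else's site."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    conn.endheaders()
    body = conn.getresponse().read()
    conn.close()
    return body


def demo():
    """Run the three cases: in-scope fetch, out-of-scope refusal, bare IP."""
    srv = start_shared_host()
    ip, port = srv.server_address
    client = ScopedClient(ip, port, "client.example")
    status, body = client.get("http://client.example/index.html")
    try:
        client.get("http://neighbour.example/")
        blocked = False
    except PermissionError:
        blocked = True
    bare = fetch_bare_ip(ip, port)
    srv.shutdown()
    srv.server_close()
    return status, body, blocked, bare


if __name__ == "__main__":
    print(demo())
```

The point of `fetch_bare_ip` is the trap in the original question: a scanner pointed at the hosting company's IP address, or one that sends no Host header, lands on the server's default virtual host, which on a shared box is some other customer, exactly the traffic the reply says you may not send. The same selection happens on HTTPS through the TLS server name (SNI) plus the Host header, so a TLS client has to be given the customer's hostname as well, not just the IP.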

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:27 EDT