From: Martin Walker (Martin.Walker@ctg.com)
Date: Wed Feb 12 2003 - 09:37:06 EST
while I agree somewhat with some of the specifics I disagree strongly with the main implication.
the main implication of this email is that "it's OK to test the clients web site on a hosted system as long as the client requests it"
uh uh. you have no agreement with the hosting company and that's the box/application you are testing. makes no difference if the customer of hosting company has asked you to do it UNLESS that privilege is specifically granted to the client in their agreement with the hosting company. In my experience this is highly unlikely to say the least. Doesn't matter how "benign" the tests. If you are attempting to hack the box the hosting company can chase you (and in my opinion should).
Does your client proivide you with an "indemnify and hold harmless" clause in your written contract with them? does it specifically address this area? I'll bet not. Even if they do, the hosting company can still come after you, at best indemnify and hold harmless will just make the client pay your legal costs and any civil damages and will not help at all in a criminal case.
It *IS* your repsonsibility to ensure that your ass is covered. That means written agreement between all three parties describing what will and will not be done by each of the parties.
>first, poking around the website is fairly benign as long as any exploits
>yoo poke at it with are specifically only at forms, CGIs, applets, and
>scripts for the customer's particular website.
NOPE. The application and the platform itself are at the hosting company, on their network and are their business. If they catch you and their policy is to pursue for criminal or civil damages an agreement with your client makes no difference. It's almost like you and me having an agreement that its ok to hack Mitnicks site.
>It is also up to the client to tell the ISP what he is asking for and it is
>your job to remind the client of this. You are not to notify the ISP nor
yeah, well the client may not be able to "tell" the isp anything. typically these relationships are governed by contract language. Most IT shops are really terrible about negotiating agreements and don't know how to read or write contract language. Typically legal departments only know enough about IT operations to make sure the contract is binding *NOT* that it lets you do what you want. The results? Vendor paper is completely one-sided and biased. I have never seen any standard vendor paper that lets any arbitrary person attack the hosting site regardless of any other agreeements.
and lets be clear here, there is NO difference between an attack and a security test other than the intent. Certainly no difference that an ISP cares about when you threaten their business.
>get involved in their contract dispute over whether or not they may
>authorize a security test. You may not test anything that isn't similar to
>normal web traffic or which may disrupt the other customers hosted on that
>server or with that ISP. You are restricted to mostly the Information
>Security Testing modules of the OSSTMM (www.osstmm.org).
while it is not your business to get in a contract dispute it is your business to ensure that what you are doing is legal. that means that you need to have been granted the responsibility and authoriity for performing the tests BY AN ENTITY THAT HAS THE LEGAL RIGHT TO GRANT SAID AUTHORITY. If the agreement between the ISP and client does not grant your client that authority specifically, you have no legal basis for conducting the test.
>You must also tell the client that while he is virtually hosted, there is
>nothing you can do for him in the way of security that can't be undone by
>the insecurity of other hosts. I don't remember who it was anymore, but one
>hacker's claim to fame was defacing 900 web pages in a minute-- he broke
>into a web server and scripted a replce of all the index pages on the server
>which affected some 900 customers on that server.
right on!
>-pete.
>www.isecom.org
-----Original Message-----
From: dented-halo@hushmail.com [mailto:dented-halo@hushmail.com]
Sent: Friday, February 07, 2003 8:01 AM
To: pen-test@securityfocus.com
Subject: how to isolate a virtual hosted website, in order to do a A&P?
a customer has asked me to take a look at his web page and "poke around",
initial investigation shows that it is hosted on a large web hosting
companies IP# and is a virtual host off of that IP#.
Obviously hammering that main webhosting companies box would be a no no,
so how can i focus my security review on that clients specific box?
they are using apache, not IIS.
Any thoughts?
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:28 EDT