RE: Pentesting a Web Applicaton behind Akamai Technology

From: peter.schaub@thomson.com
Date: Wed May 16 2007 - 14:51:26 EDT

• Next message: Jason Chambers: "Re: Sneaking a peek on Wlan in airports"
• Previous message: Shenk, Jerry A: "RE: Sneaking a peek on Wlan in airports"
• In reply to: grd@netexpert.ch: "Pentesting a Web Applicaton behind Akamai Technology"
• Next in thread: Lee Lawson: "Re: Pentesting a Web Applicaton behind Akamai Technology"
• Reply: Lee Lawson: "Re: Pentesting a Web Applicaton behind Akamai Technology"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Greg,
You should ask the clients for the 'origin' Ips (or DNS names) that
correlate to the app you are testing.
Or....
Try looking up 'origin-sitename.com' or 'origin.sitename.com' somehting
along those lines if the client will not provide you the direct Ips or
DNS names of the app.

The origin IP address that the Akamai 'edge' servers (which you are
currently seeing) connect back to get updated content from the client.
Akamai is used as a content caching system (among many many other
things), so their servers will take a bulk of the incoming requests,
hold the data on their edge servers, serve the content when requested,
and then will go back and hit the clients origin server, once the time
to live on a specific object expires, to get new data.

Hope this helps a bit.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of grd@netexpert.ch
Sent: Wednesday, May 16, 2007 9:42 AM
To: pen-test@securityfocus.com
Subject: Pentesting a Web Applicaton behind Akamai Technology

Hi everybody,

I'm doing a Pentest on a Web Application for a client. The only
information I have is the DNS name of the website. After doing the basic
steps of footprint and enumeration, I found out that the IP adress of
the website is not in the IP range of the client and is owned by Akamai
Technology. It means that if I'm going on with the furter steps of
pentesting, I'll pentest Akamai and not the "real" website of the
client.

Is there a way to find the "real" IP address of the website ?

Has everyone faced this kind of configuration ?

For information, this is the header of the website when attempting a
page that doesn't exist :

HTTP/1.0 400 Bad Request

Server: AkamaiGHost

Mime-Version: 1.0

Content-Type: text/html

Content-Length: 186

Expires: Wed, 16 May 2007 13:39:42 GMT

Date: Wed, 16 May 2007 13:39:42 GMT

Connection: close

Thanks,

Greg

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic See HOW Now with our 20/20
program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

• Next message: Jason Chambers: "Re: Sneaking a peek on Wlan in airports"
• Previous message: Shenk, Jerry A: "RE: Sneaking a peek on Wlan in airports"
• In reply to: grd@netexpert.ch: "Pentesting a Web Applicaton behind Akamai Technology"
• Next in thread: Lee Lawson: "Re: Pentesting a Web Applicaton behind Akamai Technology"
• Reply: Lee Lawson: "Re: Pentesting a Web Applicaton behind Akamai Technology"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:47 EDT