Re: [PEN-TEST] Load Balancing Servers

[ollie-infosec () HUSHMAIL COM]

Hi,

> That's not entirely true... the problem is more that you cannot select
which
> server you attack.
This may be correct but typically I have found in the past (with exception
of one client) that HTTP application based attacks will hit the same server
due to the client using either source IP stickiness or Cookie stickiness
(Intel/Cisco) due to the way their application functions.

Also alot of clients are kind to you by putting in their httpd.conf the
name of the machine i.e. web01 .... etc so also u need to do is get the
site to generate a 401 and apache (granted by default) will give u the name
they have configured it with so u can test if you are hitting the same servers.

> Assuming that load balancing servers are all mirrors of
> each other, it shouldn't really matter what you test. Find a
> vulnerability/weakness on one server, and you can more or less assume
you
> got the same problem on the mirrors too.

Yeah but there is also the fly-by-night company that could of set the equipment
up and considered setting up the machines different created security though
obscurity (;o)). Also on a more serious note depends if your working with
distributed load balancers that spread across different geo-graphic regions
and are administered by different teams. Assume nothing in my opinion.

Rgds

Ollie