Penetration Testing mailing list archives
Re: how to isolate a virtual hosted website, in order to do a A&P?
From: Josh Richards <jrichard () digitalwest net>
Date: Mon, 10 Feb 2003 17:21:00 -0800
* dented-halo () hushmail com <dented-halo () hushmail com> [20030210 16:16]:
> A customer has asked me to take a look at his web page and "poke around". Initial investigation shows that it is hosted on a large web hosting company's IP# and is a virtual host off of that IP#.
Everything after the words "shows that.." is probably the first 50% of your security review. If the site is virtually hosted there's only so much that it can be secured. Even if your client is quite security conscious in all aspects of the code on his individual web site he's still got to worry about every other one of the web hosting company's customers on that box.
> Obviously hammering that main web hosting company's box would be a no-no, so how can I focus my security review on that client's specific box?
That's the problem -- there is no "client specific box" if it is virtually hosted. :)
> They are using Apache, not IIS. Any thoughts?
I think you've already completed over half of your security review for this client. :)

-jr

--
Josh Richards - <jrichard _at_ digitalwest.net>
Digital West Networks, Inc. - http://www.digitalwest.net
San Luis Obispo, CA 93401 - phone://+1-{888,805}-781-9378
DWNI - Making Internet Business Better

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/