Penetration Testing mailing list archives
RE: Pentesting a Web Applicaton behind Akamai Technology
From: <peter.schaub () thomson com>
Date: Wed, 16 May 2007 14:51:26 -0400
Hi Greg, You should ask the clients for the 'origin' Ips (or DNS names) that correlate to the app you are testing. Or.... Try looking up 'origin-sitename.com' or 'origin.sitename.com' somehting along those lines if the client will not provide you the direct Ips or DNS names of the app. The origin IP address that the Akamai 'edge' servers (which you are currently seeing) connect back to get updated content from the client. Akamai is used as a content caching system (among many many other things), so their servers will take a bulk of the incoming requests, hold the data on their edge servers, serve the content when requested, and then will go back and hit the clients origin server, once the time to live on a specific object expires, to get new data. Hope this helps a bit. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of grd () netexpert ch Sent: Wednesday, May 16, 2007 9:42 AM To: pen-test () securityfocus com Subject: Pentesting a Web Applicaton behind Akamai Technology Hi everybody, I'm doing a Pentest on a Web Application for a client. The only information I have is the DNS name of the website. After doing the basic steps of footprint and enumeration, I found out that the IP adress of the website is not in the IP range of the client and is owned by Akamai Technology. It means that if I'm going on with the furter steps of pentesting, I'll pentest Akamai and not the "real" website of the client. Is there a way to find the "real" IP address of the website ? Has everyone faced this kind of configuration ? For information, this is the header of the website when attempting a page that doesn't exist : HTTP/1.0 400 Bad Request Server: AkamaiGHost Mime-Version: 1.0 Content-Type: text/html Content-Length: 186 Expires: Wed, 16 May 2007 13:39:42 GMT Date: Wed, 16 May 2007 13:39:42 GMT Connection: close Thanks, Greg ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Pentesting a Web Applicaton behind Akamai Technology grd (May 16)
- RE: Pentesting a Web Applicaton behind Akamai Technology peter.schaub (May 16)
- Re: Pentesting a Web Applicaton behind Akamai Technology Lee Lawson (May 17)
- Pentesting a Web Applicaton Stong, Ian C CTR DISA GIG-CS (May 31)
- Re: Pentesting a Web Applicaton Ed Hottle (May 31)
- Re: Pentesting a Web Applicaton Anders Thulin (May 31)
- RE: Pentesting a Web Applicaton Erin Carroll (May 31)
- Re: Pentesting a Web Applicaton behind Akamai Technology Lee Lawson (May 17)
- RE: Pentesting a Web Applicaton behind Akamai Technology peter.schaub (May 16)
- Re: Pentesting a Web Applicaton behind Akamai Technology Dotzero (May 17)