![pen-test logo](/images/pen-test-logo.png)
Penetration Testing mailing list archives
Re: Pentesting a Web Applicaton behind Akamai Technology
From: "Lee Lawson" <leejlawson () gmail com>
Date: Thu, 17 May 2007 08:33:11 +0100
yes, you will have to explain to the client that the systems they have pointed you at are not within their responsibility. This means that the agreement (which I assume you have) with the client is useless, and therefore the penetration testing of those systems is illegal punishable by a minimum of 10 years in jail (depending on which part of the legislation you get caught on!). When I arrange pen testing, I have a form that the client fills in and signs, this includes all the relevant information (points of contact, target systems etc). If they have any hosted systems, such as your scenario, I instruct the client to inform the hosting party and get their authorisation. The hosting party sign the agreement too. On 5/16/07, peter.schaub () thomson com <peter.schaub () thomson com> wrote:
Hi Greg, You should ask the clients for the 'origin' Ips (or DNS names) that correlate to the app you are testing. Or.... Try looking up 'origin-sitename.com' or 'origin.sitename.com' somehting along those lines if the client will not provide you the direct Ips or DNS names of the app. The origin IP address that the Akamai 'edge' servers (which you are currently seeing) connect back to get updated content from the client. Akamai is used as a content caching system (among many many other things), so their servers will take a bulk of the incoming requests, hold the data on their edge servers, serve the content when requested, and then will go back and hit the clients origin server, once the time to live on a specific object expires, to get new data. Hope this helps a bit. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of grd () netexpert ch Sent: Wednesday, May 16, 2007 9:42 AM To: pen-test () securityfocus com Subject: Pentesting a Web Applicaton behind Akamai Technology Hi everybody, I'm doing a Pentest on a Web Application for a client. The only information I have is the DNS name of the website. After doing the basic steps of footprint and enumeration, I found out that the IP adress of the website is not in the IP range of the client and is owned by Akamai Technology. It means that if I'm going on with the furter steps of pentesting, I'll pentest Akamai and not the "real" website of the client. Is there a way to find the "real" IP address of the website ? Has everyone faced this kind of configuration ? For information, this is the header of the website when attempting a page that doesn't exist : HTTP/1.0 400 Bad Request Server: AkamaiGHost Mime-Version: 1.0 Content-Type: text/html Content-Length: 186 Expires: Wed, 16 May 2007 13:39:42 GMT Date: Wed, 16 May 2007 13:39:42 GMT Connection: close Thanks, Greg ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
-- Lee J Lawson leejlawson () gmail com "Give a man a fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life." "Quidquid latine dictum sit, altum sonatur." ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Pentesting a Web Applicaton behind Akamai Technology grd (May 16)
- RE: Pentesting a Web Applicaton behind Akamai Technology peter.schaub (May 16)
- Re: Pentesting a Web Applicaton behind Akamai Technology Lee Lawson (May 17)
- Pentesting a Web Applicaton Stong, Ian C CTR DISA GIG-CS (May 31)
- Re: Pentesting a Web Applicaton Ed Hottle (May 31)
- Re: Pentesting a Web Applicaton Anders Thulin (May 31)
- RE: Pentesting a Web Applicaton Erin Carroll (May 31)
- Re: Pentesting a Web Applicaton behind Akamai Technology Lee Lawson (May 17)
- RE: Pentesting a Web Applicaton behind Akamai Technology peter.schaub (May 16)
- Re: Pentesting a Web Applicaton behind Akamai Technology Dotzero (May 17)