Re: Pentesting a Web Applicaton behind Akamai Technology

["Lee Lawson" <leejlawson () gmail com>]

yes, you will have to explain to the client that the systems they have
pointed you at are not within their responsibility.  This means that
the agreement (which I assume you have) with the client is useless,
and therefore the penetration testing of those systems is illegal
punishable by a minimum of 10 years in jail (depending on which part
of the legislation you get caught on!).

When I arrange pen testing, I have a form that the client fills in and
signs, this includes all the relevant information (points of contact,
target systems etc).  If they have any hosted systems, such as your
scenario, I instruct the client to inform the hosting party and get
their authorisation.  The hosting party sign the agreement too.




On 5/16/07, peter.schaub () thomson com <peter.schaub () thomson com> wrote:
> Hi Greg,
> You should ask the clients for the 'origin' Ips (or DNS names) that
> correlate to the app you are testing.
> Or....
> Try looking up 'origin-sitename.com' or 'origin.sitename.com' somehting
> along those lines if the client will not provide you the direct Ips or
> DNS names of the app.
>
> The origin IP address that the Akamai 'edge' servers (which you are
> currently seeing) connect back to get updated content from the client.
> Akamai is used as a content caching system (among many many other
> things), so their servers will take a bulk of the incoming requests,
> hold the data on their edge servers, serve the content when requested,
> and then will go back and hit the clients origin server, once the time
> to live on a specific object expires, to get new data.
>
> Hope this helps a bit.
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of grd () netexpert ch
> Sent: Wednesday, May 16, 2007 9:42 AM
> To: pen-test () securityfocus com
> Subject: Pentesting a Web Applicaton behind Akamai Technology
>
> Hi everybody,
>
>
>
> I'm doing a Pentest on a Web Application for a client. The only
> information I have is the DNS name of the website. After doing the basic
> steps of footprint and enumeration, I found out that the IP adress of
> the website is not in the IP range of the client and is owned by Akamai
> Technology. It means that if I'm going on with the furter steps of
> pentesting, I'll pentest Akamai and not the "real" website of the
> client.
>
>
>
> Is there a way to find the "real" IP address of the website ?
>
>
>
> Has everyone faced this kind of configuration ?
>
>
>
> For information, this is the header of the website when attempting a
> page that doesn't exist :
>
>
>
> HTTP/1.0 400 Bad Request
>
> Server: AkamaiGHost
>
> Mime-Version: 1.0
>
> Content-Type: text/html
>
> Content-Length: 186
>
> Expires: Wed, 16 May 2007 13:39:42 GMT
>
> Date: Wed, 16 May 2007 13:39:42 GMT
>
> Connection: close
>
>
>
> Thanks,
>
>
>
> Greg
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic See HOW Now with our 20/20
> program!
>
> http://www.cenzic.com/c/2020
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic
> See HOW Now with our 20/20 program!
>
> http://www.cenzic.com/c/2020
> ------------------------------------------------------------------------


--
Lee J Lawson
leejlawson () gmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------