Penetration Testing mailing list archives
Re: Pen testing a off-site web server
From: "Meritt James" <meritt_james () bah com>
Date: Tue, 22 May 2001 11:10:48 -0400
You should get the OK from the hosting company - in writing - before you begin. You might not be able to legally continue in the first place. While the SERVICE is out-sourced, the non-resident company owns the hardware, as well as the routers leading to it and you may NOT be allowed to scan that (which actions may be deemed an intrusion by the hosting company).

What is in the contract you have with them (the hosted company with the hosting company) that may cover this contingency?

V/R

Jim

Franklin DeMatto wrote:

> Anyone know how to handle the legal/bureaucratic aspects of pen-testing a web server which is not in-house, but property of a hosting company?? The hosting company may not take lightly to suggestions that it may be vulnerable, and may be afraid of damage caused by a test. Worse, if the server is not dedicated, but rather uses virtual hosts, other clients could be affected by the testing.
>
> Any real-world advice, forms, paperwork, or legal info. would be appreciated.
>
> Franklin DeMatto
> franklin () qDefense com
> qDefense - DEFENDING THE ELECTRONIC FRONTIER

--
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566