Penetration Testing mailing list archives
RE: Pen testing a off-site web server
From: "Graham, Randy (RAW) " <RAW () y12 doe gov>
Date: Tue, 22 May 2001 11:28:39 -0400
First thing you should do is check your contract with the hosting company. Many hosts now expressly forbid such tests, or at the very least require you to notify them in advance. Furthermore, even though the host you are testing is yours in an ethereal sense, the physical equipment belongs to the hosting company and any testing you do can legitimately be construed as an attack. That puts you in a big old boiling pot of hot water if you don't have permission in advance.

I've never been involved in such a test so I don't actually know what will happen if you do it, but I would strongly recommend you not initiate the pen-test without permission from the hosting company (and get permission in writing from a person or two or three very high up in the hosting organization).

Standard legal disclaimer - I am not a lawyer and the above is only my best guess thinking on the situation.

Randy Graham
--
You're kind of trying to pick between "horrible disaster" and "atrocious disaster" -- Paul D. Robertson (on VNC vs. PPTP)
-----Original Message-----
From: Franklin DeMatto [mailto:franklin () qDefense com]
Sent: Sunday, May 20, 2001 4:42 PM
To: pen-test () securityfocus com
Subject: Pen testing a off-site web server

Anyone know how to handle the legal/bureaucratic aspects of pen-testing a web server which is not in-house, but property of a hosting company?? The hosting company may not take lightly to suggestions that it may be vulnerable, and may be afraid of damage caused by a test. Worse, if the server is not dedicated, but rather uses virtual hosts, other clients could be affected by the testing.

Any real-world advice, forms, paperwork, or legal info. would be appreciated.

Franklin DeMatto
franklin () qDefense com
qDefense - DEFENDING THE ELECTRONIC FRONTIER