Penetration Testing mailing list archives

RE: Pen testing an off-site web server


From: "Graham, Randy (RAW) " <RAW () y12 doe gov>
Date: Tue, 22 May 2001 11:28:39 -0400

First thing you should do is check your contract with the hosting company.
Many hosts now expressly forbid such tests, or at the very least require you
to notify them in advance.  Furthermore, even though the host you are
testing is yours in an ethereal sense, the physical equipment belongs to the
hosting company and any testing you do can legitimately be construed as an
attack.  That puts you in a big old boiling pot of hot water if you don't
have permission in advance.  I've never been involved in such a test so I
don't actually know what will happen if you do it, but I would strongly
recommend you not initiate the pen-test without permission from the hosting
company (and get permission in writing from a person or two or three very
high up in the hosting organization).

Standard legal disclaimer - I am not a lawyer and the above is only my best
guess thinking on the situation.

Randy Graham
-- 
You're kind of trying to pick between "horrible disaster" and "atrocious
disaster"  -- Paul D. Robertson (on VNC vs. PPTP)

-----Original Message-----
From: Franklin DeMatto [mailto:franklin () qDefense com]
Sent: Sunday, May 20, 2001 4:42 PM
To: pen-test () securityfocus com
Subject: Pen testing an off-site web server


Anyone know how to handle the legal/bureaucratic aspects of 
pen-testing a web server which is not in-house, but property 
of a hosting company?

The hosting company may not take lightly to suggestions that 
it may be vulnerable, and may be afraid of damage caused by a 
test.  Worse, if the server is not dedicated, but rather uses 
virtual hosts, other clients could be affected by the testing.

Any real-world advice, forms, paperwork, or legal info. would 
be appreciated.

Franklin DeMatto
franklin () qDefense com
qDefense - DEFENDING THE ELECTRONIC FRONTIER