Penetration Testing: Re: Pen testing a off-site web server

From: Meritt James <meritt_james_at_bah.com>
Date: Tue, 22 May 2001 11:10:48 -0400

You should get the OK from the hosting company - in writing - before you
begin. You might not be able to legally continue in the first place.
While the SERVICE is out-sourced, the non-resident company owns the
hardware, as well as the routers leading to it and you may NOT be
allowed to scan that (which actions may be deemed an intrusion by the
hosting company).

What is in the contract you have with them (the hosted company with the
hosting company) that may cover this contingency?

V/R

Jim

Franklin DeMatto wrote:
>
> Anyone know how to handle the legal/bureaucratic aspects of pen-testing a web server which is not in-house, but property of a hosting company??
>
> The hosting company may not take lightly to suggestions that it may be vulnerable, and may be afraid of damage caused by a test. Worse, if the server is not dedicated, but rather uses virtual hosts, other clients could be affected by the testing.
>
> Any real-world advice, forms, paperwork, or legal info. would be appreciated.
>
> Franklin DeMatto
> franklin_at_qDefense.com
> qDefense - DEFENDING THE ELECTRONIC FRONTIER

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566
Received on May 22 2001