Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Pentesting a Web Applicaton behind Akamai Technology
From: "Lee Lawson" <leejlawson () gmail com>
Date: Thu, 17 May 2007 08:33:11 +0100

yes, you will have to explain to the client that the systems they have
pointed you at are not within their responsibility.  This means that
the agreement (which I assume you have) with the client is useless,
and therefore the penetration testing of those systems is illegal
punishable by a minimum of 10 years in jail (depending on which part
of the legislation you get caught on!).

When I arrange pen testing, I have a form that the client fills in and
signs, this includes all the relevant information (points of contact,
target systems etc).  If they have any hosted systems, such as your
scenario, I instruct the client to inform the hosting party and get
their authorisation.  The hosting party sign the agreement too.




On 5/16/07, peter.schaub () thomson com <peter.schaub () thomson com> wrote:
Hi Greg,
You should ask the clients for the 'origin' Ips (or DNS names) that
correlate to the app you are testing.
Or....
Try looking up 'origin-sitename.com' or 'origin.sitename.com' somehting
along those lines if the client will not provide you the direct Ips or
DNS names of the app.

The origin IP address that the Akamai 'edge' servers (which you are
currently seeing) connect back to get updated content from the client.
Akamai is used as a content caching system (among many many other
things), so their servers will take a bulk of the incoming requests,
hold the data on their edge servers, serve the content when requested,
and then will go back and hit the clients origin server, once the time
to live on a specific object expires, to get new data.

Hope this helps a bit.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of grd () netexpert ch
Sent: Wednesday, May 16, 2007 9:42 AM
To: pen-test () securityfocus com
Subject: Pentesting a Web Applicaton behind Akamai Technology

Hi everybody,



I'm doing a Pentest on a Web Application for a client. The only
information I have is the DNS name of the website. After doing the basic
steps of footprint and enumeration, I found out that the IP adress of
the website is not in the IP range of the client and is owned by Akamai
Technology. It means that if I'm going on with the furter steps of
pentesting, I'll pentest Akamai and not the "real" website of the
client.



Is there a way to find the "real" IP address of the website ?



Has everyone faced this kind of configuration ?



For information, this is the header of the website when attempting a
page that doesn't exist :



HTTP/1.0 400 Bad Request

Server: AkamaiGHost

Mime-Version: 1.0

Content-Type: text/html

Content-Length: 186

Expires: Wed, 16 May 2007 13:39:42 GMT

Date: Wed, 16 May 2007 13:39:42 GMT

Connection: close



Thanks,



Greg

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic See HOW Now with our 20/20
program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------




--
Lee J Lawson
leejlawson () gmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]