Identifying Load Balancers in Penetration Testing

Published: 09 Mar, 2010
Created by Curt Shaffer

Penetration tests become problematic when load balancers are present. The general goal of every penetration test is to provide accurate information to the company requesting the test, which means the tester needs to be as thorough as possible. Thoroughness helps give the company the most realistic insight into how its existing vulnerabilities increase the risk to its most valuable assets. Web applications and the web servers that serve them increasingly require high availability, which has increased the use of load balancers. This can cause an issue for penetration testers. When a load balancer sits in front of an in-scope asset, it is possible that only one of the systems behind it responds to the test queries. The results would then be misleading, because only one system would actually have been tested. Another possible issue is that a different server may respond on each run of a different tool. That could cause inconsistent test results if the patch levels or configurations differ between systems. This paper addresses four questions: 1) Why is this an issue for the penetration tester? 2) How can you tell if you may be hitting a load balancer in your penetration tests? 3) Is there anything that can be done about it? 4) What tools can be used to assist in this search?