
Domain-based virtual hosting, a.k.a. virtual web hosting, a.k.a. shared web hosting, a.k.a. virtual hosting, a.k.a. virtual IP

In name-based virtual web hosting, a single machine with a single IP address serves multiple hostnames. When a web browser requests a resource from a web server using HTTP, it includes the requested hostname as part of the request. The server uses this information to determine which website to show the user.

Two websites sharing the same IP address can have completely different content and different vulnerabilities. netVigilance will be unable to web-scan a particular name-based virtual host without the correct virtual hostname.
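The following added example (not netVigilance code) runs a small name-based virtual host server on 127.0.0.1 and shows which site answers when a request names only the IP address versus a supplied hostname in the HTTP Host header. The hostnames and page bodies are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sites (hypothetical names): hostname -> page body.
SITES = {
    "shop.example.test": b"shop: checkout form v1",
    "blog.example.test": b"blog: legacy CMS",
}
DEFAULT_SITE = b"default placeholder page"

class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Name-based dispatch: the Host header, not the IP, selects the site.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = SITES.get(host, DEFAULT_SITE)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet

def fetch(ip, port, hostname):
    """GET / from ip:port, naming `hostname` in the Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        return conn.getresponse().read()
    finally:
        conn.close()

def scan_coverage(supplied_hostnames):
    """Start the demo server; return {name requested: body served}."""
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    ip, port = server.server_address
    try:
        names = [ip] + list(supplied_hostnames)
        return {name: fetch(ip, port, name) for name in names}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for name, body in scan_coverage(["shop.example.test"]).items():
        print(f"{name:20} -> {body.decode()}")
```

With only one hostname supplied, the second site on the same IP address is never requested, so its content is never examined.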

Virtual hostnames for web servers sharing the same IP address CANNOT be accurately determined remotely; it is the customer's responsibility to submit ALL virtual hostnames.

From PCI Standard Requirement PCI Scanning Procedures v1_1 page 4 section 3 (under heading "Scanning Procedures") (and also Technical and Operational Requirements for Approved Scanning Vendors Section 2 Page 5):

Prior to scanning the web site and IT infrastructure, merchants and service providers must:

• Provide the ASV with a list of all domains that should be scanned if domain-based virtual hosting is used

Not supplying the correct virtual hostnames will cause the merchant to be "NON-COMPLIANT", requiring a rescan at the owner's cost and risk.


Copyright © 2004-2009, netVigilance, Inc. All rights reserved