nanog mailing list archives
Re: Question re session hijacking in dual stack environments w/MacOS
From: Laszlo Hanyecz <laszlo () heliacal net>
Date: Tue, 29 Sep 2015 00:41:23 +0000
On 2015-09-27 12:24, John Schimmel wrote:
> Most Web application firewalls have cross-site request forgery protection. When a form is downloaded, the firewall inserts a hidden field or cookie that contains the IP address of the request. When the form is submitted, the firewall then verifies that the post is sent from the same address.
This reminds me of ICMP blocking which breaks path MTU discovery and thus blocks all users with < 1500 MTU.
The technique described here doesn't sound like it would protect from XSS or CSRF; it would just introduce seemingly random failures like the OP described. The idea with trying to tie the apparent network address to a session is to make session hijacking harder, not local scripting attacks (which could come from the same address anyway), but it's a bad idea regardless because there is not normally a reason for a session to be 'sticky' in this way and so there's no effort made to keep the same address, it just happens by accident sometimes. Making this work so the WAF can be happy is in conflict with actually useful things like load balancing, cache proxies, privacy addresses, etc. It probably works some percentage of the time for some users, and those who it doesn't work for just get blamed for having a bad browser/computer/ISP/whatever. I hope that as the failure rate increases, people using these solutions eventually realize that they're blocking themselves off from the net.
-Laszlo
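As an added illustration (not code from this thread or from any WAF product), the following Python models the IP-bound hidden field John describes beside a session-bound HMAC token, and runs both over the two constructed cases the thread discusses: a dual-stack user whose address changes between fetching and submitting the form, and a cross-site forged request issued from the victim's own browser. The key, addresses and session id are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; a real deployment would load it from config.
SECRET = secrets.token_bytes(32)


def ip_bound_field(client_ip: str) -> str:
    """Hidden field as described in the thread: the address the form was served to."""
    return client_ip


def verify_ip_bound(field: str, submit_ip: str) -> bool:
    """The WAF check: the submitting address must equal the address in the field."""
    return field == submit_ip


def session_bound_token(session_id: str) -> str:
    """Synchronizer-style token: an HMAC over the session id, independent of address."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_session_bound(token: str, session_id: str) -> bool:
    return hmac.compare_digest(token, session_bound_token(session_id))


def dual_stack_user(form_ip: str, submit_ip: str, session_id: str) -> dict:
    """Legitimate user: form fetched from one address (e.g. IPv4 behind NAT),
    submitted from another (e.g. an IPv6 privacy address), same session cookie."""
    field = ip_bound_field(form_ip)
    token = session_bound_token(session_id)
    return {
        "ip_bound": verify_ip_bound(field, submit_ip),
        "session_bound": verify_session_bound(token, session_id),
    }


def forged_cross_site_request(victim_ip: str, session_id: str) -> dict:
    """CSRF: the browser attaches the victim's cookie and the request leaves from
    the victim's own address, which the attacking page already observed when it
    was loaded. The session-bound token is not readable cross-origin, so the
    page can only guess it."""
    guessed_token = "0" * 64
    return {
        "ip_bound": verify_ip_bound(ip_bound_field(victim_ip), victim_ip),
        "session_bound": verify_session_bound(guessed_token, session_id),
    }


if __name__ == "__main__":
    # Constructed addresses and session id.
    print(dual_stack_user("198.51.100.7", "2001:db8::a1b2:c3d4", "sess-42"))
    print(forged_cross_site_request("198.51.100.7", "sess-42"))
```

The address-bound check fails the legitimate dual-stack user and passes the forged request, while the session-bound token does the reverse; the session-bound token alone still passes a request made with a stolen session cookie, which is the separate hijacking problem the thread subject refers to.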