Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Yonatan Bokovza <Yonatan () XPERT COM>
Date: Wed, 27 Dec 2000 20:58:44 +0200

-----Original Message-----
From: van der Kooij, Hugo [mailto:Hugo.van.der.Kooij () CAIW NL]
Sent: Wednesday, December 27, 2000 3:12 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] HTTP Secure Session State Management


On Tue, 26 Dec 2000, Thomas Reinke wrote:

Philip Stoev wrote:


Something like an MD5 hash is pretty good for this.  Perhaps
a hash of the user's first and last name, address and
the record ID.

The IP address must always be a part of the session ID, and must be
checked.

No...that won't work. There are numerous users (few compared to the
whole, but enough that it needs to be covered) that sit behind
round-robining proxy/NAT devices. This means the same user that in one
second comes in as one IP address will come on the request as a second
IP address. You could of course restrict the IP check to the same
class C (until you find someone that has the proxy across multiple
class C's...)

If this would happen I would consider that proxy to be broken. The
client IP address is a definite requirement to verify.

I beg to differ. Quoting from http://www.ietf.org/rfc/rfc2663.txt
NAT terminology RFC1631:
"Not all applications lend themselves easily to translation by NAT
devices; especially those that include IP addresses and TCP/UDP ports
in the payload."

Make that: "IP Address isn't a definite requirement to verify."
Maybe you should learn more about Dynamic NAT.

Best Regards,

Yonatan Bokovza
IT Security Consultant
yonatan () xpert com
Xpert Trusted Systems
PGP Fingerprint:
1A96 EE70 11BB 5241 BE42  0831 6819 BAAF B9AD EDDF
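As an added example (not code from the thread or from any of its participants), a small Python session store that issues unpredictable tokens and lets the IP check be switched between none, exact address and same /24, so the round-robin NAT case argued above can be replayed; the `ip_policy` knob, the `accepted_requests` helper and the 203.0.113.x / 198.51.100.x addresses are constructed for this example.

```python
import hashlib
import ipaddress
import secrets


def legacy_session_id(first, last, address, record_id):
    """The MD5-of-user-data scheme proposed in the thread. It is deterministic:
    the same inputs always give the same ID, so the ID is only as secret as
    the user's name and address."""
    return hashlib.md5(f"{first}|{last}|{address}|{record_id}".encode()).hexdigest()


class SessionStore:
    """Server-side session table keyed by an unpredictable random token.

    ip_policy is a hypothetical knob for this example, not a real API:
      "none"   - the token alone authenticates the session
      "strict" - the token must arrive from the exact IP it was issued to
      "subnet" - the same /24 is enough (the 'class C' compromise in the thread)
    """

    def __init__(self, ip_policy="none"):
        self.ip_policy = ip_policy
        self.sessions = {}

    def create(self, user_id, client_ip):
        token = secrets.token_urlsafe(32)  # CSPRNG output, not derived from user data
        self.sessions[token] = {"user": user_id, "ip": ipaddress.ip_address(client_ip)}
        return token

    def validate(self, token, client_ip):
        rec = self.sessions.get(token)
        if rec is None:
            return False
        ip = ipaddress.ip_address(client_ip)
        if self.ip_policy == "strict":
            return ip == rec["ip"]
        if self.ip_policy == "subnet":
            return ip in ipaddress.ip_network(f"{rec['ip']}/24", strict=False)
        return True


def accepted_requests(ip_policy, nat_pool):
    """Issue a session from the first address in nat_pool, then replay one
    request from each address (a round-robin NAT as described in the thread);
    return how many requests the policy accepts."""
    store = SessionStore(ip_policy)
    token = store.create("alice", nat_pool[0])
    return sum(store.validate(token, ip) for ip in nat_pool)
```

With a NAT pool inside one /24, "strict" accepts only the first request while "subnet" accepts all of them; once the pool spans two /24s, "subnet" fails the legitimate user too.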
