Penetration Testing mailing list archives
Session & IP Spoofing
From: "pire pire" <pirepire69 () romandie com>
Date: Tue, 2 Dec 2003 23:01:33 +0100
Hi, I've found a vulnerability in a Web App which gave me via an XSS the sessionID token. I would like to replay this token. But the session ID manager (on the server) seems to look also to IP adresses. So my question is: Is there a way to spoof my ip address in order to replay the sessionID?? Like: http://www.tutu.com/toto.php?sessionid=32443243 and some how spoof of my IP?! If I replay the sessionid from my machine or an other machine behind my NAT (same outside IP) it works!! Thanks a lot for your help _______________________________________________ La messagerie gratuite des romands : 10 MO !!! Profitez-en ! >>> http://www.romandie.com --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Session & IP Spoofing pire pire (Dec 03)
- Re: Session & IP Spoofing Stephen de Vries (Dec 03)
- <Possible follow-ups>
- RE: Session & IP Spoofing Micheal Thompson (Dec 03)
- RE: Session & IP Spoofing Scovetta, Michael V (Dec 03)
- RE: RE: Session & IP Spoofing pire pire (Dec 04)
- Re: RE: Session & IP Spoofing Nexus (Dec 04)
- Re: RE: Session & IP Spoofing Frank Knobbe (Dec 06)
- RE: RE: Session & IP Spoofing Rob Shein (Dec 06)
- Re: RE: Session & IP Spoofing Nexus (Dec 04)
- RE: RE: Session & IP Spoofing MARTIN M. Bénoni (Dec 04)
- RE: RE: Session & IP Spoofing Micheal Thompson (Dec 06)
- RE: RE: Session & IP Spoofing Scovetta, Michael V (Dec 06)