Penetration Testing mailing list archives
Re: Session & IP Spoofing
From: "Stephen de Vries" <stephen () twisteddelight org>
Date: Fri, 5 Dec 2003 09:09:40 -0500 (EST)
I don't think you need to be able to spoof your IP to prove the security risk. As you've already proved the attack works if you're using the same source IP address (from the applications point of view) as the victim. There are quite a few ISPs and companies that use proxies or NAT that give many users the same IP address. Admittedly, the scope of the attack is narrow (e.g. work colleagues attacking each other) but it's still a valid attack. Stephen
Hi, I've found a vulnerability in a Web App which gave me via an XSS the sessionID token. I would like to replay this token. But the session ID manager (on the server) seems to look also to IP adresses. So my question is: Is there a way to spoof my ip address in order to replay the sessionID?? Like: http://www.tutu.com/toto.php?sessionid=32443243 and some how spoof of my IP?! If I replay the sessionid from my machine or an other machine behind my NAT (same outside IP) it works!! Thanks a lot for your help _______________________________________________ La messagerie gratuite des romands : 10 MO !!! Profitez-en ! >>> http://www.romandie.com --------------------------------------------------------------------------- ----------------------------------------------------------------------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Session & IP Spoofing pire pire (Dec 03)
- Re: Session & IP Spoofing Stephen de Vries (Dec 03)
- <Possible follow-ups>
- RE: Session & IP Spoofing Micheal Thompson (Dec 03)
- RE: Session & IP Spoofing Scovetta, Michael V (Dec 03)
- RE: RE: Session & IP Spoofing pire pire (Dec 04)
- Re: RE: Session & IP Spoofing Nexus (Dec 04)
- Re: RE: Session & IP Spoofing Frank Knobbe (Dec 06)
- RE: RE: Session & IP Spoofing Rob Shein (Dec 06)
- Re: RE: Session & IP Spoofing Nexus (Dec 04)
- RE: RE: Session & IP Spoofing MARTIN M. Bénoni (Dec 04)
- RE: RE: Session & IP Spoofing Micheal Thompson (Dec 06)
- RE: RE: Session & IP Spoofing Scovetta, Michael V (Dec 06)