WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How to create (hijacking) secure HTTP sessions?

From: stefano <stefano.dipaola () wisec it>
Date: Mon, 05 Jun 2006 12:12:06 +0200

I think remote address check is an additional check that can raise the
bar a little bit more.
But as Robin and Ivan said it has some usability drawbacks..

Moreover from a security point of view, I would just don't rely too much
on this, as there are many untrustable scenarios like having user's
public ip, shared with other non "trustable" people.. 
Think about WANs or (public) hot spots with wireless AP..

Regards, 
Stefano


On lun, 2006-06-05 at 02:13 +0200, ascii wrote:

Robin Wood wrote:

What happens if your users are using proxies which change over the
period of the session, such as AOL. This approach would stop them from
using your system.


i think the answer is in the message you replied : )


On 6/3/06, ascii <ascii_katamail.com> wrote:

this should play better on https then on http because commonly ssl
connections are direct (while some isp split the http traffic over
different proxy servers and several public ips)


does AOL proxy https traffic? normally your browser open an ssl
connection directly with the server

the other option is to use a proxy with the CONNECT request method
enabled to tunnel the ssl channel (but the proxy cannot cache the
traffic, so no cache acceleration)

if this happen and the proxy change then a solution is to exclude the
ip class from the ip check

naturally you have to see the context, if your webbapp doesn't apply for
a particular check don't do that particular check

Regards, Francesco 'ascii' Ongaro - http://www.ush.it/


....oOOo....oOOo....
Stefano Di Paola
Software Engineer
Mail: stefano.dipaola!wisec.it
Web: www.wisec.it
....................


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive and consolidated
remediation task lists at every level of the application. See for
yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: