WebApp Sec mailing list archives

Re: How to create (hijacking) secure HTTP sessions?


From: ascii <ascii () katamail com>
Date: Tue, 06 Jun 2006 01:12:14 +0200

Rogan Dawes wrote:
> Here's a slightly different question, but along the same lines.
> What happens if your users are all behind a particular proxy/firewall?
> e.g. a hosted application provider servicing a large corporate?

naturally you are right, but in this case you only have less security
(the standard security) and the webapp will continue to work (eg: you
don't have to whitelist people from the check as for AOL users on http)

> Recording the IP would add no value, since they might all be coming from
> the same external address. One might wish to consider the
> "X-Forwarded-For" (or whatever) header in that case, to get the actual
> internal IP address, but of course, it cannot be trusted, since it is a
> header and can be forged like any other.

also consider that on the majority of ethernet networks the ip address
is less trustworthy (spoofing using arp etc) than on the internet

x-forwarded-for could be a low-cost solution, just like using java or
javascript to get some var directly from the client, but they are as
tamperable as headers (think about anti click fraud checks, many of them
make a large use of javascript)

if people are behind NAT/masquerading you have no additional headers
and you have to "rely" on java to get an equivalent of x-forwarded-for

http://stud1.tuwien.ac.at/~e9125168/javas/jhostip.html
(i can't verify because i have no java vm installed :>)

<script language="javascript">
// Relies on the browser's Java plugin exposing java.net to page scripts
// (the Netscape-era LiveConnect bridge); without it the "java" object is undefined.
yourAddress=java.net.InetAddress.getLocalHost();
yourAddress2=java.net.InetAddress.getLocalHost(); // same lookup as above, kept as posted
yhost=yourAddress.getHostName();        // host name as the client's own JVM resolves it
yip=yourAddress2.getHostAddress();      // the client's local (possibly private) address
alert("Your host name is "+yhost);
alert("Your IP address is "+yip);
</script>

this should work perfectly in some cases (adsl modem + CONNECT proxy)
and fail in others (the user is in a lan, most are 192.168.0.X, you have
few ips to try)

to almost completely solve this (but applicable only in a few cases) you
could force users to install the openvpn client and make them connect to
a private web server, then you have a perfect correlation between user
and ip address

anyway as stefano said ip checks are not the crucial point, i think that
strict mode sessions and ssl are the two must-haves

Regards, Francesco 'ascii' Ongaro - http://www.ush.it/
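The two points the thread keeps returning to, that X-Forwarded-For is just a header unless it comes from a proxy you control, and that "strict mode" sessions only accept identifiers the server itself issued, can be shown in a few lines of server-side logic. The block below is an added example written for this archive page; it is not code from the poster or from any project in the thread. The trusted-proxy address, the client addresses and the user name are constructed values, and `effective_client_ip`, `StrictSessionStore` and `demo` are hypothetical names chosen for the illustration.

```python
"""Session binding example: honour X-Forwarded-For only from a trusted proxy,
and accept only server-issued session ids (strict mode)."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed configuration: the one reverse proxy that fronts the webapp.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def effective_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address a session should be bound to.

    remote_addr is the TCP peer address (forging it would break the handshake);
    xff is the raw X-Forwarded-For header, if present.  The header is used only
    when the peer is a trusted proxy, and then only the right-most hop, which is
    the one that proxy appended.  Anything further left was supplied by the
    client or by upstream parties we do not control, so it is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except (IndexError, ValueError):
        # Malformed header even from our own proxy: fall back to the peer.
        return remote_addr


@dataclass
class Session:
    user: str
    bound_ip: str


class StrictSessionStore:
    """Strict mode: the store never creates a session for an id it did not mint,
    so a client cannot pick (fixate) its own identifier."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, bound_ip: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session(user, bound_ip)
        return sid

    def lookup(self, sid: Optional[str], remote_addr: str,
               xff: Optional[str]) -> Optional[Session]:
        if not sid:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None  # unknown or client-chosen id: refused, never auto-created
        if session.bound_ip != effective_client_ip(remote_addr, xff):
            return None  # presented from another address: treat as a hijack attempt
        return session


def demo() -> Dict[str, bool]:
    """Walk through the cases discussed in the thread; every value should be True."""
    store = StrictSessionStore()
    # Login arrives via the trusted proxy, which appended the client's address.
    sid = store.issue("alice", effective_client_ip("10.0.0.2", "203.0.113.7"))
    return {
        # Same client, same path: accepted.
        "same_client_ok": store.lookup(sid, "10.0.0.2", "203.0.113.7") is not None,
        # Client prepends its own XFF entry; the proxy's right-most hop still wins.
        "client_xff_ignored": store.lookup(sid, "10.0.0.2", "192.0.2.1, 203.0.113.7") is not None,
        # Direct connection from elsewhere carrying a forged XFF: header ignored,
        # bound address does not match, so the stolen id is useless from there.
        "forged_xff_rejected": store.lookup(sid, "198.51.100.9", "203.0.113.7") is None,
        # An id the server never issued is not turned into a session.
        "fixation_rejected": store.lookup("attacker-chosen-id", "10.0.0.2", "203.0.113.7") is None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'FAIL'}")
```

Binding to the proxy-derived address still gives only the "standard security" the reply describes once many users share one external address, which is why the strict-id check and TLS carry the real weight; the address check is a cheap extra signal, not the control.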

