WebApp Sec mailing list archives
Re: How to create (hijacking) secure HTTP sessions?
From: ascii <ascii () katamail com>
Date: Tue, 06 Jun 2006 01:12:14 +0200
Rogan Dawes wrote:
Here's a slightly different question, but along the same lines. What happens if your users are all behind a particular proxy/firewall? e.g. a hosted application provider servicing a large corporate?
Naturally you are right, but in this case you only have less security (the standard security) and the webapp will continue to work (e.g. you don't have to whitelist people from the check, as for AOL users on HTTP).
Recording the IP would add no value, since they might all be coming from the same external address. One might wish to consider the "X-Forwarded-For" (or whatever) header in that case, to get the actual internal IP address, but of course, it cannot be trusted, since it is a header and can be forged like any other.
Also consider that on the majority of Ethernet networks the IP address is less trustworthy (spoofing using ARP etc.) than on the Internet. X-Forwarded-For could be a low-cost solution, just like using Java or JavaScript to get some variable directly from the client, but they are as tamperable as headers (think about anti click-fraud checks; many of them make large use of JavaScript). If people are behind NAT/masquerading you have no additional headers and you have to "rely" on Java to get an equivalent of X-Forwarded-For: http://stud1.tuwien.ac.at/~e9125168/javas/jhostip.html (I can't verify because I have no Java VM installed :>)

<script language="javascript">
// LiveConnect: the page script calls into the browser's Java plugin,
// so this only runs where a Java VM is installed and exposed to JavaScript.
// getLocalHost() returns the client's own (possibly private) address,
// not the address the web server sees.
yourAddress = java.net.InetAddress.getLocalHost();
yhost = yourAddress.getHostName();
yip = yourAddress.getHostAddress();
alert("Your host name is " + yhost);
alert("Your IP address is " + yip);
</script>

This should work perfectly in some cases (ADSL modem + CONNECT proxy) and fail in others (user is in a LAN, most are 192.168.0.X, you have few IPs to try). To almost completely solve this (but applicable only in a few cases) you could force users to install the OpenVPN client and make them connect to a private web server; then you have a perfect correlation between user and IP address. Anyway, as Stefano said, IP checks are not the crucial point; I think that strict-mode sessions and SSL are the two must-haves.

Regards,
Francesco 'ascii' Ongaro - http://www.ush.it/
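A server-side way to apply the two points made in this thread (honour X-Forwarded-For only when the TCP peer is one of your own reverse proxies, and relax rather than drop the IP check for users behind a known shared egress such as a large corporate proxy), as an added example that is not part of the original post. The proxy and egress networks are assumed values.

```python
import ipaddress

# Assumed: address ranges of our own reverse proxies (the only hops whose
# X-Forwarded-For we trust) and of a large shared egress (corporate proxy
# farm / ISP) whose users may legitimately change IP within the range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
SHARED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, xff_header):
    """Address to bind the session to.

    X-Forwarded-For is used only when the TCP peer is one of our proxies.
    Even then we take the rightmost hop that is not one of our proxies:
    anything further left was supplied by the client and may be forged.
    """
    peer = ipaddress.ip_address(peer_ip)
    if xff_header and _in_any(peer, TRUSTED_PROXIES):
        for hop in reversed([h.strip() for h in xff_header.split(",")]):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                break  # garbage hop: stop walking, fall back to the peer
            if not _in_any(addr, TRUSTED_PROXIES):
                return addr
    return peer


def session_ip_matches(bound_ip, peer_ip, xff_header=None):
    """Compare the IP recorded at login with the current effective IP.

    Exact match is required, except that users behind a known shared
    egress only need to stay inside that egress range (the whitelist
    relaxation the thread mentions for AOL-style proxy users).
    """
    bound = ipaddress.ip_address(bound_ip)
    current = effective_client_ip(peer_ip, xff_header)
    if current == bound:
        return True
    return any(bound in net and current in net for net in SHARED_EGRESS)
```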