WebApp Sec mailing list archives
Re: How can i protect against session hijacking?
From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Sat, 28 Mar 2009 20:00:16 -0400
If the IP address is stored in the cookie and used for authentication, it is as easy as getting it from the cookie with XSS.
From the attacker's perspective it can be a good target since, for example, some web applications give users authorization privileges to the web server based upon the fact that the connection comes from certain IP addresses.
Remote IP spoofing at the network layer is more difficult but not impossible. It assumes an "internal" attacker can compromise a server remotely and install a TCP relay to intercept and monitor the traffic with tools like Jiri Rickter's MiTM, etc.
Marco

----- Original Message -----
From: "Robin Wood" <dninja () gmail com>
To: "Marco M. Morana" <marco.m.morana () gmail com>
Cc: "Tommy" <tommyrolworslin () fastmail fm>; <webappsec () securityfocus com>
Sent: Saturday, March 28, 2009 6:43 PM
Subject: Re: How can i protect against session hijacking?

2009/3/28 Marco M. Morana <marco.m.morana () gmail com>:
> 2) Using remote IP for validation. This is all cons. IP address can be spoofed easily. Also if you use this as a form of authentication as machine tagging you will be defeated by an attacker using a proxy in the middle to hide the source IP address. You should never rely on this form of authentication, except maybe for internal low risk applications

I can understand how with a mitm attack you can spoof your IP but remotely I wouldn't say that it was easy. Having said this, I agree that relying on IP is a bad idea.

Robin
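As an added illustration (not code from the thread or from any of its participants), the following contrasts the two patterns discussed above: a check that trusts an IP value carried in the cookie, and a server-side check that compares the request address with the one recorded at login, kept as defence in depth rather than as authentication. The in-memory store, the cookie parser and the IP addresses are constructed for the example.

```python
import secrets
import time

# Constructed in-memory session store; a deployment would use a server-side
# store such as a database or cache. The login IP lives only here, never in
# the cookie, so a script reading document.cookie cannot learn or alter it.
SESSIONS = {}

def parse_cookie(header):
    """Parse a 'k=v; k2=v2' request Cookie header into a dict (minimal parser)."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def login(user, client_ip, ttl=900):
    """Issue a session id and return it with the Set-Cookie header to send."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ip": client_ip, "exp": time.time() + ttl}
    # HttpOnly keeps the id out of document.cookie (what an XSS payload reads);
    # Secure keeps it off plaintext HTTP; SameSite limits cross-site sending.
    return sid, f"sid={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"

def weak_check(cookie, client_ip):
    """The pattern the thread warns about: the IP is stored in the cookie.
    Whoever holds the cookie can rewrite that field, so the comparison only
    ever tests a value the client chose; it adds nothing to the session id."""
    c = parse_cookie(cookie)
    rec = SESSIONS.get(c.get("sid"))
    return rec["user"] if rec and c.get("ip") == client_ip else None

def server_side_check(cookie, client_ip, now=None):
    """Compare the request IP with the IP recorded server-side at login.
    Defence in depth only: a replayed id from another address is rejected
    and the session is revoked, but a user whose address legitimately
    changes (mobile network, rotating proxy) is also sent back to log in."""
    sid = parse_cookie(cookie).get("sid")
    rec = SESSIONS.get(sid)
    if rec is None or (now if now is not None else time.time()) > rec["exp"]:
        SESSIONS.pop(sid, None)
        return None
    if rec["ip"] != client_ip:
        SESSIONS.pop(sid, None)   # revoke and force re-authentication
        return None
    return rec["user"]
```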