WebApp Sec mailing list archives

Re: How can i protect against session hijacking?


From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Sat, 28 Mar 2009 20:00:16 -0400

If the IP address is stored in the cookie and used for authentication, it is as easy as getting it from the cookie with XSS.
From the attacker's perspective it can be a good target since, for example, some
web applications give users authorization privileges to the web server based upon the fact that the connection comes from certain IP addresses.

Remote IP spoofing at the network layer is more difficult but not impossible. It assumes an "internal" attacker can compromise a server remotely and install a TCP relay to intercept and monitor the traffic with tools like Jiri Rickter's MiTM, etc.

Marco
----- Original Message -----
From: "Robin Wood" <dninja () gmail com>
To: "Marco M. Morana" <marco.m.morana () gmail com>
Cc: "Tommy" <tommyrolworslin () fastmail fm>; <webappsec () securityfocus com>
Sent: Saturday, March 28, 2009 6:43 PM
Subject: Re: How can i protect against session hijacking?


2009/3/28 Marco M. Morana <marco.m.morana () gmail com>:
> 2) Using remote IP for validation. This is all cons. The IP address can be
> spoofed easily. Also, if you use this as a form of authentication, as machine
> tagging, you will be defeated by an attacker using a proxy in the middle to
> hide the source IP address. You should never rely on this form of
> authentication, except maybe for internal low-risk applications.

I can understand how with a MITM attack you can spoof your IP, but
remotely I wouldn't say that it was easy.

Having said this, I agree that relying on IP is a bad idea.

Robin
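To make the trade-offs argued over in this thread concrete, here is an added example (my own, not code from either poster): a minimal server-side session store that records the client IP at login and re-checks it on every request, run through the cases raised above. The user name, session store class, header handling and the RFC 5737 documentation addresses are all constructed for illustration and are assumptions, not anything from the original messages.

```python
import secrets

# Constructed sample addresses (RFC 5737 documentation ranges), not real hosts.
VICTIM_IP = "203.0.113.10"
ATTACKER_IP = "198.51.100.7"


class SessionStore:
    """In-memory session store that binds each session to the client IP.

    The IP is kept server side, keyed by session id; it is never placed in
    the cookie, so a stolen cookie does not hand the attacker the IP to edit.
    """

    def __init__(self, trust_forwarded_for=False):
        self.sessions = {}
        # Whether X-Forwarded-For is honoured when deciding the client IP.
        self.trust_forwarded_for = trust_forwarded_for

    def client_ip(self, remote_addr, headers):
        """Resolve the client IP for a request.

        If the app trusts X-Forwarded-For without a verified reverse proxy in
        front of it, whoever sends the request chooses the value.
        """
        if self.trust_forwarded_for and "X-Forwarded-For" in headers:
            return headers["X-Forwarded-For"].split(",")[0].strip()
        return remote_addr

    def login(self, user, remote_addr, headers=None):
        # A high-entropy session id is the real control; IP binding only adds to it.
        sid = secrets.token_urlsafe(32)
        ip = self.client_ip(remote_addr, headers or {})
        self.sessions[sid] = {"user": user, "ip": ip}
        return sid

    def authenticate(self, sid, remote_addr, headers=None):
        """Return the user if the session exists and the IP still matches, else None."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if sess["ip"] != self.client_ip(remote_addr, headers or {}):
            return None
        return sess["user"]


def scenarios():
    """Walk through the cases raised in the thread; returns a dict of outcomes."""
    results = {}

    store = SessionStore(trust_forwarded_for=False)
    sid = store.login("alice", VICTIM_IP)

    # 1. Attacker replays a stolen sid (e.g. exfiltrated via XSS) from his own host:
    #    the binding does its job and the request is rejected.
    results["replay_from_other_ip"] = store.authenticate(sid, ATTACKER_IP)

    # 2. Attacker relays through the victim's network (shared NAT/proxy, or a
    #    relay planted on a compromised host there): same source IP, accepted.
    results["replay_via_victim_network"] = store.authenticate(sid, VICTIM_IP)

    # 3. Legitimate user's address changes (mobile handover, DHCP renewal):
    #    the binding locks the real user out.
    results["legit_user_new_ip"] = store.authenticate(sid, "203.0.113.99")

    # 4. Same design, but the app trusts X-Forwarded-For: the attacker simply
    #    sets the header to the victim's address and is accepted.
    naive = SessionStore(trust_forwarded_for=True)
    sid2 = naive.login("alice", VICTIM_IP)
    results["replay_with_forged_xff"] = naive.authenticate(
        sid2, ATTACKER_IP, {"X-Forwarded-For": VICTIM_IP})

    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        verdict = f"accepted as {outcome}" if outcome else "rejected"
        print(f"{name:28s} -> {verdict}")
```

Cases 2 and 4 are the "proxy in the middle" and "relay" defeats the thread describes; case 3 is the usability cost that makes the check unsuitable as anything more than a low-risk extra signal, which is why the session id's entropy and the cookie's HttpOnly/Secure flags, not the IP, have to carry the security.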
