Security Basics mailing list archives

IP Spoofing??


From: "pire pire" <pirepire69 () romandie com>
Date: Tue, 2 Dec 2003 23:02:07 +0100

Hi,

I've found a vulnerability in a Web App which 
gave me via an XSS the sessionID token.

I would like to replay this token. But the 
session ID manager (on the server) also seems to 
look at IP addresses. 

So my question is: Is there a way to spoof my ip 
address in order to replay the sessionID??

Like: 
http://www.tutu.com/toto.php?sessionid=32443243  
and somehow spoof my IP?!

If I replay the sessionid from my machine or 
another machine behind my NAT (same outside IP) it 
works!! 

Thanks a lot for your help
