Re: defense against session hijacking

[Damian Gerow <damian () sentex net>]

Thus spake David Maynor (dave () 0dayspray com) [17/11/03 17:30]:
> This would break things like NATed machines and such.

Could you explain how, please?

If machine A gets NATed to firewall B, and webserver C gets the session...
It's going to record the address of firewall B, not machine A.  I fail to
see how using the connection source's IP address would break NAT.*  And I
don't know what you mean by 'and such'.

Not that I think basing your entire session security on the IP address is a
good idea -- proxies and such.  Using it as *part* of your session security
(onions, people, onions) might work, depending on how a networks
round-robin'ed proxies are set up, if the session really *is* needed to be
carried cross-machine (I've done it before), or any other reason I haven't
thought of yet.

FWIW, (and I know how hated they are), SecurityFocus has a mailing list
specifically for web application security -- webappsec () securityfocus com, I
believe.

  - Damian

* = The only thing I could think of is session hijacking, if the source IP
is your only method of session security, by other machines behind the same
NATing gateway.  This is possible.  Again, onions.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html