Full Disclosure mailing list archives
Re: defense against session hijacking
From: Damian Gerow <damian () sentex net>
Date: Mon, 17 Nov 2003 17:44:24 -0500
Thus spake David Maynor (dave () 0dayspray com) [17/11/03 17:30]:
This would break things like NATed machines and such.
Could you explain how, please? If machine A gets NATed to firewall B, and webserver C gets the session... It's going to record the address of firewall B, not machine A. I fail to see how using the connection source's IP address would break NAT.* And I don't know what you mean by 'and such'. Not that I think basing your entire session security on the IP address is a good idea -- proxies and such. Using it as *part* of your session security (onions, people, onions) might work, depending on how a networks round-robin'ed proxies are set up, if the session really *is* needed to be carried cross-machine (I've done it before), or any other reason I haven't thought of yet. FWIW, (and I know how hated they are), SecurityFocus has a mailing list specifically for web application security -- webappsec () securityfocus com, I believe. - Damian * = The only thing I could think of is session hijacking, if the source IP is your only method of session security, by other machines behind the same NATing gateway. This is possible. Again, onions. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- defense against session hijacking Thomas M. Duffey (Nov 17)
- Re: defense against session hijacking Gary E. Miller (Nov 17)
- Re: defense against session hijacking Ron DuFresne (Nov 19)
- Re: defense against session hijacking David Maynor (Nov 17)
- Re: defense against session hijacking Damian Gerow (Nov 17)
- Re: defense against session hijacking Frank Knobbe (Nov 17)
- Re: defense against session hijacking Damian Gerow (Nov 17)
- Re: defense against session hijacking David Maynor (Nov 17)
- Re: defense against session hijacking Damian Gerow (Nov 17)
- window hiding sir kaber (Nov 17)
- Re: defense against session hijacking |reduced|minus|none| (Nov 17)
- Re: defense against session hijacking Gary E. Miller (Nov 17)
- Re: defense against session hijacking Scott Taylor (Nov 17)
- Re: defense against session hijacking Bill Pennington (Nov 17)
- Re: defense against session hijacking Jason Ziemba (Nov 18)
- Re: defense against session hijacking Tim (Nov 18)
- Re: defense against session hijacking Jakob Lell (Nov 19)