Full Disclosure mailing list archives
Re: defense against session hijacking
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 17 Nov 2003 17:01:26 -0600
On Mon, 2003-11-17 at 16:44, Damian Gerow wrote:
Thus spake David Maynor (dave () 0dayspray com) [17/11/03 17:30]:This would break things like NATed machines and such.Could you explain how, please?
I think David was hinting at pooled NAT address. Image an internal network that gets NATed to addresses a.b.c.d.5 until a.b.c.d.12. Kinda like Gary's "ganged" proxies. The debates over using IP addresses, ports, TTLs and other connection based elements do come up from time to time. However, you are trying to authenticate/verify the user on the other end, not networking equipment in between. Logically you should check user elements (such as browser ID perhaps). Or wrap it in SSL, use hard to guess/brute session ID's and hope for the best.... like the rest if us :) Regards, Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- defense against session hijacking Thomas M. Duffey (Nov 17)
- Re: defense against session hijacking Gary E. Miller (Nov 17)
- Re: defense against session hijacking Ron DuFresne (Nov 19)
- Re: defense against session hijacking David Maynor (Nov 17)
- Re: defense against session hijacking Damian Gerow (Nov 17)
- Re: defense against session hijacking Frank Knobbe (Nov 17)
- Re: defense against session hijacking Damian Gerow (Nov 17)
- Re: defense against session hijacking David Maynor (Nov 17)
- Re: defense against session hijacking Damian Gerow (Nov 17)
- window hiding sir kaber (Nov 17)
- Re: defense against session hijacking |reduced|minus|none| (Nov 17)
- Re: defense against session hijacking Gary E. Miller (Nov 17)
- Re: defense against session hijacking Scott Taylor (Nov 17)
- Re: defense against session hijacking Bill Pennington (Nov 17)
- Re: defense against session hijacking Jason Ziemba (Nov 18)
- Re: defense against session hijacking Tim (Nov 18)
- Re: defense against session hijacking Jakob Lell (Nov 19)
- Message not available
- Re: defense against session hijacking flatline (Nov 19)