Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Session & IP Spoofing

From: "Micheal Thompson" <MThompson () brinkster com>
Date: Wed, 3 Dec 2003 11:19:26 -0500
You can spoof any IP. The question is do you want the return traffic. 

-----Original Message-----
From: pire pire [mailto:pirepire69 () romandie com] 
Sent: Tuesday, December 02, 2003 5:02 PM
To: pen-test () securityfocus com
Subject: Session & IP Spoofing

Hi,

I've found a vulnerability in a Web App which 
gave me via an XSS the sessionID token.

I would like to replay this token. But the 
session ID manager (on the server) seems to look 
also to IP adresses. 

So my question is: Is there a way to spoof my ip 
address in order to replay the sessionID??

Like: 
http://www.tutu.com/toto.php?sessionid=32443243  
and some how spoof of my IP?!

If I replay the sessionid from my machine or an 
other machine behind my NAT (same outside IP) it 
works!! 

Thanks a lot for your help

_______________________________________________

La messagerie gratuite des romands : 10 MO !!!
Profitez-en ! >>> http://www.romandie.com

------------------------------------------------------------------------
---
------------------------------------------------------------------------
----



---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: