Penetration Testing mailing list archives
RE: Session & IP Spoofing
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Wed, 3 Dec 2003 11:43:02 -0500
You can use traditional IP-spoofing techniques to spoof the IP. If the server is on a local subnet/intranet, it becomes easier. The problem with spoofing the IP is that the server tries sending replies back to that address, so it's tough to get an interactive session going through a spoofed IP.

I also don't think this is a good practice for the site, since some ISPs (cough cough AOL cough cough) will sometimes give you multiple IPs on their end, so if you load up a page with 10 images, the page might see you come from 10 different IPs. Screwy, but it's out there.

You also hit upon a good point: tying the session ID to IP is useless in a NAT situation.

Since you'll know the session ID and the IP address of the "true" user, you can probably just craft a packet from their IP containing the payload and deliver it. You might have to rely on XSS to get the information back to you.

It may be possible to do whatever you need within the XSS, and not even care about the session ID. For instance, if, within the XSS, you open up a new window (same session ID, same IP) on the client's side, to the same site, javascript-it-up to do whatever you want to do, and then transmit that data back to you, you should be able to accomplish almost anything. I believe IE lets you open up a hidden IFRAME (0 by 0 size) and do whatever you want with that. I use this technique for a "poor-man's RPC call" to a web server, so I assume it'll work in this case.

Hope that helps--

Michael Scovetta

-----Original Message-----
From: pire pire [mailto:pirepire69 () romandie com]
Sent: Tuesday, December 02, 2003 5:02 PM
To: pen-test () securityfocus com
Subject: Session & IP Spoofing

Hi,

I've found a vulnerability in a Web App which gave me, via an XSS, the session ID token. I would like to replay this token. But the session ID manager (on the server) seems to look also at IP addresses.

So my question is: Is there a way to spoof my IP address in order to replay the session ID?

Like: http://www.tutu.com/toto.php?sessionid=32443243 and somehow spoof my IP?!

If I replay the session ID from my machine or another machine behind my NAT (same outside IP), it works!!

Thanks a lot for your help
Current thread:
- Session & IP Spoofing pire pire (Dec 03)
- Re: Session & IP Spoofing Stephen de Vries (Dec 03)
- <Possible follow-ups>
- RE: Session & IP Spoofing Micheal Thompson (Dec 03)
- RE: Session & IP Spoofing Scovetta, Michael V (Dec 03)
- RE: RE: Session & IP Spoofing pire pire (Dec 04)
- Re: RE: Session & IP Spoofing Nexus (Dec 04)
- Re: RE: Session & IP Spoofing Frank Knobbe (Dec 06)
- RE: RE: Session & IP Spoofing Rob Shein (Dec 06)
- Re: RE: Session & IP Spoofing Nexus (Dec 04)
- RE: RE: Session & IP Spoofing MARTIN M. Bénoni (Dec 04)
- RE: RE: Session & IP Spoofing Micheal Thompson (Dec 06)
- RE: RE: Session & IP Spoofing Scovetta, Michael V (Dec 06)