WebApp Sec mailing list archives

RE: IP Address Question


From: "Perry, Blane" <PerryBL () michigan gov>
Date: Thu, 25 Sep 2003 15:39:22 -0400

or:
C> Session Fixation.  Although the attacker must jump through a few more hoops.  A good article - Session Fixation Vulnerability in Web-based Applications by Mitja Kolsek:

  http://www.acros.si/papers/session_fixation.pdf

-BP


-----Original Message-----
From: lj-news [mailto:lj-news () umsys com]
Sent: Thursday, September 25, 2003 2:11 PM
To: Robin Fordham; webappsec () securityfocus com
Subject: RE: IP Address Question


To effectively impersonate a remote IP and carry on TCP session I'm pretty sure either:
A> you have to be able to guess the sequence numbers and interact with the server completely blind (since you'll never get return traffic)
B> you have to be using a man-in-the-middle attack to intercept the return traffic or manipulate the return path

If that doesn't seem correct then someone please comment.

-LJ

-----Original Message-----
From: Robin Fordham [mailto:robin_fordham () yahoo com]
Sent: Thursday, September 25, 2003 12:11 PM
To: webappsec () securityfocus com
Subject: IP Address Question


OK, here's a question. Is it possible for a hacker to impersonate an IP Address with regard to logging into web applications? The Paros3.0 tool that I'm using to test Session Hijacking does not let you change your IP Address, but I wanted to know if it was actually possible to do. It would help so that I can assess the probability of a particular attack occurring.

Cheers

Robin


=====
---------------------------------------
Web Site: http://electricpiggy.com
E-mail: robin_fordham () yahoo com
ICQ: 15208257
---------------------------------------

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com
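The session fixation scenario named in Blane's reply, modelled as a minimal in-memory session store next to its usual mitigation (issue a fresh server-generated ID at login and never bind a user to an ID the server did not issue). This is an added illustration, not code from the thread or from Kolsek's paper; the class, function and cookie-value names are constructed for the example.

```python
"""Session fixation and its mitigation as a minimal in-memory model.

The vulnerable store trusts whatever session ID the client presents and binds
the authenticated user to it; the hardened store discards the pre-login ID and
issues a fresh one it generated itself. All names here are illustrative.
"""
import secrets
from typing import Optional


class SessionStore:
    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        # session id -> user name (None = anonymous session)
        self.sessions: dict[str, Optional[str]] = {}

    def new_session(self) -> str:
        """Issue a server-generated, unguessable session ID."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Authenticate `user`; return the session ID the client must use from now on."""
        if not self.rotate_on_login:
            # Vulnerable: accept any presented ID, even one the server never issued,
            # and bind the user to it. A planted ID now carries the victim's login.
            sid = presented_sid or self.new_session()
            self.sessions[sid] = user
            return sid
        # Hardened: drop the pre-authentication ID (issued or not) and start over
        # with a fresh server-generated ID, so a planted value is never promoted.
        self.sessions.pop(presented_sid, None)
        sid = self.new_session()
        self.sessions[sid] = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        """Resolve a session ID to its user, or None if it is unknown/anonymous."""
        return self.sessions.get(sid)


def fixation_scenario(rotate_on_login: bool) -> Optional[str]:
    """Who does the planted ID resolve to after the victim logs in? None = attack failed."""
    store = SessionStore(rotate_on_login)
    planted_sid = "planted-session-id"  # constructed: value the victim's browser was induced to send
    store.login(planted_sid, "victim")
    return store.whoami(planted_sid)
```

Running `fixation_scenario(False)` shows the planted ID now resolves to the victim, while `fixation_scenario(True)` shows the rotated store leaves it unbound.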

