WebApp Sec mailing list archives
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Wed, 22 Dec 2004 12:09:50 -0500
Sverre,

Also, in general, many clients are either behind proxies or have IP addresses that change very frequently (AOL comes to mind, but I'm sure there are others)-- I'm not sure if this is simply AOL masking the source IP or whether the DHCP lease is just very short, but the rule is: "In general, you should assume that the source IP of a client will not remain constant during any meaningful length of time."

At least, that's my take on it.

Regards,
Michael Scovetta
Computer Associates
Senior Application Developer

-----Original Message-----
From: Sverre H. Huseby [mailto:shh () thathost com]
Sent: Tuesday, December 21, 2004 2:21 AM
To: Elihu Smails
Cc: webappsec () securityfocus com
Subject: Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"

[Elihu Smails]
| Sessions should track the remote IP address of the client at a
| minimum, so that this problem could go away.

Unfortunately, checking IP addresses won't solve the Session Riding / Web Trojan problem, as the request is coming from the victim's computer.

Sverre.
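The two points made in the exchange above (Sverre's: an IP check cannot stop session riding because the forged request leaves the victim's own machine; Michael's: the check also locks out legitimate clients whose address changes) can be shown side by side with a small model of a server handler. This is an added example, not code from the thread or from the whitepaper; the session store, request class, handler names, TEST-NET addresses and the "bank transfer" scenario are all constructed for illustration. The per-session token check is one standard mitigation for session riding and is shown here as the contrast, not as something the thread itself proposes.

```python
import secrets
from dataclasses import dataclass

# Constructed in-memory session store: session id (cookie value) -> record.
SESSIONS = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it (hypothetical)."""
    method: str
    remote_ip: str
    cookies: dict
    form: dict


def login(user, remote_ip):
    """Create a session bound to the IP seen at login; return the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {
        "user": user,
        "ip": remote_ip,
        # Per-session secret that only pages served by this site will embed.
        "csrf": secrets.token_hex(16),
    }
    return sid


def transfer_ip_bound(req):
    """Handler that trusts the session cookie plus a source-IP match
    (the scheme Elihu suggested). Returns (status, message)."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "no session"
    if sess["ip"] != req.remote_ip:
        return 403, "ip mismatch"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def transfer_token_bound(req):
    """Handler that requires the per-session token in a POST body and does not
    look at the client IP at all. Returns (status, message)."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "no session"
    if req.method != "POST":
        return 405, "state change must be POST"
    token = req.form.get("csrf", "")
    if not secrets.compare_digest(token, sess["csrf"]):
        return 403, "missing or wrong csrf token"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def request_from_site_form(sid, remote_ip, to, amount):
    """What the browser sends when the user submits the site's own form.
    The form was rendered by the site, so it carries the session's token."""
    token = SESSIONS[sid]["csrf"]
    return Request("POST", remote_ip, {"sid": sid},
                   {"to": to, "amount": amount, "csrf": token})


def request_from_attacker_page(sid, victim_ip):
    """What the victim's browser sends when it loads a hostile page holding a
    pre-filled, auto-submitting form aimed at the site. The browser attaches the
    site's cookie by itself and the packet leaves from the victim's own address,
    so both sid and IP look right. The hostile page cannot read the token out of
    the site's pages, so the best it can do is omit or guess it."""
    return Request("POST", victim_ip, {"sid": sid},
                   {"to": "attacker", "amount": "1000", "csrf": "guess"})


def demo():
    """Run the four cases and return the status code each handler produced."""
    sid = login("alice", "192.0.2.10")  # constructed TEST-NET addresses
    forged = request_from_attacker_page(sid, "192.0.2.10")
    genuine_same_ip = request_from_site_form(sid, "192.0.2.10", "bob", "20")
    genuine_new_ip = request_from_site_form(sid, "192.0.2.77", "bob", "20")
    return {
        # Sverre's point: the riding request passes the IP check.
        "ip_check_vs_forged": transfer_ip_bound(forged)[0],
        # Michael's point: a roaming legitimate user is locked out by it.
        "ip_check_vs_roaming_user": transfer_ip_bound(genuine_new_ip)[0],
        # Token check: forged request rejected, genuine ones accepted
        # regardless of which address they come from.
        "token_check_vs_forged": transfer_token_bound(forged)[0],
        "token_check_vs_genuine": transfer_token_bound(genuine_same_ip)[0],
        "token_check_vs_roaming_user": transfer_token_bound(genuine_new_ip)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The model deliberately gives the attacker everything an IP check can see (valid cookie, correct source address) because that is exactly what a riding request looks like from the server; the only thing the attacker's page lacks is a value it would have to read from the site's own response.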
Current thread:
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications", (continued)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Florian Weimer (Dec 23)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Elihu Smails (Dec 20)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Elihu Smails (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Sverre H. Huseby (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Joseph Miller (Dec 22)
- Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Florian Weimer (Dec 23)