WebApp Sec mailing list archives

RE: state management by client IP address for Web App Sessions


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 25 Feb 2005 16:50:46 -0600

Hey, thanks all for feedback. I clearly worded this wrong
in haste.

My concern is state management. I am finishing a whitepaper
on state and session management and it just hit me that
the metrics I'm going on are a biased sample (US, Canadian,
and small European sample from specific Western countries).

I'm not concerned with percentage of same-source. Obviously
that's what rfc-reserved space + NAT results in.

I was curious how common user Abba from src 127.0.0.1 all of
a sudden switches to src 127.0.0.1, or even 128.0.0.1. There
are certain ISPs (AOL being the most guilty) that do this.

In the US, if you build a webapp that services a client population
coming from ISPs that do this, you absolutely cannot track/
validate/session handle based upon src IP.

I am presenting some of the results of this at Black Hat Europe
and some at OWASP 2005 in London, and thought that before I
speak like a provincial fool I should see if this phenomenon
holds true in other countries, particularly Asia, Eastern
Europe, and other emerging markets like South America.

Thanks for the feedback, any more related to IP src changes
(not many-to-one NAT) mid-session from different parts of the
world is appreciated.

Arian Evans
Sr. Security Engineer
FishNet Security

KC Office:  816.421.6611
Direct: 816.701.2045
Toll Free:  888.732.9406
Fax:  816.474.0394

http://www.fishnetsecurity.com
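The failure mode the post describes, as an added example that is not code from the original message or from FishNet: a small session store that can be configured to bind a session to the exact source IP, to the source /24, or to nothing but the session token, replayed against a constructed request stream in which a legitimate user's source address changes mid-session the way the post says some ISP proxies do. The user name, token format, addresses and request sequence are all constructed sample values.

```python
"""Session validation with and without source-IP binding (added example).

Models why binding a web session to the client's source IP rejects legitimate
users whose ISP rotates the outbound proxy address mid-session. All addresses,
the user name and the request sequence are constructed sample values.
"""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    bound_ip: str  # source address seen at login


class SessionStore:
    """policy: "none" (token only), "prefix" (same /prefix_len), "exact" (same IP)."""

    def __init__(self, policy: str = "none", prefix_len: int = 24):
        if policy not in ("none", "prefix", "exact"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.prefix_len = prefix_len
        self._sessions = {}

    def login(self, user: str, client_ip: str) -> str:
        # The unguessable token is what actually carries the session state;
        # the IP is recorded only so the binding policies can be compared.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_ip)
        return token

    def _ip_matches(self, bound: str, current: str) -> bool:
        if self.policy == "none":
            return True
        if self.policy == "exact":
            return bound == current
        net = ipaddress.ip_network(f"{bound}/{self.prefix_len}", strict=False)
        return ipaddress.ip_address(current) in net

    def validate(self, token: str, client_ip: str) -> Optional[str]:
        """Return the user for a valid (token, source IP) pair, else None."""
        s = self._sessions.get(token)
        if s is None or not self._ip_matches(s.bound_ip, client_ip):
            return None
        return s.user


# Constructed request stream for one user: first entry is the login, the rest
# are follow-up requests. The source address hops within the same /24 and then
# to an entirely different network, as the post describes for some ISPs.
ROTATING_PROXY_REQUESTS = [
    "198.51.100.10",  # login
    "198.51.100.10",
    "198.51.100.11",  # same /24, different host
    "203.0.113.5",    # different network altogether
    "198.51.100.10",  # back to the original address
]


def replay(policy: str) -> dict:
    """Replay the stream under one policy; count legitimate requests rejected."""
    store = SessionStore(policy)
    first, *rest = ROTATING_PROXY_REQUESTS
    token = store.login("abba", first)
    rejected = sum(1 for ip in rest if store.validate(token, ip) is None)
    return {"policy": policy, "requests": len(rest), "rejected": rejected}


def stolen_token_rejected(policy: str) -> bool:
    """A token the server never issued is rejected under every policy."""
    store = SessionStore(policy)
    store.login("abba", ROTATING_PROXY_REQUESTS[0])
    return store.validate("not-a-real-token", ROTATING_PROXY_REQUESTS[0]) is None


if __name__ == "__main__":
    for p in ("exact", "prefix", "none"):
        print(replay(p))
```

Under the "exact" policy the same user is logged out twice during a single visit, the /24 prefix policy still fails on the cross-network hop, and only the token-only policy keeps the session alive; what stops the session from being hijacked in all three cases is the unguessable token, not the source address.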