RE: Filtering by client IP address for Web App Sessions

["Scovetta, Michael V" <Michael.Scovetta () ca com>]

Arian,
  You've got two problems when you rely on source IP:
#1- Even if 90% (or even 99%) of your user population isn't going
through these megaproxies, you're going to have users calling you up
saying they keep getting disconnected (and the ones you get on the phone
won't have a clue what a proxy server is.
#2- If you 'trust' the source IP, then you're leaving a layer of
security vulnerable to spoofing.

So in general, I wouldn't suggest validating based on source IP during
each request. If you're just allowing people from a particular set of
Ips to access a site, that's different--that should be fine. Just don't
rely on the client's IP to stay static. You're better off finding
another way to mitigate XSS attacks (if that's what you're after)

I don't know of any companies other than AOL that do that, but I would
image some anonymous-browsing proxies might set up something like that. 

 
Michael Scovetta
Computer Associates
Senior Application Developer

-----Original Message-----
From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com] 
Sent: Wednesday, February 23, 2005 10:13 AM
To: webappsec () securityfocus com
Subject: Filtering by client IP address for Web App Sessions

Question for those outside of the US of A:

In Europe, Asia, etc. do you have:

1. Any significant user population of your web applications
comprised of AOL (America online) users?

2. Are there many ISPs or large organizations using megaproxies
that swap client source IPs across entire classes of netblock (e.g.
-like AOL does)?

I've been telling people for years that you can't filter by source or
even last octet netblocks and lately have been wondering if I'm dense
and this is a US-centric bias of mine thanks to the ISP behaviors
I've had to deal with over the years.

Feedback appreciated,

Arian