Security Basics mailing list archives

Re: IP Spoofing??


From: Adam Newhard <atnewhard () microstrain com>
Date: Wed, 03 Dec 2003 08:45:53 -0500

pire pire wrote:

Hi,

I've found a vulnerability in a Web App which gave me via an XSS the sessionID token.

I would like to replay this token. But the session ID manager (on the server) seems to also look at IP addresses. So my question is: Is there a way to spoof my IP address in order to replay the sessionID??

Like: http://www.tutu.com/toto.php?sessionid=32443243 and somehow spoof my IP?!

If I replay the sessionid from my machine or another machine behind my NAT (same outside IP) it works!!
<not-being-rude>
Well, yeah, it's supposed to. After it hits your NAT, no one knows which internal IP it's coming from except for the NAT.
</not-being-rude>



Thanks a lot for your help

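The server-side IP check the original poster ran into, and the NAT limitation Adam points out, as an added Python example. This is not code from the thread or from any product it mentions: the session store, the revoke-on-mismatch policy, the idle timeout and the IP addresses are all assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    bound_ip: str      # source address seen when the session ID was issued
    last_seen: float   # for idle-timeout handling


class IpBoundSessionStore:
    """Minimal server-side session manager that binds every session ID to the
    client address that created it. Assumed design for illustration only, not
    the session manager discussed in the thread."""

    def __init__(self, idle_timeout_s: int = 1800) -> None:
        self.idle_timeout_s = idle_timeout_s
        self._sessions: Dict[str, Session] = {}
        self.audit_log: List[str] = []   # what a defender would forward to a SIEM

    def create(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256-bit random ID, never sequential
        self._sessions[sid] = Session(user=user, bound_ip=client_ip, last_seen=now)
        return sid

    def validate(self, sid: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user the session belongs to, or None if the request is
        rejected. A rejected session is revoked so a leaked ID cannot be retried."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            self.audit_log.append(f"unknown-session ip={client_ip}")
            return None
        if now - sess.last_seen > self.idle_timeout_s:
            del self._sessions[sid]
            self.audit_log.append(f"expired user={sess.user} ip={client_ip}")
            return None
        if client_ip != sess.bound_ip:
            # The ID is presented from an address other than the one it was
            # issued to: treat it as a replay, revoke it, and log it for detection.
            del self._sessions[sid]
            self.audit_log.append(
                f"ip-mismatch user={sess.user} bound={sess.bound_ip} seen={client_ip}")
            return None
        sess.last_seen = now
        return sess.user


def nat_replay_demo() -> Tuple[Optional[str], Optional[str], Optional[str], List[str]]:
    """Walk through the scenario from the thread with constructed addresses
    (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)."""
    store = IpBoundSessionStore()
    nat_ip = "203.0.113.10"     # external address shared by every host behind the NAT
    other_ip = "198.51.100.7"   # a host on a different network
    t0 = 1_000_000.0

    sid = store.create("alice", nat_ip, now=t0)

    # A second internal host behind the same NAT arrives with the same source
    # IP, so the server cannot tell it from the legitimate user: the check passes.
    same_nat = store.validate(sid, nat_ip, now=t0 + 10)

    # From a different external address the mismatch is caught and the
    # session is revoked.
    elsewhere = store.validate(sid, other_ip, now=t0 + 20)

    # Even the original address is now rejected; revocation, not the IP
    # comparison on its own, is what limits the damage from a leaked ID.
    after_revoke = store.validate(sid, nat_ip, now=t0 + 30)

    return same_nat, elsewhere, after_revoke, store.audit_log


if __name__ == "__main__":
    print(nat_replay_demo())
```

The walk-through shows why the poster's replay "works" from behind the same NAT: the server only ever sees the NAT's outside address, so IP binding cannot separate two internal hosts. It does still catch presentation of the ID from a different external network, and the mismatch log line is a useful detection signal. Treat IP binding as one signal alongside short idle timeouts and revocation, since legitimate users behind proxies or on mobile networks also change addresses, and keep the session ID out of reach of injected script in the first place (fix the XSS, and avoid passing the ID in the URL).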

