Security Basics mailing list archives
Re: IP Spoofing??
From: Adam Newhard <atnewhard () microstrain com>
Date: Wed, 03 Dec 2003 08:45:53 -0500
pire pire wrote:
Hi, I've found a vulnerability in a Web App which gave me via an XSS the sessionID token. I would like to replay this token. But the session ID manager (on the server) seems to also look at IP addresses. So my question is: Is there a way to spoof my IP address in order to replay the sessionID?? Like: http://www.tutu.com/toto.php?sessionid=32443243 and somehow spoof my IP?! If I replay the sessionid from my machine or another machine behind my NAT (same outside IP) it works!!
<not-being-rude>Well, yeah, it's supposed to. After it hits your NAT, no one knows which internal IP it's coming from except for the NAT.
</not-being-rude>
Thanks a lot for your help
Current thread:
- IP Spoofing?? pire pire (Dec 02)
- Re: IP Spoofing?? Gavin Zuchlinski (Dec 03)
- Re: IP Spoofing?? Adam Newhard (Dec 03)