Security Basics mailing list archives
Re: IP Spoofing??
From: "Gavin Zuchlinski" <gzuchlinski () pgsit org>
Date: Tue, 2 Dec 2003 18:04:37 -0500
Hi,

As a load of people from the list probably already told you, spoofing an IP in this case would be a lot of work and probably not work out too well. Another option though: is there something specific you want to exploit? If you can insert whatever HTML and scripting you want as the client (and therefore as their IP :-), it might be possible to submit a form changing the user's password or similar. I wrote a paper a while back which might help you a little in your research, http://libox.net/xss.php .

-Gavin
http://libox.net/

----- Original Message -----
From: "pire pire" <pirepire69 () romandie com>
To: <security-basics () securityfocus com>
Sent: Tuesday, December 02, 2003 5:02 PM
Subject: IP Spoofing??

Hi,

I've found a vulnerability in a Web App which gave me via an XSS the sessionID token. I would like to replay this token. But the session ID manager (on the server) seems to also look at IP addresses. So my question is: Is there a way to spoof my IP address in order to replay the sessionID?? Like: http://www.tutu.com/toto.php?sessionid=32443243 and somehow spoof my IP?! If I replay the sessionid from my machine or another machine behind my NAT (same outside IP) it works!!

Thanks a lot for your help
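
The server-side check described in the thread, as an added example that is not part of either message: a session table that pins each session ID to the IP seen at login. Class, function and user names are hypothetical and the addresses are constructed; it shows that the pin cannot tell apart two hosts behind one NAT, and that a mismatch is worth logging as possible token theft.

```python
import secrets


class IPBoundSessions:
    """Session table that pins each session ID to the client IP seen at login."""

    def __init__(self):
        self._sessions = {}  # session_id -> (user, IP at login)
        self.alerts = []     # (user, pinned_ip, seen_ip) for every IP mismatch

    def login(self, user, client_ip):
        sid = secrets.token_urlsafe(32)  # unguessable token, unlike a short numeric ID
        self._sessions[sid] = (user, client_ip)
        return sid

    def validate(self, sid, client_ip):
        """Return the user if the token is known and arrives from the pinned IP."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, pinned_ip = entry
        if client_ip != pinned_ip:
            # Token presented from another address: record it and, as a design
            # choice of this example, invalidate the session outright.
            self.alerts.append((user, pinned_ip, client_ip))
            del self._sessions[sid]
            return None
        return user


def demo():
    store = IPBoundSessions()
    # Constructed addresses from the RFC 5737 documentation ranges.
    nat_ip, other_ip = "203.0.113.10", "198.51.100.7"
    sid = store.login("alice", nat_ip)
    results = {
        # The server only sees the outside address, so the user's own browser
        # (including any script running in it) and a second host behind the
        # same NAT look identical to this check.
        "same_browser": store.validate(sid, nat_ip),
        "other_host_same_nat": store.validate(sid, nat_ip),
        "different_ip": store.validate(sid, other_ip),
        "after_mismatch": store.validate(sid, nat_ip),
    }
    return results, store.alerts


if __name__ == "__main__":
    print(demo())
```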
Current thread:
- IP Spoofing?? pire pire (Dec 02)
- Re: IP Spoofing?? Gavin Zuchlinski (Dec 03)
- Re: IP Spoofing?? Adam Newhard (Dec 03)