WebApp Sec mailing list archives

Re: Re: JRun: The Easiness of Session Fixation


From: "Javor Evstatiev" <Javor.Evstatiev () d-con com>
Date: Sun, 2 Mar 2003 02:00:15 +0100

hej

Agree on proxies. BTW, isn't it likely that they will send correct FORWARDED_FOR headers?

Do not fully agree on NAT. Why would someone change his src? Even if someone uses several outgoing src addrs I doubt
they will round-robin them; IMHO this would break lots of other apps (telnet? FTP? UDP-based games?).

If you have a good solution for MITM attacks against plain HTTP, I'd love to know about it.

cheers,
j. braindead

-----Original Message-----
From: Alex Russell [mailto:alex () netWindows org]
Sent: Friday, 28 February 2003 23:56
To: Javor Evstatiev; Christoph Schnidrig; webappsec () securityfocus com
Subject: Re: Re: JRun: The Easiness of Session Fixation



On Saturday 01 March 2003 02:13 pm, Javor Evstatiev wrote:
> Hej,
>
> I save the incoming ip address when the session is created. On each
> request I compare the incoming ip address with the ip stored in the
> session. If it does not match there is something foul.

What about MITM? NAT?

Most AOL traffic comes from something like 6 IPs. And you're going to rely 
on that to determine whether or not a session is valid? You'll do much 
better with a session mechanism that isn't simply brain-dead.

--
Alex Russell
alex () netWindows org
alex () SecurePipe com
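An added example, not code from the thread or from JRun: an in-memory session store that implements the IP-binding check Javor describes alongside session-id regeneration at login (the step that actually defeats fixation, since a pre-authentication id an attacker may know is discarded), and a helper that only honours a forwarded-for header from a trusted proxy. The store, the trusted-proxy set and the RFC 5737 addresses are assumptions for illustration; the mismatch branch shows the false positive Alex raises for NAT pools and proxy farms.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: Optional[str]
    bound_ip: str            # source address recorded at creation (the thread's check)
    created: float = field(default_factory=time.time)


class SessionStore:
    """Hypothetical in-memory store: server-minted ids, IP binding, regeneration."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, client_ip: str) -> str:
        # The server always mints the id. An id the client presents that is not
        # already in the store is never adopted, so a planted id is useless.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=None, bound_ip=client_ip)
        return sid

    def lookup(self, sid: Optional[str], client_ip: str) -> Optional[Session]:
        sess = self._sessions.get(sid) if sid else None
        if sess is None:
            return None                      # unknown or planted id
        if sess.bound_ip != client_ip:
            # Javor's check: source address changed mid-session. Also fires for
            # legitimate users behind a rotating NAT pool or proxy farm, so the
            # session is dropped and the user has to log in again.
            self._sessions.pop(sid, None)
            return None
        return sess

    def login(self, sid: Optional[str], client_ip: str, user: str) -> str:
        # Privilege change: retire the pre-auth id and issue a fresh one.
        if sid:
            self._sessions.pop(sid, None)
        new_sid = self.create(client_ip)
        self._sessions[new_sid].user = user
        return new_sid


def client_ip(remote_addr: str, forwarded_for: Optional[str], trusted_proxies: set) -> str:
    """Use the forwarded-for header only when the direct peer is a trusted proxy;
    from anyone else the header is client-controlled. Takes the last entry, the
    hop the trusted proxy itself saw."""
    if remote_addr in trusted_proxies and forwarded_for:
        return forwarded_for.split(",")[-1].strip()
    return remote_addr
```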

