WebApp Sec mailing list archives
AW: AW: JRun: The Easiness of Session Fixation
From: "Javor Evstatiev" <Javor.Evstatiev () d-con com>
Date: Sun, 2 Mar 2003 02:00:15 +0100
Hej, agree on proxies. BTW, isn't it likely that they will send correct FORWARDED_FOR headers?

Do not fully agree on NAT. Why would someone change his src? Even if someone uses several outgoing src addrs, I doubt they will round-robin them; IMHO this would break lots of other apps (telnet? ftp? UDP-based games?).

If you have a good solution for MITM attacks against plain HTTP, I'd love to know about it.

Cheers,
j. braindead

-----Original Message-----
From: Alex Russell [mailto:alex () netWindows org]
Sent: Friday, 28 February 2003 23:56
To: Javor Evstatiev; Christoph Schnidrig; webappsec () securityfocus com
Subject: Re: AW: JRun: The Easiness of Session Fixation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 01 March 2003 02:13 pm, Javor Evstatiev wrote:
> Hej, I save the incoming IP address when the session is created. On each request I compare the incoming IP address with the IP stored in the session. If it does not match, there is something foul.
What about MITM? NAT? Most AOL traffic comes from something like 6 IPs. And you're going to rely on that to determine whether or not a session is valid?

You'll do much better with a session mechanism that isn't simply brain-dead.

- --
Alex Russell
alex () netWindows org
alex () SecurePipe com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+X+keoV0dQ6uSmkYRAglXAKCVhfzS2/hikb+V51M8QASef7U7YACg1uhi
UuPBKqaXVf0tFcpbhuXn7tU=
=IHFm
-----END PGP SIGNATURE-----
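As an added illustration of the points argued in this thread (example code added here, not taken from the thread and not JRun's own implementation), the Python sketch below puts Javor's IP-binding check next to the standard session-fixation countermeasure of issuing a fresh session ID at login, and shows why Alex's NAT objection matters: a legitimate user whose outgoing address changes mid-session is thrown out. It also covers the forwarded-for question: the X-Forwarded-For header is only worth reading when the TCP peer is a proxy you operate, since anyone else can set it to anything. The proxy address, client addresses and user names are constructed for the example.

```python
import secrets
from typing import Dict, Optional

# Assumed address of a reverse proxy we run (constructed for the example).
TRUSTED_PROXIES = {"10.0.0.1"}


def client_ip(remote_addr: str, headers: Dict[str, str]) -> str:
    """Address to treat as the client's.

    X-Forwarded-For is honoured only when the connection itself comes from
    one of our own proxies; from any other peer the header is untrusted input.
    """
    xff = headers.get("X-Forwarded-For")
    if remote_addr in TRUSTED_PROXIES and xff:
        # leftmost entry is the original client as reported by the proxy
        return xff.split(",")[0].strip()
    return remote_addr


class SessionStore:
    """In-memory session store; bind_to_ip enables Javor's check."""

    def __init__(self, bind_to_ip: bool) -> None:
        self.bind_to_ip = bind_to_ip
        self._sessions: Dict[str, dict] = {}

    def create(self, ip: str) -> str:
        # unguessable ID, recorded together with the IP seen at creation
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "ip": ip}
        return sid

    def lookup(self, sid: str, ip: str) -> Optional[dict]:
        """Return the session, or None if unknown or (when binding) IP changed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.bind_to_ip and s["ip"] != ip:
            return None  # "something foul" in Javor's words
        return s

    def login(self, sid: str, ip: str, user: str) -> Optional[str]:
        """Authenticate and rotate the ID so a pre-issued one never becomes
        an authenticated session (the usual session-fixation defence)."""
        if self.lookup(sid, ip) is None:
            return None
        del self._sessions[sid]
        new_sid = self.create(ip)
        self._sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid: str, ip: str) -> Optional[str]:
        s = self.lookup(sid, ip)
        return s["user"] if s else None


def fixation_defeated() -> bool:
    """An ID obtained before login must not turn into the victim's session."""
    store = SessionStore(bind_to_ip=False)
    planted = store.create("203.0.113.5")                # ID known to a third party
    victim_sid = store.login(planted, "198.51.100.7", "alice")
    return (store.user_for(planted, "203.0.113.5") is None
            and store.user_for(victim_sid, "198.51.100.7") == "alice")


def nat_pool_breaks_ip_binding() -> bool:
    """Alex's objection: same user, NAT pool picks a new outgoing address."""
    store = SessionStore(bind_to_ip=True)
    sid = store.login(store.create("192.0.2.10"), "192.0.2.10", "bob")
    still_ok = store.user_for(sid, "192.0.2.10") == "bob"
    after_change = store.user_for(sid, "192.0.2.11")
    return still_ok and after_change is None


if __name__ == "__main__":
    print("fixation defeated:", fixation_defeated())
    print("IP binding rejects NAT address change:", nat_pool_breaks_ip_binding())
    print(client_ip("10.0.0.1", {"X-Forwarded-For": "198.51.100.7, 10.0.0.1"}))
    print(client_ip("203.0.113.5", {"X-Forwarded-For": "127.0.0.1"}))
```

Rotating the ID at login is what removes the fixation problem regardless of the IP check; IP binding is at best a secondary signal, and the second demo shows the false positive it produces for users behind address pools.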