WebApp Sec mailing list archives

RE: Tying a session to an IP address


From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Mon, 10 May 2004 10:34:51 -0400

..."I'd say it doesn't do diddly squat to add to security, since it's
trivial to spoof one's address."

Is that really true? Is it trivial to spoof an arbitrary, specific
address? Can you make my traffic log think that you came from 
158.4.24.21? Or 127.0.0.1? I agree that within a subnet or behind
a hacked router, sure, but at some point a router in the downline is
going to say, "WTF! I don't know about the 158.4 subnet, screw that!"

Unless I totally misunderstand the issues at hand in spoofing IPs...

Mike

-----Original Message-----
From: exon [mailto:exon () home se]
Sent: Monday, May 10, 2004 10:01 AM
To: webappsec () securityfocus com
Subject: Re: Tying a session to an IP address


Paul Johnston wrote:
Hi,

I'm interested in the merits of restricting a session to an IP address. 
I realise this isn't great security as often many users will appear to 
come from the same IP address (NAT, proxies, etc.). However, if you
consider the case where an attacker uses an XSS vulnerability to steal 
the session ID, then the IP address restriction raises the bar 
considerably for an arbitrary remote attacker to exploit this. I'm 
worried that the IP address restriction wouldn't work for all users - 
e.g. if their ISP uses load-balanced web caches. Does anyone know how 
common such arrangements are in practice? Perhaps something to be done 
then is just check the top 16 bits of the IP address. This is likely to 
work for all such network arrangements and still raises the bar a lot 
for remote attacks.

I'd say it doesn't do diddly squat to add to security, since it's
trivial to spoof one's address.

Does anyone here already restrict sessions by IP address?

Regards,

Paul
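As an added example (not part of this thread), the check Paul proposes, written in Python: a session store that binds each session to the client's IPv4 address, either exactly or by its top 16 bits, and revokes the session when a request arrives from outside that prefix. The class, the user names and the addresses used below are constructed for illustration; the client address is assumed to be the TCP peer address taken from the socket, not a client-supplied header.

```python
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    bound_net: ipaddress.IPv4Network  # prefix this session is tied to


class SessionStore:
    """Sessions tied to the client's IPv4 prefix (constructed example).

    prefix_len=32 ties a session to one address; prefix_len=16 is the
    'check the top 16 bits' relaxation for ISPs with load-balanced caches.
    """

    def __init__(self, prefix_len: int = 32):
        if not 0 < prefix_len <= 32:
            raise ValueError("prefix_len must be between 1 and 32")
        self.prefix_len = prefix_len
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> str:
        # client_ip must be the TCP peer address from the socket; a header
        # such as X-Forwarded-For is chosen by the client and proves nothing.
        addr = ipaddress.IPv4Address(client_ip)
        net = ipaddress.IPv4Network((addr, self.prefix_len), strict=False)
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        self._sessions[sid] = Session(user, net)
        return sid

    def validate(self, sid: str, client_ip: str) -> tuple[bool, str]:
        """Return (accepted, reason); a mismatch revokes the session."""
        sess = self._sessions.get(sid)
        if sess is None:
            return False, "unknown session"
        if ipaddress.IPv4Address(client_ip) not in sess.bound_net:
            # Either a legitimate address change (NAT pool, cache farm) or a
            # stolen session ID replayed from elsewhere: revoke, and log the
            # event so the mismatch rate can be watched for false positives.
            del self._sessions[sid]
            return False, f"{client_ip} outside {sess.bound_net}; session revoked"
        return True, "ok"
```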
