WebApp Sec mailing list archives

Re: Tying a session to an IP address

From: Rogan Dawes <discard () dawes za net>
Date: Mon, 10 May 2004 17:14:29 +0200

Actually, it is not so trivial to spoof a TCP connection long enough toget something useful from it. Especially an HTTP connection.

The original fear with spoofed connections was rlogin/rsh, which used IPaddresses as authentication. The mechanism for exploitation was usuallysomething like:


Send SYN packet from "authenticated/permitted" IP address.
Do not receive the SYN/ACK.
Send ACK packet, with a payload of something like

"echo '+ +' >> .rhosts"

Even if you do not receive a response, you have cracked the box.

This is still possible from some web apps, particularly those that allowyou to execute admin functions if you come from a specific IP address,and don't use session cookies, etc.

BUT, the majority of apps on the Internet now require you to go throughmultiple levels in order to actually achieve something.

e.g. submit a GET to get a form to fill in, submit a POST with thevalues, submit a POST as a confirmation, etc.


It is not a simple as the rsh attack described above.

Personally, I think that tracking the IP address CAN add some value. Itis not foolproof, and can cause problems in certain circumstances, butit helps to raise the bar where those circumstances do not apply to you.


Rogan

exon wrote:

Paul Johnston wrote:
Hi,
I'm interested in the merits of restricting a session to an IPaddress. I realise this isn't great security as often many users willappear to come from the same IP address (NAT, proxies, etc.) However,if you consider the case where an attacker uses an XSS vulnerabilityto steal the session ID, then the IP address restriction raises thebar considerably for an arbitrary remote attacker to exploit this. I'mworried that the IP address restriction wouldn't work for all users -e.g. if their ISP uses load-balanced web caches. Does anyone know howcommon such arrangements are in practice? Perhaps something to be donethen is just check the top 16 bits of the IP address. This is likelyto work for all such network arrangements and still raises the bar alot for remote attacks.
I'd say it doesn't do diddly squat to add to security, since it'strivial to spoof ones address.
Does anyone here already restrict sessions by IP address?

Regards,

Paul


--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"

Current thread:

Tying a session to an IP address Paul Johnston (May 10)
- Re: Tying a session to an IP address exon (May 10)
  - Re: Tying a session to an IP address Rogan Dawes (May 10)
    - Re: Tying a session to an IP address exon (May 10)
- Re: Tying a session to an IP address Chris Burton (May 10)
- Re: Tying a session to an IP address Imre Kertesz (May 10)
- Re: Tying a session to an IP address [summary] Paul Johnston (May 12)
- <Possible follow-ups>
- RE: Tying a session to an IP address Mike Randall (May 10)
- RE: Tying a session to an IP address Imperva Application Defense Center (May 10)
  - Re: Tying a session to an IP address T.J. (May 10)
  - Re: Tying a session to an IP address Adam Tuliper (May 10)
    - RE: Tying a session to an IP address Steve McCullough (May 11)
- RE: Tying a session to an IP address Wolf, Yonah (May 10)

(Thread continues...)