WebApp Sec mailing list archives

Re: Tying a session to an IP address

From: exon <exon () home se>
Date: Mon, 10 May 2004 20:53:40 +0200

Rogan Dawes wrote:

Actually, it is not so trivial to spoof a TCP connection long enough toget something useful from it. Especially an HTTP connection.

True, but sending to (with an unlawfully gained login) can do as much ormore damage as receiving from.

The original fear with spoofed connections was rlogin/rsh, which used IPaddresses as authentication. The mechanism for exploitation was usuallysomething like:
Send SYN packet from "authenticated/permitted" IP address.
Do not receive the SYN/ACK.
Send ACK packet, with a payload of something like

"echo '+ +' >> .rhosts"

Even if you do not receive a response, you have cracked the box.

Correct. This would work equally nice in abusing whatever you might beable to shoot blindly at. RSH was a bit scary in that it permittedshell-accounts immediately with no greater effort, but the ability toadd certain pieces of information into a database or some file on theserver can prove equally damaging.

This is still possible from some web apps, particularly those that allowyou to execute admin functions if you come from a specific IP address,and don't use session cookies, etc.
BUT, the majority of apps on the Internet now require you to go throughmultiple levels in order to actually achieve something.
e.g. submit a GET to get a form to fill in, submit a POST with thevalues, submit a POST as a confirmation, etc.
It is not a simple as the rsh attack described above.

Not far from it, so long as you know what you're "shooting" at, andmapping the steps is trivial with either a little social engineering orsimply browsing the webpage text.

Personally, I think that tracking the IP address CAN add some value. Itis not foolproof, and can cause problems in certain circumstances, butit helps to raise the bar where those circumstances do not apply to you.

Anything that helps is good, I suppose, but one must also consider thefact that a false sense of any security can be worse than a true senseof no security.

Rogan


/exon

Current thread:

Tying a session to an IP address Paul Johnston (May 10)
- Re: Tying a session to an IP address exon (May 10)
  - Re: Tying a session to an IP address Rogan Dawes (May 10)
    - Re: Tying a session to an IP address exon (May 10)
- Re: Tying a session to an IP address Chris Burton (May 10)
- Re: Tying a session to an IP address Imre Kertesz (May 10)
- Re: Tying a session to an IP address [summary] Paul Johnston (May 12)
- <Possible follow-ups>
- RE: Tying a session to an IP address Mike Randall (May 10)
- RE: Tying a session to an IP address Imperva Application Defense Center (May 10)
  - Re: Tying a session to an IP address T.J. (May 10)
  - Re: Tying a session to an IP address Adam Tuliper (May 10)
    - RE: Tying a session to an IP address Steve McCullough (May 11)
- RE: Tying a session to an IP address Wolf, Yonah (May 10)
- RE: Tying a session to an IP address Scovetta, Michael V (May 10)

(Thread continues...)