WebApp Sec mailing list archives
RE: Tying a session to an IP address
From: "Tom Martin" <tom () permanentseptember co uk>
Date: Mon, 10 May 2004 20:11:57 +0100
It's fairly trivial to spoof one's IP address and I would say MOST ISPs' routers won't particularly care what IP address you are pretending to use. The reason I would say IP address spoofing doesn't totally invalidate this idea is that IP address spoofing is fine as long as you don't need to see the replies to your packets - not a problem if you're DDoSing someone's web server but slightly more challenging if you're trying to read their webmail. But actually I can think of ways round that as well... Maybe address spoofing does kind of make this one redundant.

-----Original Message-----
From: Scovetta, Michael V [mailto:Michael.Scovetta () ca com]
Sent: 10 May 2004 15:35
To: exon; webappsec () securityfocus com
Subject: RE: Tying a session to an IP address

..."I'd say it doesn't do diddly squat to add to security, since it's trivial to spoof one's address."

Is that really true? Is it trivial to spoof an arbitrary, specific address? Can you make my traffic log think that you came from 158.4.24.21? Or 127.0.0.1? I agree that within a subnet or behind a hacked router, sure, but at some point a router in the downline is going to say, "WTF! I don't know about the 158.4 subnet, screw that!" Unless I totally misunderstand the issues at hand in spoofing IPs...

Mike

-----Original Message-----
From: exon [mailto:exon () home se]
Sent: Monday, May 10, 2004 10:01 AM
To: webappsec () securityfocus com
Subject: Re: Tying a session to an IP address

Paul Johnston wrote:
> Hi, I'm interested in the merits of restricting a session to an IP address. I realise this isn't great security as often many users will appear to come from the same IP address (NAT, proxies, etc.) However, if you consider the case where an attacker uses an XSS vulnerability to steal the session ID, then the IP address restriction raises the bar considerably for an arbitrary remote attacker to exploit this. I'm worried that the IP address restriction wouldn't work for all users - e.g. if their ISP uses load-balanced web caches. Does anyone know how common such arrangements are in practice? Perhaps something to be done then is just check the top 16 bits of the IP address. This is likely to work for all such network arrangements and still raises the bar a lot for remote attacks.

I'd say it doesn't do diddly squat to add to security, since it's trivial to spoof one's address.

> Does anyone here already restrict sessions by IP address?
>
> Regards,
> Paul
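The check Paul describes (binding a session to the top 16 bits of the client's address so that load-balanced caches within one /16 keep working while a stolen session ID replayed from elsewhere is rejected) is short enough to show in full. The following is an added illustration, not code from anyone in this thread: it assumes a hypothetical in-memory session store, uses the 158.4.24.21 address mentioned above purely as a constructed sample, and generalises the proposal by making the prefix length a parameter (32 binds to the exact address, 16 is Paul's suggestion).

```python
import ipaddress
import secrets

# Constructed in-memory store for the example: session_id -> session record.
# A real deployment would keep this in whatever session backend it already uses.
_sessions = {}


def _client_network(ip, prefix_len):
    """Mask `ip` down to its first `prefix_len` bits (16 = Paul's 'top 16 bits')."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def create_session(user, client_ip, prefix_len=16):
    """Issue a fresh session id and record the network prefix it was issued from."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {
        "user": user,
        "net": _client_network(client_ip, prefix_len),
    }
    return sid


def validate_session(sid, client_ip):
    """Return the session's user if `client_ip` lies inside the recorded prefix.

    A well-formed address outside the prefix is treated as a possible replay of a
    stolen session id: the session is destroyed and None is returned.  A malformed
    address is rejected without destroying the session (more likely a parsing bug
    on the server side than an attack).
    """
    entry = _sessions.get(sid)
    if entry is None:
        return None
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    # `in` returns False for an address of the other IP version, so an IPv6
    # request can never satisfy a session bound to an IPv4 prefix.
    if addr not in entry["net"]:
        del _sessions[sid]
        return None
    return entry["user"]


if __name__ == "__main__":
    sid = create_session("paul", "158.4.24.21")          # constructed sample address
    print(validate_session(sid, "158.4.99.7"))           # same /16 (another cache): paul
    print(validate_session(sid, "10.1.2.3"))             # different /16: None, session gone
```

The `client_ip` passed in must be the address the server actually observed on the connection; anything the client can set itself would defeat the point of the check. As the thread discusses, this only raises the cost of using a captured session ID from an arbitrary network; it is a supplement to short session lifetimes and XSS fixes, not a replacement for them.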