WebApp Sec mailing list archives
RE: Filtering by client IP address for Web App Sessions
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Thu, 24 Feb 2005 23:19:48 -0500
Arian, You've got two problems when you rely on source IP: #1- Even if 90% (or even 99%) of your user population isn't going through these megaproxies, you're going to have users calling you up saying they keep getting disconnected (and the ones you get on the phone won't have a clue what a proxy server is. #2- If you 'trust' the source IP, then you're leaving a layer of security vulnerable to spoofing. So in general, I wouldn't suggest validating based on source IP during each request. If you're just allowing people from a particular set of Ips to access a site, that's different--that should be fine. Just don't rely on the client's IP to stay static. You're better off finding another way to mitigate XSS attacks (if that's what you're after) I don't know of any companies other than AOL that do that, but I would image some anonymous-browsing proxies might set up something like that. Michael Scovetta Computer Associates Senior Application Developer -----Original Message----- From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com] Sent: Wednesday, February 23, 2005 10:13 AM To: webappsec () securityfocus com Subject: Filtering by client IP address for Web App Sessions Question for those outside of the US of A: In Europe, Asia, etc. do you have: 1. Any significant user population of your web applications comprised of AOL (America online) users? 2. Are there many ISPs or large organizations using megaproxies that swap client source IPs across entire classes of netblock (e.g. -like AOL does)? I've been telling people for years that you can't filter by source or even last octet netblocks and lately have been wondering if I'm dense and this is a US-centric bias of mine thanks to the ISP behaviors I've had to deal with over the years. Feedback appreciated, Arian
Current thread:
- Filtering by client IP address for Web App Sessions Evans, Arian (Feb 23)
- Re: Filtering by client IP address for Web App Sessions Paul Johnston (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Steve Shah (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Paul Johnston (Mar 01)
- Re: Filtering by client IP address for Web App Sessions exon (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Jason Coombs (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Frank Knobbe (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Javier Fernandez-Sanguino (Mar 01)
- <Possible follow-ups>
- RE: Filtering by client IP address for Web App Sessions Amichai Shulman (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Griffiths, Ian (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Scovetta, Michael V (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Evans, Arian (Mar 03)