RE: [WEB SECURITY] IP address change: relogin
- From: "Martin O'Neal" <martin.oneal@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] IP address change: relogin
- Date: Thu, 31 Jul 2008 08:13:56 +0100
> Most proxies will include a "X-Forwarded-For"
> header that contains the IP address of the
> "real" requester that can be used to help manage
> sessions.
Real in the sense that an attacker can fake it, as opposed to another
kind of real? LOL
Ok; simple example. Your site has an exploitable XSS. An attacker
drops in a mobile code exploit that sends the precious session cookie to
his evil harvester server. Guess what is in the header of this request?
Bingo! The X-Forwarded-For header. The attacker simply rolls a new
request to your server including both the session and the header. Game
over.
Martin...
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org
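Added worked example (not part of Martin's post or the list archive): a small Python sketch of the session-binding check the thread is arguing about. It contrasts a naive check that trusts whatever X-Forwarded-For says with one that only believes the hop appended by a trusted reverse proxy, and runs the replay Martin describes against both. The proxy address, client addresses, cookie and session table are all constructed for the demo.

```python
"""
Constructed demo: binding a session to the client IP derived from
X-Forwarded-For (XFF). Shows why a naive reading of the header is
defeated by a replayed cookie plus a forged header, and how a
proxy-aware reading narrows (but does not remove) that gap.
"""
from dataclasses import dataclass, field

# Assumption: 10.0.0.5 is our own reverse proxy and the only hop we trust.
TRUSTED_PROXIES = {"10.0.0.5"}

# Constructed session store: one logged-in user, bound to the IP seen at login.
SESSIONS = {"s3cr3t": {"user": "alice", "ip": "203.0.113.7"}}


@dataclass
class Request:
    remote_addr: str                      # TCP peer the server really talked to
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def naive_client_ip(req: Request) -> str:
    """Insecure: takes the left-most XFF entry at face value, whoever sent it."""
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return req.remote_addr


def trusted_client_ip(req: Request) -> str:
    """Proxy-aware: ignore XFF unless the peer is a trusted proxy, then walk
    the chain from the right and return the first address a trusted proxy
    did not itself add. Anything left of that is client-controlled."""
    if req.remote_addr not in TRUSTED_PROXIES:
        return req.remote_addr
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if hop not in TRUSTED_PROXIES:
            return hop
    return req.remote_addr


def session_valid(req: Request, ip_func) -> bool:
    """Accept the session only if the cookie exists and the derived client
    IP matches the one recorded at login."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return False
    return ip_func(req) == sess["ip"]


def scenarios() -> dict:
    """Three constructed requests carrying the stolen cookie."""
    sid = {"sid": "s3cr3t"}
    return {
        # Alice herself, through the proxy: header holds only her address.
        "legit": Request("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}, sid),
        # Replay via the same proxy with a forged XFF; the proxy appends the
        # sender's real address, so the chain becomes "victim, attacker".
        "replay_via_proxy": Request(
            "10.0.0.5", {"X-Forwarded-For": "203.0.113.7, 198.51.100.9"}, sid),
        # Replay straight to the origin, bypassing the proxy entirely.
        "replay_direct": Request(
            "198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}, sid),
    }


def evaluate() -> dict:
    """Run every scenario against both checks; returns {name: (naive, trusted)}."""
    return {name: (session_valid(r, naive_client_ip),
                   session_valid(r, trusted_client_ip))
            for name, r in scenarios().items()}


if __name__ == "__main__":
    for name, (naive, trusted) in evaluate().items():
        print(f"{name:18} naive={naive!s:5} proxy-aware={trusted}")
```

The naive check accepts all three requests, which is exactly the "game over" Martin describes: the forged header makes the replay look like it came from the victim's address. The proxy-aware reading rejects both replays because it only trusts the address its own proxy appended. Note that this still only raises the bar: it does nothing against a replay from the victim's own network, and binding to an IP at all brings back the relogin-on-address-change problem the thread started with.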