Re: [WEB SECURITY] IP address change: relogin
- From: "Esam Gharish" <egharish@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] IP address change: relogin
- Date: Thu, 31 Jul 2008 16:26:22 +0100
I wouldn't recommend authenticating users by way of relying on the use of IP
addresses or any modifiable element such as MAC addresses, etc.
Make it simple... force users to enter passwords PLUS implement verification
of unique tokens generated with every request (encrypted tokens), whenever
users (authenticated or otherwise) make an HTTP request that may reveal any
sensitive information, etc.
Encrypted tokens PLUS user name & password should ensure a high degree of
security.
Session IDs alone, or use of any element that can be modified, are no longer
secure option(s) when verifying users, their access rights, and whether
requests have been made by them... or by someone else.
~E
On Thu, Jul 31, 2008 at 8:13 AM, Martin O'Neal <martin.oneal@corsaire.com> wrote:
>
> > Most proxies will include a "X-Forwarded-For"
> > header that contains the IP address of the
> > "real" requester that can be used to help manage
> > sessions.
>
> Real in the sense that an attacker can fake it, as opposed to another
> kind of real? LOL
>
> Ok; simple example. Your site has an exploitable XSS. An attacker
> drops in a mobile code exploit that sends the precious session cookie to
> his evil harvester server. Guess what is in the header of this request?
> Bingo! The X-Forwarded-For header. The attacker simply rolls a new
> request to your server including both the session and the header. Game
> over.
>
> Martin...
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
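The two points made in this thread, that X-Forwarded-For is client-supplied and so cannot bind a session on its own, and that a server-issued token checked and rotated on every request narrows replay, can be put side by side in a small server-side check. The code below is an added example written for this archive page; it is not from either poster. It assumes a constructed trusted-proxy range (10.0.0.0/8), an in-memory session store, and constructed client addresses from the documentation ranges. The naive helper shows what believing the header outright amounts to; the hardened helper only honours X-Forwarded-For entries that were appended by a trusted proxy, walking the list from the right so that an address inserted by the client is ignored. Note the scope: a request issued from the victim's own browser (the XSS case Martin describes) arrives with the victim's real address, so address binding does nothing against it; what the check rejects is a replay of the stolen session from another network location, and the rotating token rejects re-use of a token already consumed.

```python
import hmac
import secrets
import ipaddress
from dataclasses import dataclass

# Constructed configuration: the only reverse proxies allowed to set
# X-Forwarded-For. In a real deployment this comes from your proxy layout.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip_naive(remote_addr, headers):
    """Believe the leftmost X-Forwarded-For entry; anyone can set it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_trusted(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Return the client address as vouched for by our own proxies only.

    Walk X-Forwarded-For from the right, discarding hops that are trusted
    proxies. The first non-proxy address is the connecting client as our
    proxy saw it; anything further left was supplied by that client and is
    ignored. If the TCP peer is not a trusted proxy, the header is ignored
    entirely and the peer address is used.
    """
    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in trusted)

    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if not is_trusted(hop):
            return hop
    return remote_addr


@dataclass
class Session:
    user: str
    bound_ip: str
    token: str  # server-issued per-request token, rotated on each accepted request


class SessionStore:
    """Constructed in-memory store: session id -> Session."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, bound_ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, bound_ip, secrets.token_urlsafe(32))
        return sid, self._sessions[sid].token

    def validate(self, sid, presented_token, remote_addr, headers):
        """Return (accepted, next_token).

        Rejects unknown sessions, requests whose proxy-vouched client address
        differs from the one bound at login, and stale tokens. A stale token
        means the same token was presented twice, so the session is dropped.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return False, None
        if client_ip_trusted(remote_addr, headers) != sess.bound_ip:
            return False, None
        if not hmac.compare_digest(sess.token, presented_token):
            del self._sessions[sid]
            return False, None
        sess.token = secrets.token_urlsafe(32)
        return True, sess.token


def demo():
    """Exercise the store with constructed addresses; returns the verdicts."""
    store = SessionStore()
    proxy, victim, other = "10.0.0.1", "203.0.113.5", "198.51.100.7"
    sid, tok = store.create("alice", client_ip_trusted(proxy, {"X-Forwarded-For": victim}))
    # Legitimate follow-up request through the proxy with the current token.
    ok_legit, tok2 = store.validate(sid, tok, proxy, {"X-Forwarded-For": victim})
    # Same session and token replayed from elsewhere with a forged header:
    # the peer is not a trusted proxy, so the header is ignored.
    ok_direct, _ = store.validate(sid, tok2, other, {"X-Forwarded-For": victim})
    # Replayed through our proxy, which appends the true connecting address;
    # the rightmost non-proxy hop wins, so the forged leftmost entry is ignored.
    ok_via_proxy, _ = store.validate(sid, tok2, proxy, {"X-Forwarded-For": f"{victim}, {other}"})
    # The already-consumed first token is rejected even from the right address.
    ok_stale, _ = store.validate(sid, tok, proxy, {"X-Forwarded-For": victim})
    return {"legit": ok_legit, "direct_forged": ok_direct,
            "via_proxy_forged": ok_via_proxy, "stale_token": ok_stale}


if __name__ == "__main__":
    print(demo())
```

The naive helper is kept only to make the contrast visible: for the replay from `198.51.100.7` it reports `203.0.113.5`, exactly the bound address, while the trusted-proxy helper reports the real peer. Address binding of this kind still forces a re-login whenever a legitimate user's address changes, which is the problem the thread subject raises, so it is a coarse signal rather than an authentication factor.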
Brought to you by http://www.webappsec.org