
Re: [WEB SECURITY] IP address change: relogin




Hello,

Absolutely. The SSL session ID trick outlined in my last email is a
lot more secure; however, an attacker could always install a simple
proxy on the victim's host, force the victim's browser to use that
proxy (a local man-in-the-middle attack)(Market Score), and the
attacker can then use that proxy so that the attack appears to come
from the same IP, cookie session, the same SSL session, and the same
TCP session. The attacker also has the added advantage of having a
proxy to bounce other attacks off of.

Unless one invalidates sessions when an IP address doesn't match the IP
address from when the cookie was set, you can only make it harder. Even
then, one should not invalidate the session from the cookie-setting IP
address, as an attacker could run an attack that causes all users to
have invalidated cookies.

If you do implement something like this, make sure you have all the use
cases accounted for. Session management is often a weakness that is
exploitable.

PS: Make sure you have a lot of entropy available for your SSL
module/device.

Regards,

-- 
Jason Muskat de VE3TSJ | GCFA, GCUX, CEI, CEH
________________________________________________
The TechDude
e. Jason@TechDude.Ca
m. 416 .414 .9934

http://TechDude.Ca/



On 31-Jul-08, at 3:13 AM, Martin O'Neal wrote:

>
>> Most proxies will include a "X-Forwarded-For"
>> header that contains the IP address of the
>> "real" requester that can be used to help manage
>> sessions.
>
> Real in the sense that an attacker can fake it, as opposed to another
> kind of real?  LOL
>
> Ok; simple example.  Your site has an exploitable XSS.  An attacker
> drops in a mobile code exploit that sends the precious session cookie to
> his evil harvester server.  Guess what is in the header of this request?
> Bingo! The X-Forwarded-For header.  The attacker simply rolls a new
> request to your server including both the session and the header.  Game
> over.
>
> Martin...
>
>
> ----------------------------------------------------------------------
> CONFIDENTIALITY:  This e-mail and any files transmitted with it are
> confidential and intended solely for the use of the recipient(s) only.
> Any review, retransmission, dissemination or other use of, or taking
> any action in reliance upon this information by persons or entities
> other than the intended recipient(s) is prohibited.  If you have
> received this e-mail in error please notify the sender immediately
> and destroy the material whether stored on a computer or otherwise.
> ----------------------------------------------------------------------
> DISCLAIMER:  Any views or opinions presented within this e-mail are
> solely those of the author and do not necessarily represent those
> of Corsaire Limited, unless otherwise specifically stated.
> ----------------------------------------------------------------------
> Corsaire Limited, head office: Unit 2 Grosvenor Court, Hipley Street,
> Old Woking, Surrey GU22 9LL. Telephone: +44 (0)1483-746700.
> Registered in England No. 3338312. Registered office: Portland House,
> Park Street, Bagshot, Surrey GU19 5PG.
>
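The two points made in this exchange, that X-Forwarded-For is attacker-written text and that an IP mismatch should force a re-login rather than destroy the session, as an added example that is not code from either message. The trusted proxy range, the addresses, the in-memory session store and the function names are all assumptions made for illustration:

```python
import ipaddress
import secrets

# Added example; the proxy range, addresses and session store are assumptions.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # our own reverse proxies


def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def naive_client_ip(remote_addr, xff):
    """The mistake Martin describes: believe the leftmost X-Forwarded-For
    entry. The attacker writes that header, so it says whatever he wants."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    return hops[0] if hops else remote_addr


def client_ip(remote_addr, xff):
    """Start from the TCP peer and walk X-Forwarded-For from the right,
    stepping over hops we know to be our own proxies. The first hop we did
    not add ourselves is the best answer; everything left of it is untrusted."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    candidate = remote_addr
    while hops and _is_trusted(candidate, TRUSTED_PROXIES):
        nxt = hops.pop()
        try:
            ipaddress.ip_address(nxt)
        except ValueError:
            break  # garbage hop: keep the last address we could verify
        candidate = nxt
    return candidate


class SessionStore:
    """Sessions bound to the client address seen at login. On a mismatch the
    session is downgraded to 'relogin', not destroyed: destroying it would let
    anyone who can make us observe a different IP log every user out."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": ip, "level": "full"}
        return sid

    def check(self, sid, ip):
        s = self._sessions.get(sid)
        if s is None:
            return "none"
        if s["ip"] != ip:
            s["level"] = "relogin"
        return s["level"]

    def relogin(self, sid, ip, password_ok):
        """Re-authenticate an existing session from its new address. The old
        session id is retired so a stolen cookie stops working."""
        s = self._sessions.pop(sid, None)
        if s is None or not password_ok:
            return None
        return self.login(s["user"], ip)


def replay_demo():
    """Victim logs in through our proxy; the attacker replays the stolen cookie
    from his own host while spoofing X-Forwarded-For. Constructed addresses."""
    victim, attacker, proxy = "203.0.113.5", "198.51.100.7", "10.0.0.1"
    out = {}
    # 1. Store keyed on the header value: the replay is accepted as the victim.
    naive = SessionStore()
    sid = naive.login("alice", naive_client_ip(proxy, victim))
    out["naive"] = naive.check(sid, naive_client_ip(proxy, f"{victim}, {attacker}"))
    # 2. Store keyed on the first untrusted hop: the replay is downgraded.
    strict = SessionStore()
    sid = strict.login("alice", client_ip(proxy, victim))
    out["strict"] = strict.check(sid, client_ip(proxy, f"{victim}, {attacker}"))
    # 3. The real user, now on a new address, re-logs in and continues under a
    #    fresh id; the id the attacker holds is gone.
    new_sid = strict.relogin(sid, "203.0.113.9", password_ok=True)
    out["after_relogin"] = strict.check(new_sid, "203.0.113.9")
    out["old_id"] = strict.check(sid, "203.0.113.9")
    return out
```

Note what this does not cover: the local proxy on the victim's host that Jason describes really does arrive from the victim's address, over the victim's TCP and SSL session, so no server-side address check can tell it apart. The check above is a hardening step against replay from elsewhere, which is as much as the thread claims for it.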





Brought to you by http://www.webappsec.org