[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] defense against session hijacking
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] defense against session hijacking
- From: Damian Gerow <damian@sentex.net>
- Date: Mon, 17 Nov 2003 17:44:24 -0500
Thus spake David Maynor (dave@0dayspray.com) [17/11/03 17:30]:
> This would break things like NATed machines and such.
Could you explain how, please?
If machine A gets NATed to firewall B, and webserver C gets the session...
It's going to record the address of firewall B, not machine A. I fail to
see how using the connection source's IP address would break NAT.* And I
don't know what you mean by 'and such'.
Not that I think basing your entire session security on the IP address is a
good idea -- proxies and such. Using it as *part* of your session security
(onions, people, onions) might work, depending on how a networks
round-robin'ed proxies are set up, if the session really *is* needed to be
carried cross-machine (I've done it before), or any other reason I haven't
thought of yet.
FWIW, (and I know how hated they are), SecurityFocus has a mailing list
specifically for web application security -- webappsec@securityfocus.com, I
believe.
- Damian
* = The only thing I could think of is session hijacking, if the source IP
is your only method of session security, by other machines behind the same
NATing gateway. This is possible. Again, onions.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html