[WEB SECURITY] tying sessions to IP addresses

Tom Stripling tstripling at securityps.com
Fri Jun 9 11:46:25 EDT 2006


One thing to consider is that the HttpOnly restriction can be bypassed
if the server has the TRACE method enabled, or at least it used to be
possible:

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

This paper is pretty old, though.  I played with it some recently and
current versions of IE and Firefox appeared to prevent the attack.  Has
anyone verified recently that this attack still works?  It certainly
continues to show up on scans as a vulnerability.


-----Original Message-----
From: Brian Eaton [mailto:eaton.lists at gmail.com] 
Sent: Friday, June 09, 2006 8:58 AM
To: Web Security
Subject: [WEB SECURITY] tying sessions to IP addresses

Does anyone have some experience with systems that defend against theft
of session cookies by verifying that the IP address that uses a session
is the same one that initiated the session?

These are the problems with the technique that I'm aware of.

- many clients can share a single IP address, e.g. a proxy.  (For
example: http://webmaster.info.aol.com/proxyinfo.html)

- a single client can change an IP address.  (For example:
http://vegan.net/lb/archive/08-2004/0109.html)

- a vulnerability that allows cookie theft can frequently be used for
attacks other than cookie theft, such as forcing the victim's browser to
perform some task directly.  (For example:
http://www.whitehatsec.com/presentations/phishing_superbait.pdf)

Am I leaving off any important limitations to the technique?  Are the
limitations I've listed significant problems?

If you're going to deal with the changing IP address problem, that
implies some management overhead to identify and eliminate false
positives where users are prematurely logged out because they happened
to switch IP addresses.  How much of a problem does this management
overhead cause?

It seems like the HttpOnly Microsoft set-cookie extension provides most
(though not all) of the same benefits as tying sessions to IP addresses,
while being significantly easier to implement and manage.
Any thoughts on that?

Regards.
Brian

----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
