[WEB SECURITY] tying sessions to IP addresses

Jeremiah Grossman jeremiah at whitehatsec.com
Mon Jun 12 11:53:11 EDT 2006


The XHR functionality for sending TRACE requests in recent versions
of Firefox/Mozilla has been disabled. Not certain about IE. In this
environment, the attack would not work.


On Jun 9, 2006, at 8:46 AM, Tom Stripling wrote:

> One thing to consider is that the HttpOnly restriction can be bypassed
> if the server has the TRACE method enabled, or at least it used to be
> possible:
>
> http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
>
> This paper is pretty old, though.  I played with it some recently and
> current versions of IE and Firefox appeared to prevent the attack.  Has
> anyone verified recently that this attack still works?  It certainly
> continues to show up on scans as a vulnerability.
>
>
> -----Original Message-----
> From: Brian Eaton [mailto:eaton.lists at gmail.com]
> Sent: Friday, June 09, 2006 8:58 AM
> To: Web Security
> Subject: [WEB SECURITY] tying sessions to IP addresses
>
> Does anyone have some experience with systems that defend against theft
> of session cookies by verifying that the IP address that uses a session
> is the same one that initiated the session?
>
> These are the problems with the technique that I'm aware of.
>
> - many clients can share a single IP address, e.g. a proxy.  (For
> example: http://webmaster.info.aol.com/proxyinfo.html)
>
> - a single client can change an IP address.  (For example:
> http://vegan.net/lb/archive/08-2004/0109.html)
>
> - a vulnerability that allows cookie theft can frequently be used for
> attacks other than cookie theft, such as forcing the victim's browser to
> perform some task directly.  (For example:
> http://www.whitehatsec.com/presentations/phishing_superbait.pdf)
>
> Am I leaving off any important limitations to the technique?  Are the
> limitations I've listed significant problems?
>
> If you're going to deal with the changing IP address problem, that
> implies some management overhead to identify and eliminate false
> positives where users are prematurely logged out because they happened
> to switch IP addresses.  How much of a problem does this management
> overhead cause?
>
> It seems like the HttpOnly Microsoft set-cookie extension provides most
> (though not all) of the same benefits as tying sessions to IP addresses,
> while being significantly easier to implement and manage.
> Any thoughts on that?
>
> Regards.
> Brian
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/

