RE: Session & IP Spoofing
From: Micheal Thompson (MThompson_at_brinkster.com)
Date: 12/03/03
- Previous message: pire pire: "Session & IP Spoofing"
- Maybe in reply to: pire pire: "Session & IP Spoofing"
- Next in thread: Scovetta, Michael V: "RE: Session & IP Spoofing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 3 Dec 2003 11:19:26 -0500 To: <pen-test@securityfocus.com>
You can spoof any IP. The question is do you want the return traffic.
-----Original Message-----
From: pire pire [mailto:pirepire69@romandie.com]
Sent: Tuesday, December 02, 2003 5:02 PM
To: pen-test@securityfocus.com
Subject: Session & IP Spoofing
Hi,
I've found a vulnerability in a Web App which
gave me via an XSS the sessionID token.
I would like to replay this token. But the
session ID manager (on the server) seems to look
also to IP adresses.
So my question is: Is there a way to spoof my ip
address in order to replay the sessionID??
Like:
http://www.tutu.com/toto.php?sessionid=32443243
and some how spoof of my IP?!
If I replay the sessionid from my machine or an
other machine behind my NAT (same outside IP) it
works!!
Thanks a lot for your help
_______________________________________________
La messagerie gratuite des romands : 10 MO !!!
Profitez-en ! >>> http://www.romandie.com
------------------------------------------------------------------------
--- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
- Previous message: pire pire: "Session & IP Spoofing"
- Maybe in reply to: pire pire: "Session & IP Spoofing"
- Next in thread: Scovetta, Michael V: "RE: Session & IP Spoofing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
