RE: Session & IP Spoofing

From: Scovetta, Michael V (
Date: 12/03/03

  • Next message: Stephen de Vries: "Re: Session & IP Spoofing"
    Date: Wed, 3 Dec 2003 11:43:02 -0500
    To: "pire pire" <>, <>

    You can use traditional IP-spoofing techniques to spoof
    the IP. If the server is on a local subnet/intranet, it
    becomes easier. The problem with spoofing the IP is that
    the server tries sending replies back to that address,
    so it's tough to get an interactive session going on
    through a spoofed IP.

    I also don't think this is a good practice for the site,
    since some ISPs (cough cough AOL cough cough) will sometimes
    give you multiple IPs on their end, so if you load up a page
    with 10 images, the page might see you come from 10 different
    IPs. Screwy, but it's out there. You also hit upon a good
    point, tying the session ID to IP is useless in a NAT-situation.

    Since you'll know the session id and the IP address of the
    "true" user, you can probably just craft a packet from their
    IP containing the payload and deliver it. You might have to
    rely on XSS to get the information back to you.

    It may be possible to do whatever you need within the XSS, and
    not even care about the session id. For instance, if, within
    the XSS, you open up a new window (same session id, same IP) on
    the client's side, to the same site, javascript-it-up to
    do whatever you want to do, and then transmit that data back to
    you, you should be able to accomplish almost anything. I believe
    IE lets you open up a hidden IFRAME (0 by 0 size) and do whatever
    you want with that. I use this technique for a "poor-man's RPC
    call" to a web server, so I assume it'll work in this case.

    Hope that helps--

    Michael Scovetta

    -----Original Message-----
    From: pire pire []
    Sent: Tuesday, December 02, 2003 5:02 PM
    Subject: Session & IP Spoofing


    I've found a vulnerability in a Web App which
    gave me via an XSS the sessionID token.

    I would like to replay this token. But the
    session ID manager (on the server) seems to look
    also at IP addresses.

    So my question is: Is there a way to spoof my ip
    address in order to replay the sessionID??

    and somehow spoof my IP?!

    If I replay the sessionid from my machine or
    another machine behind my NAT (same outside IP) it

    Thanks a lot for your help




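Added example, not part of the thread and not code from either poster: a toy Python session manager that binds each session ID to the IP seen at login (the check pire pire ran into), exercised against the three situations Scovetta describes: a replay from an unrelated IP, a replay from a second host behind the same NAT, and a legitimate user whose ISP rotates egress IPs within one page load. All addresses are from the RFC 5737 documentation ranges and all names are invented.

```python
# Added example (not from the thread): a toy session manager that binds each
# session ID to the IP address seen at login, exercised against the three
# situations discussed above. All addresses are from the RFC 5737
# documentation ranges and every name is invented.
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    bound_ip: str


class IpBoundSessionManager:
    """Accepts a session ID only when the request's source IP matches the
    IP recorded at login, the check the original poster ran into."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, client_ip):
        sid = secrets.token_hex(16)           # 128-bit random session ID
        self._sessions[sid] = Session(user, client_ip)
        return sid

    def authenticate(self, sid, client_ip):
        """Return the session's user, or None if the ID is unknown or the
        source IP differs from the one bound at login."""
        s = self._sessions.get(sid)
        if s is None or s.bound_ip != client_ip:
            return None
        return s.user


VICTIM_NAT_IP = "203.0.113.10"    # shared egress IP of the victim's NAT (assumed)
ATTACKER_IP = "198.51.100.7"      # attacker's own, unrelated address (assumed)
PROXY_POOL = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]  # AOL-style rotating proxies (assumed)


def replay_from_elsewhere():
    """Stolen ID replayed from the attacker's own IP: the IP check holds."""
    mgr = IpBoundSessionManager()
    sid = mgr.login("victim", VICTIM_NAT_IP)
    return mgr.authenticate(sid, ATTACKER_IP)


def replay_from_same_nat():
    """Stolen ID replayed by a host behind the same NAT: the server sees
    the same source IP and cannot tell the two machines apart."""
    mgr = IpBoundSessionManager()
    sid = mgr.login("victim", VICTIM_NAT_IP)
    return mgr.authenticate(sid, VICTIM_NAT_IP)


def legitimate_user_behind_rotating_proxies():
    """A legitimate user whose ISP spreads one page load across several
    egress IPs: every sub-request from a different IP is rejected."""
    mgr = IpBoundSessionManager()
    sid = mgr.login("alice", PROXY_POOL[0])
    # a page with three images, each fetched through a different proxy
    return [mgr.authenticate(sid, ip) for ip in PROXY_POOL]


if __name__ == "__main__":
    print("replay from attacker IP    ->", replay_from_elsewhere())
    print("replay from same NAT       ->", replay_from_same_nat())
    print("legit user, rotating proxy ->", legitimate_user_behind_rotating_proxies())
```

The first scenario is the only one the IP check actually stops; the second shows why the check gives no protection against anyone sharing the victim's NAT egress, and the third shows the false rejections Scovetta describes for ISPs that load one page through several proxy addresses.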
