RE: Session & IP Spoofing

From: Scovetta, Michael V (Michael.Scovetta_at_ca.com)
Date: 12/03/03

  • Next message: Stephen de Vries: "Re: Session & IP Spoofing"
    Date: Wed, 3 Dec 2003 11:43:02 -0500
    To: "pire pire" <pirepire69@romandie.com>, <pen-test@securityfocus.com>
    
    

    You can use traditional IP-spoofing techniques to spoof
    the IP. If the server is on a local subnet/intranet, it
    becomes easier. The problem with spoofing the IP is that
    the server tries sending replies back to that address,
    so it's tough to get an interactive session going on
    through a spoofed IP.

    I also don't think this is a good practice for the site,
    since some ISPs (cough cough AOL cough cough) will sometimes
    give you multiple IPs on their end, so if you load up a page
    with 10 images, the page might see you come from 10 different
    IPs. Screwy, but it's out there. You also hit upon a good
    point: tying the session ID to IP is useless in a NAT situation.

    Since you'll know the session id and the IP address of the
    "true" user, you can probably just craft a packet from their
    IP containing the payload and deliver it. You might have to
    rely on XSS to get the information back to you.

    It may be possible to do whatever you need within the XSS, and
    not even care about the session id. For instance, if, within
    the XSS, you open up a new window (same session id, same IP) on
    the client's side, to the same site, javascript-it-up to
    do whatever you want to do, and then transmit that data back to
    you, you should be able to accomplish almost anything. I believe
    IE lets you open up a hidden IFRAME (0 by 0 size) and do whatever
    you want with that. I use this technique for a "poor-man's RPC
    call" to a web server, so I assume it'll work in this case.

    Hope that helps--

    Michael Scovetta

    -----Original Message-----
    From: pire pire [mailto:pirepire69@romandie.com]
    Sent: Tuesday, December 02, 2003 5:02 PM
    To: pen-test@securityfocus.com
    Subject: Session & IP Spoofing

    Hi,

    I've found a vulnerability in a Web App which
    gave me the sessionID token via an XSS.

    I would like to replay this token. But the
    session ID manager (on the server) seems to
    also look at IP addresses.

    So my question is: Is there a way to spoof my ip
    address in order to replay the sessionID??

    Like:
    http://www.tutu.com/toto.php?sessionid=32443243
    and somehow spoof my IP?!

    If I replay the sessionid from my machine or
    another machine behind my NAT (same outside IP) it
    works!!

    Thanks a lot for your help
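
The reply's argument that binding a session ID to the client IP is a weak control can be checked with a small model. This is an added example, not code from the thread or from the site being tested; the store class, the request labels and the documentation-range IP addresses are constructed assumptions, and the session ID is the sample value from the question's URL.

```python
class IPBoundSessionStore:
    """Hypothetical store: a session ID is valid only from the IP seen at login."""

    def __init__(self):
        self._bound_ip = {}  # session_id -> client IP recorded at login

    def login(self, session_id, client_ip):
        self._bound_ip[session_id] = client_ip

    def check(self, session_id, client_ip):
        bound = self._bound_ip.get(session_id)
        if bound is None:
            return "reject:unknown-session"
        if bound != client_ip:
            return "reject:ip-mismatch"
        return "accept"


SID = "32443243"  # sample value from the question's URL
# Constructed requests: (label, source IP as the server sees it, legitimate?)
REQUESTS = [
    ("user, same address", "198.51.100.10", True),
    ("user, ISP rotated address", "198.51.100.11", True),
    ("replay behind same NAT", "198.51.100.10", False),
    ("replay from unrelated network", "203.0.113.7", False),
    ("script running in user's browser", "198.51.100.10", False),
]


def evaluate():
    """Return {label: (verdict, outcome)} for the IP-binding check alone."""
    store = IPBoundSessionStore()
    store.login(SID, "198.51.100.10")
    results = {}
    for label, ip, legitimate in REQUESTS:
        verdict = store.check(SID, ip)
        accepted = verdict == "accept"
        if accepted and not legitimate:
            outcome = "false accept"
        elif legitimate and not accepted:
            outcome = "false reject"
        else:
            outcome = "correct"
        results[label] = (verdict, outcome)
    return results


if __name__ == "__main__":
    for label, (verdict, outcome) in evaluate().items():
        print(f"{label:34} {verdict:20} {outcome}")
```

The check is only correct for the two cases where the source address happens to track the user; the rotating-address, shared-NAT and in-browser cases are exactly the ones the thread describes.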

