Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Session & IP Spoofing
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Wed, 3 Dec 2003 11:43:02 -0500

You can use traditional IP-spoofing techniques to spoof
the IP. If the server is on a local subnet/intranet, it 
becomes easier. The problem with spoofing the IP is that
the server tries sending replies back to that address,
so it's tough to get an interactive session going on
through a spoofed IP. 

I also don't think this is a good practice for the site,
since some ISPs (cough cough AOL cough cough) will sometimes
give you multiple IPs on their end, so if you load up a page
with 10 images, the page might see you come from 10 different
IPs. Screwy, but it's out there. You also hit upon a good
point, tying the session ID to IP is useless in a NAT-situation.

Since you'll know the session id and the IP address of the
"true" user, you can probably just craft a packet from their
IP containing the payload and deliver it. You might have to 
rely on XSS to get the information back to you.

It may be possible to do whatever you need within the XSS, and
not even care about the session id. For instance, if, within
the XSS, you open up a new window (same session id, same IP) on
the client's side, to the same site, javascript-it-up to 
do whatever you want to do, and then transmit that data back to
you, you should be able to accomplish almost anything. I believe
IE lets you open up a hidden IFRAME (0 by 0 size) and do whatever
you want with that. I use this technique for a "poor-man's RPC
call" to a web server, so I assume it'll work in this case.

Hope that helps--

Michael Scovetta



-----Original Message-----
From: pire pire [mailto:pirepire69 () romandie com]
Sent: Tuesday, December 02, 2003 5:02 PM
To: pen-test () securityfocus com
Subject: Session & IP Spoofing


Hi,

I've found a vulnerability in a Web App which 
gave me via an XSS the sessionID token.

I would like to replay this token. But the 
session ID manager (on the server) seems to look 
also to IP adresses. 

So my question is: Is there a way to spoof my ip 
address in order to replay the sessionID??

Like: 
http://www.tutu.com/toto.php?sessionid=32443243  
and some how spoof of my IP?!

If I replay the sessionid from my machine or an 
other machine behind my NAT (same outside IP) it 
works!! 

Thanks a lot for your help

_______________________________________________

La messagerie gratuite des romands : 10 MO !!!
Profitez-en ! >>> http://www.romandie.com

---------------------------------------------------------------------------
----------------------------------------------------------------------------



---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault