Home page logo

pen-test logo Penetration Testing mailing list archives

RE: RE: Session & IP Spoofing
From: "pire pire" <pirepire69 () romandie com>
Date: Thu, 4 Dec 2003 10:54:18 +0100

No I don't care about the return traffic! All I 
need is to sen I GET request with a spoofed IP!


GET /toto.php?sessionId=123456&transfer=1000
Host: www.toto.com

I just need to send this request to the server 
with the ip adress belonging to the sessionID 
I've got throuh my XSS!

So how do you do that?

Thanks for your help

You can spoof any IP. The question is do you 
want the return traffic. 

-----Original Message-----
 From: pire pire 
[mailto:pirepire69 () romandie com] 
Sent: Tuesday, December 02, 2003 5:02 PM
To: pen-test () securityfocus com
Subject: Session & IP Spoofing


I've found a vulnerability in a Web App which 
gave me via an XSS the sessionID token.

I would like to replay this token. But the 
session ID manager (on the server) seems to 
also to IP adresses. 

So my question is: Is there a way to spoof my 
address in order to replay the sessionID??

and some how spoof of my IP?!

If I replay the sessionid from my machine or an 
other machine behind my NAT (same outside IP) 

Thanks a lot for your help


La messagerie gratuite des romands : 10 MO !!!
Profitez-en ! >>> http://www.romandie.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]