
AW: AW: JRun: The Easiness of Session Fixation

From: Javor Evstatiev <Javor.Evstatiev(at)d-con.com>
Date: Sat Mar 01 2003 - 20:00:15 EST


Hej,

Agree on proxies. BTW, isn't it likely that they will send correct FORWARDED_FOR headers?

I do not fully agree on NAT. Why would someone change his src? Even if someone uses several outgoing src addrs, I doubt they will round-robin them; IMHO this would break lots of other apps (telnet? ftp? UDP-based games?).

If you have a good solution for MITM attacks against plain HTTP, I'd love to know about it.

Cheers,
j. braindead

-----Original Message-----
From: Alex Russell [mailto:alex@netWindows.org]
Sent: Friday, 28 February 2003 23:56
To: Javor Evstatiev; Christoph Schnidrig; webappsec@securityfocus.com
Subject: Re: AW: JRun: The Easiness of Session Fixation


On Saturday 01 March 2003 02:13 pm, Javor Evstatiev wrote:
> Hej,
>
> I save the incoming ip address when the session is created. On each


What about MITM? NAT?

Most AOL traffic comes from something like 6 IPs. And you're going to rely on that to determine whether or not a session is valid? You'll do much better with a session mechanism that isn't simply brain-dead.

-- 
Alex Russell
alex@netWindows.org
alex@SecurePipe.com

Received on Sat Mar 1 20:55:51 2003
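The thread argues about whether binding a session to the client's source IP is a useful defence against session fixation, and Alex points to the NAT/proxy problem (many users behind a handful of egress IPs). The following is an added example, not code from this thread or from JRun; it is a toy session store that assumes the server adopts a client-supplied session id it has never seen (the classic fixation precondition, which the thread's subject attributes to JRun), and it runs the fixation attack against three configurations: no mitigation, IP binding, and regenerating the session id at login. The addresses, the user names and the planted id are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None
    bound_ip: Optional[str] = None


class SessionStore:
    """Toy server-side session store (added example, not JRun's code).

    Assumption: an unknown client-supplied id is adopted as a new session,
    which is what makes fixation trivial. Two mitigations can be switched on:
    binding the session to the client IP, and regenerating the id at login.
    """

    def __init__(self, bind_ip: bool = False, regenerate_on_login: bool = False):
        self.sessions: Dict[str, Session] = {}
        self.bind_ip = bind_ip
        self.regenerate_on_login = regenerate_on_login

    def _new_id(self) -> str:
        return secrets.token_hex(16)

    def resolve(self, sid: Optional[str], client_ip: str) -> str:
        """Return the session id the client will use for this request."""
        if sid is not None:
            s = self.sessions.get(sid)
            if s is None:
                # Adopt the client-chosen id: the fixation-friendly behaviour.
                self.sessions[sid] = Session(bound_ip=client_ip)
                return sid
            if not self.bind_ip or s.bound_ip == client_ip:
                return sid
            # Bound IP does not match: refuse the id and issue a fresh one.
        sid = self._new_id()
        self.sessions[sid] = Session(bound_ip=client_ip)
        return sid

    def login(self, sid: str, user: str, client_ip: str) -> str:
        """Authenticate the session; returns the id the client holds afterwards."""
        s = self.sessions[sid]
        if self.regenerate_on_login:
            # Discard the pre-authentication id so a planted id stays worthless.
            del self.sessions[sid]
            sid = self._new_id()
            self.sessions[sid] = s
        s.user = user
        s.bound_ip = client_ip
        return sid

    def current_user(self, sid: str, client_ip: str) -> Optional[str]:
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.bind_ip and s.bound_ip != client_ip:
            return None
        return s.user


# Constructed sample addresses (RFC 5737 documentation ranges).
ATTACKER_IP = "203.0.113.5"
VICTIM_IP = "198.51.100.7"
SHARED_PROXY_IP = "192.0.2.10"  # one ISP proxy in front of attacker and victim


def fixation_attack(store: SessionStore, attacker_ip: str, victim_ip: str) -> Optional[str]:
    """Attacker plants an id, the victim logs in with it, the attacker replays it.

    Returns the user the attacker's replay is treated as; None means the attack failed.
    """
    planted = store.resolve("attacker-chosen-id", attacker_ip)
    victim_sid = store.resolve(planted, victim_ip)  # victim follows the rigged link
    store.login(victim_sid, "alice", victim_ip)
    return store.current_user(planted, attacker_ip)


def legit_user_changes_ip(store: SessionStore, first_ip: str, second_ip: str) -> Optional[str]:
    """A legitimate user logs in from one address and continues from another."""
    sid = store.login(store.resolve(None, first_ip), "bob", first_ip)
    return store.current_user(sid, second_ip)


def run_scenarios() -> Dict[str, Optional[str]]:
    return {
        "no mitigation": fixation_attack(SessionStore(), ATTACKER_IP, VICTIM_IP),
        "ip binding, distinct ips": fixation_attack(SessionStore(bind_ip=True), ATTACKER_IP, VICTIM_IP),
        "ip binding, shared proxy ip": fixation_attack(SessionStore(bind_ip=True), SHARED_PROXY_IP, SHARED_PROXY_IP),
        "ip binding, legit user changes ip": legit_user_changes_ip(SessionStore(bind_ip=True), VICTIM_IP, "198.51.100.8"),
        "regenerate id on login": fixation_attack(SessionStore(regenerate_on_login=True), ATTACKER_IP, VICTIM_IP),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:36s} -> {result!r}")
```

IP binding stops the attack only when attacker and victim arrive from different addresses; behind a shared proxy egress it does nothing, and a legitimate user whose address changes mid-session is thrown out. Regenerating the id at login defeats the planted id regardless of addresses, which is why it is the mitigation to reach for. If the "client IP" is taken from a forwarding header instead of the TCP peer address, the attacker can simply send whatever value he bound, so the header must only be trusted when it is set by your own proxy.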

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

