RE: How to protect against cookie stealing?

From: Dawes, Rogan (ZA - Johannesburg) <rdawes(at)deloitte.co.za>
Date: Fri Jul 25 2003 - 02:33:31 EDT


Hi Death, :-)

The reason that one can't simply link the IP address to the session is that there are ISPs, in particular AOL, that use cache arrays in a load balancing configuration. So a request that goes through one proxy could be followed by one that goes through a different one.

Plus the fact that all users behind a single proxy would be seen to have the same IP address.

A lot of people do not permit active content such as ActiveX objects, which would be the only way to get the MAC address from the client. Besides which, if the originating site can access this object through a script, so could the attacker through an XSS, and supply that information to the attacker at the same time as the sessionid.

I think this is the reason that nothing has been done about this problem:

  • If the attacker can't XSS the user, they can't get the sessionid (unless it is predictable, which is just stupid!), hence there is no problem.
  • If the attacker CAN XSS the user, then they can also get whatever other information that they need to impersonate the user, except for the IP address, which unfortunately, we can't rely on anyway, so we CAN'T do anything about the problem.

Rogan

> -----Original Message-----
> From: .:[ Death Star]:. [mailto:deathstar@optonline.net]
> Sent: 24 July 2003 07:14 PM
> To: 'Dawes, Rogan (ZA - Johannesburg)'; 'Phil Cox';
> webappsec@securityfocus.com
> Subject: RE: How to protect against cookie stealing?
>
>
> It is possible to associate each session ID with one IP address. In

Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") that must be accessed and read by clicking here or by copying and pasting the following address into your Internet browser's address bar: http://www.Deloitte.co.za/Disc.htm. The Disclaimer is deemed to form part of the content of this email in terms of Section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you cannot access the Disclaimer, please obtain a copy thereof from us by sending an email to ClientServiceCentre(at)Deloitte.co.za.

Received on Sun Jul 27 11:45:47 2003
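The cases Rogan walks through above (a subscriber whose requests leave an ISP cache array through different proxies, several users sharing one proxy address, and an XSS that ships every client-side value the site's own script can read along with the cookie), as an added example that is not part of the original message or of any product it mentions. The SessionStore class, the user names, the RFC 5737 documentation addresses and the MAC value are all constructed for this illustration.

```python
"""Added example for this thread (not code from the original message): a toy
session store that can pin each session to the client IP address and/or a
client-side fingerprint, exercised against constructed traffic that mirrors
the cases described in the message.  All addresses and names are made up."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    """One HTTP request as the server sees it (constructed sample data)."""
    src_ip: str                # TCP peer address: the proxy, if one is in the path
    session_id: Optional[str]  # value of the session cookie, if any
    fingerprint: str           # anything a page script can read and post back


class SessionStore:
    """Server-side sessions, optionally bound to the IP and/or fingerprint seen at login."""

    def __init__(self, bind_ip: bool = True, bind_fingerprint: bool = False):
        self.bind_ip = bind_ip
        self.bind_fingerprint = bind_fingerprint
        self._sessions = {}  # session_id -> {"user", "ip", "fp"}

    def login(self, user: str, req: Request) -> str:
        sid = secrets.token_hex(16)  # unpredictable, so guessing is off the table
        self._sessions[sid] = {"user": user, "ip": req.src_ip, "fp": req.fingerprint}
        return sid

    def authenticate(self, req: Request) -> Optional[str]:
        """Return the user name if the cookie is valid and every enabled binding matches."""
        s = self._sessions.get(req.session_id)
        if s is None:
            return None
        if self.bind_ip and s["ip"] != req.src_ip:
            return None
        if self.bind_fingerprint and s["fp"] != req.fingerprint:
            return None
        return s["user"]


# Hypothetical ISP cache array (RFC 5737 documentation addresses): successive
# requests from one subscriber leave through different proxies.
CACHE_ARRAY = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
OFFICE_PROXY = "203.0.113.5"   # one address shared by everyone behind it
ATTACKER_IP = "192.0.2.77"
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def legit_user_behind_cache_array(store: SessionStore):
    """Alice logs in via one proxy; her next three requests exit via rotating proxies."""
    sid = store.login("alice", Request(CACHE_ARRAY[0], None, UA))
    return [store.authenticate(Request(CACHE_ARRAY[i % len(CACHE_ARRAY)], sid, UA))
            for i in range(1, 4)]


def thief_behind_same_proxy(store: SessionStore):
    """Mallory sits behind the same office proxy as Alice and replays a stolen cookie."""
    sid = store.login("alice", Request(OFFICE_PROXY, None, UA))
    return store.authenticate(Request(OFFICE_PROXY, sid, UA))


def thief_from_elsewhere(store: SessionStore):
    """Same stolen cookie, replayed from an unrelated address."""
    sid = store.login("alice", Request(OFFICE_PROXY, None, UA))
    return store.authenticate(Request(ATTACKER_IP, sid, UA))


def thief_via_xss_with_fingerprint(store: SessionStore):
    """Binding to a client fingerprint (say, UA plus a MAC read by an ActiveX object):
    an injected script reads exactly what the site's own script reads, so the
    exfiltrated bundle carries the fingerprint along with the cookie."""
    fp = UA + "|00-0C-29-3E-1A-7F"  # constructed MAC value
    sid = store.login("alice", Request(CACHE_ARRAY[0], None, fp))
    exfiltrated = {"cookie": sid, "fp": fp}  # document.cookie + the same object, sent by the XSS
    return store.authenticate(Request(ATTACKER_IP, exfiltrated["cookie"], exfiltrated["fp"]))


def run_scenarios():
    """Outcome of each scenario under the binding policy named in its key."""
    return {
        "cache_array_ip_bound": legit_user_behind_cache_array(SessionStore(bind_ip=True)),
        "same_proxy_ip_bound": thief_behind_same_proxy(SessionStore(bind_ip=True)),
        "elsewhere_ip_bound": thief_from_elsewhere(SessionStore(bind_ip=True)),
        "xss_fp_bound": thief_via_xss_with_fingerprint(
            SessionStore(bind_ip=False, bind_fingerprint=True)),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Run stand-alone, the IP-bound store rejects two of Alice's three requests as soon as the cache array routes her through a different proxy, accepts Mallory's replay from behind the shared office proxy, and only rejects the replay from an unrelated address. The fingerprint-bound store accepts the XSS replay outright, because the fingerprint travelled to the attacker with the cookie; nothing the store can check was unavailable to the injected script.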


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT

