From: Scovetta, Michael V (Michael.Scovetta@ca.com)
Date: Wed Dec 03 2003 - 11:43:02 EST
You can use traditional IP-spoofing techniques to spoof
the IP. If the server is on a local subnet/intranet, it
becomes easier. The problem with spoofing the IP is that
the server tries sending replies back to that address,
so it's tough to get an interactive session going on
through a spoofed IP.
I also don't think this is a good practice for the site,
since some ISPs (cough cough AOL cough cough) will sometimes
give you multiple IPs on their end, so if you load up a page
with 10 images, the page might see you come from 10 different
IPs. Screwy, but it's out there. You also hit upon a good
point, tying the session ID to IP is useless in a NAT-situation.
Since you'll know the session id and the IP address of the
"true" user, you can probably just craft a packet from their
IP containing the payload and deliver it. You might have to
rely on XSS to get the information back to you.
It may be possible to do whatever you need within the XSS, and
not even care about the session id. For instance, if, within
the XSS, you open up a new window (same session id, same IP) on
the client's side, to the same site, javascript-it-up to
do whatever you want to do, and then transmit that data back to
you, you should be able to accomplish almost anything. I believe
IE lets you open up a hidden IFRAME (0 by 0 size) and do whatever
you want with that. I use this technique for a "poor-man's RPC
call" to a web server, so I assume it'll work in this case.
Hope that helps--
Michael Scovetta
-----Original Message-----
From: pire pire [mailto:pirepire69@romandie.com]
Sent: Tuesday, December 02, 2003 5:02 PM
To: pen-test@securityfocus.com
Subject: Session & IP Spoofing
Hi,
I've found a vulnerability in a Web App which
gave me via an XSS the sessionID token.
I would like to replay this token. But the
session ID manager (on the server) seems to look
also to IP adresses.
So my question is: Is there a way to spoof my ip
address in order to replay the sessionID??
Like:
http://www.tutu.com/toto.php?sessionid=32443243
and some how spoof of my IP?!
If I replay the sessionid from my machine or an
other machine behind my NAT (same outside IP) it
works!!
Thanks a lot for your help
_______________________________________________
La messagerie gratuite des romands : 10 MO !!!
Profitez-en ! >>> http://www.romandie.com
---------------------------------------------------------------------------
----------------------------------------------------------------------------
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT