Network Security Web-App-Sec

RE: state management by client IP address for Web App Sessions

Subject: RE: state management by client IP address for Web App Sessions
Date: Fri, 25 Feb 2005 16:50:46 -0600
Hey, thanks all for feedback. I clearly worded this wrong
in haste.

My concern is state management. I'm finishing a whitepaper
on state and session management and it just hit me that
the metrics I'm going on are a biased sample (US, Canadian,
and small European sample from specific Western countries).

I'm not concerned with percentage of same-source. Obviously
that's what rfc-reserved space + NAT results in.

I was curious how common user Abba from src 127.0.0.1 all of
a sudden switches to src 127.0.0.1, or even 128.0.0.1. There
are certain ISPs (AOL being the most guilty) that do this.

In the US, if you build a webapp that services a client population
coming from ISPs that do this, you absolutely cannot track/
validate/session handle based upon src IP.

I am presenting some of the results of this at Black Hat Europe
and some at OWASP 2005 in London, and thought that before I
speak like a provincial fool I should see if this phenomenon
holds true in other countries, particularly Asia, Eastern
Europe, and other emerging markets like South America.

Thanks for the feedback; any more related to IP src changes
(not many-to-one NAT) mid-session from different parts of the
world is appreciated.

Arian Evans
Sr. Security Engineer
FishNet Security

KC Office:  816.421.6611
Direct: 816.701.2045
Toll Free:  888.732.9406
Fax:  816.474.0394

http://www.fishnetsecurity.com
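The failure mode Arian describes, a legitimate user whose ISP rotates the visible source address mid-session, can be shown with a small simulation. The following is an added example, not code from the original post or from FishNet Security: the session store classes, the `replay` helper, the user name and the request sequence are all constructed here. The "before" store treats any source-IP mismatch as a hijack and destroys the session; the "after" store authenticates the session by its unguessable token only and records the IP change as a risk signal for logging, rate limiting or step-up authentication rather than as grounds for invalidation.

```python
"""Constructed demo: IP-bound session validation vs token-bound validation
with IP change recorded as a signal. Not the original poster's code."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    ip: str                  # source IP observed at login
    ip_changes: int = 0      # number of distinct new source IPs seen mid-session
    seen_ips: list = field(default_factory=list)


class IpBoundSessionStore:
    """'Before': login IP must match every request IP, else the session dies."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, ip):
        # Session identifier is a 256-bit random token; that alone is what
        # makes the session unguessable, with or without the IP check.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user=user, ip=ip, seen_ips=[ip])
        return sid

    def validate(self, sid, ip):
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if sess.ip != ip:
            # Hard invalidation: a user behind a rotating-proxy ISP is
            # logged out here even though nothing was hijacked.
            del self.sessions[sid]
            return None
        return sess.user


class TokenBoundSessionStore(IpBoundSessionStore):
    """'After': the token authenticates the session; a new source IP is
    counted as a risk signal but does not by itself end the session."""

    def validate(self, sid, ip):
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if ip not in sess.seen_ips:
            sess.ip_changes += 1
            sess.seen_ips.append(ip)
        return sess.user


def replay(store_cls, requests):
    """Log in as the first request's user/IP, then validate every request.
    Returns (requests authenticated, ip_changes recorded or None if the
    session was destroyed)."""
    store = store_cls()
    user, first_ip = requests[0]
    sid = store.login(user, first_ip)
    authenticated = 0
    for _, ip in requests:
        if store.validate(sid, ip) == user:
            authenticated += 1
    sess = store.sessions.get(sid)
    return authenticated, (sess.ip_changes if sess else None)


# Constructed traffic for one user whose ISP changes the visible source
# address mid-session, using the two addresses quoted in the message.
ROTATING_USER = [
    ("abba", "127.0.0.1"),
    ("abba", "127.0.0.1"),
    ("abba", "128.0.0.1"),   # proxy pool rotation
    ("abba", "127.0.0.1"),
    ("abba", "128.0.0.1"),
]

if __name__ == "__main__":
    # IP-bound: 2 of 5 requests served, session destroyed at the first change.
    print("ip-bound   :", replay(IpBoundSessionStore, ROTATING_USER))
    # Token-bound: all 5 served, one distinct IP change recorded.
    print("token-bound:", replay(TokenBoundSessionStore, ROTATING_USER))
```

The `ip_changes` counter is the useful output of the second store: it is what you feed to fraud scoring or to a step-up prompt, and its rate across a user population is exactly the metric the message is asking about. Whether a given threshold is tolerable depends on the ISP mix of your users, which is why the poster cannot generalize from a North American sample.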
