session hijacking and tying session to IP address with filter
What does everyone think of the idea of noting the IP address in the session so that session hijackers identified if they try to steal a session that has a different IP address from their own? Are there any drawbacks to this method? Nobody can spoof an IP address and still get back the response, can they? Thanks Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session hijacking and tying session to IP address with filter
Adam, What does everyone think of the idea of noting the IP address in the session so that session hijackers identified if they try to steal a session that has a different IP address from their own? Are there any drawbacks to this method? Nobody can spoof an IP address and still get back the response, can they? I know of at least one group that will get screwed: AOL users. (spare the jokes :) No, really. I'm not sure if this is still the case, but I was working for a client that had a separate box running their application without a BigIP in front of it, simply because of their AOL users. It seems that AOL playss games with their gateways and NAT configuration so that the same user can click around the web and appear to have a different source IP for every request. It's total madness and apparently BigIP couldn't make any sense of it, at least with the version they were using. This could be a major drawback. What you might want to do is create a security log and simply log when the IP address changes for a session. You might find that either AOL no longer does this, or you have no AOL customers using your site. On the other hand, you can always do retrospective security audits. -chris - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session hijacking and tying session to IP address with filter
I think they can and you'll break AOL users. AOL and other large entities sometimes employ megaproxies where the user might appear to be coming from different ip addresses. The guaranteed way to prevent session hijacking is by using ssl. (And making sure your site is not victim to css attacks) -Tim Adam Hardy wrote: What does everyone think of the idea of noting the IP address in the session so that session hijackers identified if they try to steal a session that has a different IP address from their own? Are there any drawbacks to this method? Nobody can spoof an IP address and still get back the response, can they? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session hijacking and tying session to IP address with filter
On 10/28/2003 12:06 PM Tim Funk wrote: I think they can and you'll break AOL users. AOL and other large entities sometimes employ megaproxies where the user might appear to be coming from different ip addresses. OK I guess if I write a filter to reject requests where the IP address doesn't match the one in the session, then I can always make an exception for AOL browsers - assuming I can identify them from the browser user-agent or the IP address range. As Christopher says I guess I can do security reviews at regular intervals to see if it's a problem. The guaranteed way to prevent session hijacking is by using ssl. (And making sure your site is not victim to css attacks) I can't see using SSL for whole session being acceptable - perhaps generally the public usage will go this way, but at the moment that would just be giving fuel to some web-site reviewer to criticise my site for being over-anal about security. Plus it actually would be anal - I don't need to protect from session hijacking so badly that I encrypt the whole lot. Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session hijacking and tying session to IP address with filter
On 10/28/2003 12:06 PM Tim Funk wrote: I think they can and you'll break AOL users. AOL and other large entities sometimes employ megaproxies where the user might appear to be coming from different ip addresses. The guaranteed way to prevent session hijacking is by using ssl. (And making sure your site is not victim to css attacks) BTW, what are css attacks? -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session hijacking and tying session to IP address with filter
On Tue, Oct 28, 2003 at 13:23:43 +0100, Adam Hardy wrote: On 10/28/2003 12:06 PM Tim Funk wrote: I think they can and you'll break AOL users. AOL and other large entities sometimes employ megaproxies where the user might appear to be coming from different ip addresses. The guaranteed way to prevent session hijacking is by using ssl. (And making sure your site is not victim to css attacks) BTW, what are css attacks? Cross-site scripting attack. If an attacker can put text into your application which are echoed back verbatim within the HTML source for different users, the attacker can insert javascript code to steal the cookies and other malicious things, which will be executed by the victim when the page is rendered in his/her browser. To avoid such attacks, you should for example make sure you HTML encode data you send (i.e. change and to lt; and gt; etc) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session hijacking and tying session to IP address with filter
IIRC, AOL users can use any web browser. -Tim Adam Hardy wrote: OK I guess if I write a filter to reject requests where the IP address doesn't match the one in the session, then I can always make an exception for AOL browsers - assuming I can identify them from the browser user-agent or the IP address range. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session hijacking and tying session to IP address with filter
On 10/28/2003 01:30 PM Frode E. Moe wrote: On Tue, Oct 28, 2003 at 13:23:43 +0100, Adam Hardy wrote: BTW, what are css attacks? Cross-site scripting attack. If an attacker can put text into your application which are echoed back verbatim within the HTML source for different users, the attacker can insert javascript code to steal the cookies and other malicious things, which will be executed by the victim when the page is rendered in his/her browser. To avoid such attacks, you should for example make sure you HTML encode data you send (i.e. change and to lt; and gt; etc) Ah, ok. Thought it might be something to do with style sheets. Thanks. Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: session hijacking and tying session to IP address with filter
Hi Adam, Tying sessions to a particular IP address would be bad for more than just AOL users. It is very common in corporations and organisations to have multiple proxy servers/virus scanners through which client HTTP requests are 'round-robbined' or load-balanced. Each HTTP request will thus appear to come from a different IP address. This is perfectly valid in HTTP since it is a stateless protocol, however time and time again I come across sites which try to impose an aritificial 'session' connection between HTTP requests and their source IP addresses, breaking access for many users. And I actually find it a bit disturbing that in this day and age of somebody would be called anal about security for simply implementing their website via SSL :-) - I would consider this to be a minimum requirement and only the first step for any website remotely interested in security. Regards, Morgan -Original Message- From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 28, 2003 13:23 To: Tomcat Users List Subject: Re: session hijacking and tying session to IP address with filter On 10/28/2003 12:06 PM Tim Funk wrote: I think they can and you'll break AOL users. AOL and other large entities sometimes employ megaproxies where the user might appear to be coming from different ip addresses. OK I guess if I write a filter to reject requests where the IP address doesn't match the one in the session, then I can always make an exception for AOL browsers - assuming I can identify them from the browser user-agent or the IP address range. As Christopher says I guess I can do security reviews at regular intervals to see if it's a problem. The guaranteed way to prevent session hijacking is by using ssl. (And making sure your site is not victim to css attacks) I can't see using SSL for whole session being acceptable - perhaps generally the public usage will go this way, but at the moment that would just be giving fuel to some web-site reviewer to criticise my site for being over-anal about security. Plus it actually would be anal - I don't need to protect from session hijacking so badly that I encrypt the whole lot. Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session hijacking and tying session to IP address with filter
On 10/28/2003 01:49 PM Morgan Pyne wrote: And I actually find it a bit disturbing that in this day and age of somebody would be called anal about security for simply implementing their website via SSL :-) - I would consider this to be a minimum requirement and only the first step for any website remotely interested in security. I wouldn't say just simply implementing their website via SSL - there are costs involved, both tangible in terms of server CPU and intangible in terms of the whole impression the website gives, as I mentioned earlier. A website company, i.e. me, has only a finite amount of resources to spread around the various areas. Security is obviously right up there, but session-hijacking pales into the background compared with other attacks the website or the server might come under. Maybe the comment about being anal was misplaced for others who have someone else to worry about the server security, but I've got to invest time and effort into firewalls, backups, databases, realms etc etc too. Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]