Session & IP Spoofing

From: pire pire (pirepire69@romandie.com)
Date: Tue Dec 02 2003 - 17:01:33 EST

• Next message: Micheal Thompson: "RE: Session & IP Spoofing"
• Previous message: Ivan Arce: "Re: Reporting aspect of pen-testing"
• Next in thread: Micheal Thompson: "RE: Session & IP Spoofing"
• Maybe reply: Micheal Thompson: "RE: Session & IP Spoofing"
• Maybe reply: Scovetta, Michael V: "RE: Session & IP Spoofing"
• Reply: Stephen de Vries: "Re: Session & IP Spoofing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

I've found a vulnerability in a Web App which
gave me via an XSS the sessionID token.

I would like to replay this token. But the
session ID manager (on the server) seems to look
also to IP adresses.

So my question is: Is there a way to spoof my ip
address in order to replay the sessionID??

Like:
http://www.tutu.com/toto.php?sessionid=32443243
and some how spoof of my IP?!

If I replay the sessionid from my machine or an
other machine behind my NAT (same outside IP) it
works!!

Thanks a lot for your help

_______________________________________________

La messagerie gratuite des romands : 10 MO !!!
Profitez-en ! >>> http://www.romandie.com

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Micheal Thompson: "RE: Session & IP Spoofing"
• Previous message: Ivan Arce: "Re: Reporting aspect of pen-testing"
• Next in thread: Micheal Thompson: "RE: Session & IP Spoofing"
• Maybe reply: Micheal Thompson: "RE: Session & IP Spoofing"
• Maybe reply: Scovetta, Michael V: "RE: Session & IP Spoofing"
• Reply: Stephen de Vries: "Re: Session & IP Spoofing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT