[nycphp-talk] NEW PHundamentals Question

Dan Cech dcech at phpwerx.net
Tue Feb 10 07:02:01 EST 2004


Yeah, it was me who (incorrectly) mentioned CSRF; what I meant was that 
IP address checking helps to avoid the most common session hijacking 
attacks, and also (if session IDs are being passed in URLs) sessions 
being unwittingly exposed by users.

Chris mentioned that it is inconvenient for users. I understand that IP 
address checking would be wildly inconvenient for dialup users, etc. on a 
long-term basis, but I can't think of anyone whose IP address would 
regularly change during a session.

The porn attacks on captchas are definitely inventive and no doubt very 
effective, harnessing the power of 15-year-olds everywhere... I love it. 
Jon has a good point about not actually requiring a response to do 
damage. The mechanism to generate the captchas had better be efficient, 
or you're opening yourself up to a DoS attack from anyone who can flood 
the form with GET requests...

Dan

jon baer wrote:
>>4. IP address. See 3.
>>
>>Also, I saw a comment about IP address checking and how it helps to
> 
> 
> excellent points ... on a small note a group of us actually 'bombed' a
> database example once on a friend who asked me to review some of his work,
> the tool of choice was nemesis by jeff nathan
> (http://nemesis.sourceforge.net/), he had designed a simple php web tool
> relying on IP addresses, the point I tried to make w/ tools like
> winpcap/nemesis was the fact that you could forge the request all the way
> down to the MAC level so he was looking @ 100,000+ entries seeming to come
> from a single IP w/ different MACs filled w/ junk ... a point being that you
> don't really need a response in order to do damage ... (granted we knew the
> IP) ... was just to show that the IP is not the win-all solution either.
> 
> - jon
> 
> 
> 
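For reference, here is what the IP-address session check Dan describes looks like in PHP. This is an added example, not code from this thread or from the tool Jon reviewed; it assumes a stock PHP install with the default file-based session handler, and the function names (client_fingerprint, start_bound_session) and the /login.php redirect target are placeholders.

```php
<?php
// Added example (not from the thread): bind a PHP session to the client's
// IP address and User-Agent at creation, and reject later requests where
// they no longer match. Assumes the default session handler.

declare(strict_types=1);

// Keep session IDs out of URLs so they are not leaked via Referer headers
// or copied links (the "unwittingly exposed" case mentioned in the thread).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

/**
 * Fingerprint of the client used to detect a hijacked session.
 *
 * REMOTE_ADDR is set by the web server from the TCP peer address. Do not
 * substitute X-Forwarded-For here unless it was set by your own trusted
 * proxy: that header is chosen by the client.
 */
function client_fingerprint(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    // Hash so the raw address is not written into the session file.
    return hash('sha256', $ip . '|' . $ua);
}

/**
 * Start (or resume) the session and verify it belongs to this client.
 * Returns true when the session is valid, false when it was destroyed
 * because the fingerprint no longer matches.
 */
function start_bound_session(array $server): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $fp = client_fingerprint($server);

    if (!isset($_SESSION['fp'])) {
        // Fresh session: bind it now, and rotate the ID so a session ID
        // fixed by an attacker before login is not kept.
        session_regenerate_id(true);
        $_SESSION['fp'] = $fp;
        return true;
    }

    if (!hash_equals($_SESSION['fp'], $fp)) {
        // Mismatch: either a stolen session ID presented from another
        // address, or a legitimate user whose IP moved (dialup, proxy
        // pools). Drop the session and force re-authentication rather
        // than guessing which it was.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Usage at the top of a protected page (hypothetical login URL):
if (!start_bound_session($_SERVER)) {
    header('Location: /login.php', true, 303);
    exit;
}
echo 'Session OK';
```

Two caveats that follow from the thread. First, the mismatch branch is exactly the case Chris raised: a user whose address changes mid-session gets logged out, so the check is a trade-off, not free. Second, this only stops reuse of a stolen session ID from a different address; it says nothing about requests that need no reply, which is Jon's point. Anything that writes to a database or generates a captcha still has to be cheap or rate-limited on its own.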