[nycphp-talk] NEW PHundamentals Question
Dan Cech
dcech at phpwerx.net
Tue Feb 10 07:02:01 EST 2004
Yeah, it was me who (incorrectly) mentioned CSRF, what I meant was that
IP address checking helps to avoid the most common session hijacking
attacks, and also (if session IDs are being passed in urls) sessions
being unwittingly exposed by users.
Chris mentioned that it is inconvenient for users. I understand that IP
address checking would be wildly inconvenient for dialup users, etc., on a
long-term basis, but I can't think of anyone whose IP address would
regularly change during a session.
The porn attacks on captchas are definitely inventive and no doubt very
effective, harnessing the power of 15-year-olds everywhere... I love it.
Jon has a good point about not actually requiring a response to do
damage. The mechanism to generate the captchas had better be efficient,
or you're opening yourself up to a DoS attack from anyone who can flood
the form with GET requests...
Dan
jon baer wrote:
>>4. IP address. See 3.
>>
>>Also, I saw a comment about IP address checking and how it helps to
>
>
> excellent points ... on a small note, a group of us actually 'bombed' a
> database example once on a friend who asked me to review some of his work.
> the tool of choice was Nemesis by Jeff Nathan
> (http://nemesis.sourceforge.net/). he had designed a simple php web tool
> relying on IP addresses; the point I tried to make w/ tools like
> winpcap/nemesis was the fact that you could forge the request all the way
> down to the MAC level, so he was looking @ 100,000+ entries seeming to come
> from a single IP w/ different MACs filled w/ junk ... a point being that you
> don't really need a response in order to do damage ... (granted we knew the
> IP) ... was just to show that the IP is not the win-all solution either.
>
> - jon
>
>
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
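As an added illustration of the IP-address check Dan describes (this is example code written for this page, not code from the thread or from any poster), the following PHP binds a session to the address it was started from and refuses a request that presents the same session ID from a different address. It assumes PHP is reached directly, so that `$_SERVER['REMOTE_ADDR']` is the client's own address, and it keeps the session ID in a cookie rather than in URLs, which is the "unwittingly exposed" case mentioned above.

```php
<?php
// Added example: bind a PHP session to the client IP address and reject a
// request whose address differs from the one the session was created under.
// Illustrative code only; it is not from the original mailing-list thread.
// Assumptions: no reverse proxy in front of PHP (REMOTE_ADDR is the real
// client), and session IDs travel only in cookies.

ini_set('session.use_only_cookies', '1'); // never accept or emit the ID in a URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
session_start();

$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';

if (!isset($_SESSION['bound_ip'])) {
    // First request of a fresh session: issue a new ID (defeats fixation)
    // and remember the address the session was established from.
    session_regenerate_id(true);
    $_SESSION['bound_ip'] = $clientIp;
} elseif (!hash_equals($_SESSION['bound_ip'], $clientIp)) {
    // The ID arrived from a different address: either a hijacked session or a
    // legitimate user whose address changed mid-session. Either way, do not
    // trust it; discard the session and make the user authenticate again.
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session rejected: client address changed.');
}

// Application code below runs with a session that is bound to $clientIp.
```

Two caveats follow directly from the discussion above. First, the check only helps when the session ID is the thing an attacker has stolen; if the attacker can also send traffic from the victim's address (or, as Jon's Nemesis experiment shows, forge packets that appear to), the address adds nothing. Second, if the application sits behind a reverse proxy, `REMOTE_ADDR` is the proxy's address for every client, so the comparison always succeeds and the check silently becomes a no-op; in that deployment the real client address has to come from a header the proxy sets, and only from a proxy you trust not to pass a client-supplied value through.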