Question re session hijacking in dual stack environments w/MacOS

Laszlo Hanyecz laszlo at heliacal.net
Tue Sep 29 00:41:23 UTC 2015


On 2015-09-27 12:24, John Schimmel wrote:
> Most Web application firewalls have cross-site request forgery protection.
> When a form is downloaded, the firewall inserts a hidden field or cookie
> that contains the IP address of the request.  When the form is submitted,
> the firewall then verifies that the post is sent from the same address.

This reminds me of ICMP blocking which breaks path MTU discovery and 
thus blocks all users with < 1500 MTU.

The technique described here doesn't sound like it would protect from 
XSS or CSRF; it would just introduce seemingly random failures like the 
OP described.  The idea with trying to tie the apparent network address 
to a session is to make session hijacking harder, not local scripting 
attacks (which could come from the same address anyway), but it's a bad 
idea regardless because there is not normally a reason for a session to 
be 'sticky' in this way and so there's no effort made to keep the same 
address, it just happens by accident sometimes.  Making this work so the 
WAF can be happy is in conflict with actually useful things like load 
balancing, cache proxies, privacy addresses, etc.  It probably works 
some percentage of the time for some users, and those who it doesn't 
work for just get blamed for having a bad 
browser/computer/ISP/whatever.  I hope that as the failure rate 
increases, people using these solutions eventually realize that they're 
blocking themselves off from the net.

-Laszlo
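As an added illustration (not code from the thread or from any WAF product), the sketch below implements the IP-bound hidden field John describes beside a per-session synchronizer token, and runs both through the dual-stack case from the subject line: the same browser fetches the form over IPv4 and submits it over IPv6. All names, keys and addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; a real deployment would load it from config.
SERVER_KEY = secrets.token_bytes(32)


def ip_bound_field(client_ip: str) -> str:
    """Hidden field as described in the thread: derived from the requesting IP."""
    return hmac.new(SERVER_KEY, client_ip.encode(), hashlib.sha256).hexdigest()


def verify_ip_bound(field: str, client_ip: str) -> bool:
    """WAF-style check: the submitting address must match the one that got the form."""
    return hmac.compare_digest(field, ip_bound_field(client_ip))


def session_token(session_id: str) -> str:
    """Synchronizer token bound to the session cookie, independent of network address."""
    msg = b"csrf:" + session_id.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_session_token(field: str, session_id: str) -> bool:
    """Accepts only a token minted for this session; address changes do not matter."""
    return hmac.compare_digest(field, session_token(session_id))


def simulate_dual_stack(form_ip: str, submit_ip: str, session_id: str) -> dict:
    """Fetch the form from one address and submit from another, same browser/session."""
    hidden_ip = ip_bound_field(form_ip)      # what the WAF would inject
    hidden_tok = session_token(session_id)   # what a session-bound scheme would inject
    return {
        "ip_bound_accepts": verify_ip_bound(hidden_ip, submit_ip),
        "session_token_accepts": verify_session_token(hidden_tok, session_id),
    }


if __name__ == "__main__":
    # Constructed addresses from documentation ranges.
    print(simulate_dual_stack("192.0.2.10", "2001:db8::10", "sess-example"))
```

The IP-bound field rejects the legitimate dual-stack submission while the session-bound token accepts it, and a token minted for a different session is still refused.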

More information about the NANOG mailing list