rklists at gmail.com
Sun Feb 27 16:44:01 EST 2011
Hi all, I'm playing around with the File Based Authentication in ESAPI and I
seem to run into a problem and I'm wondering if others have the same issue.
I'm testing with a simple app running on localhost, and for whatever reason
the authenticator seems to sometimes use an ipv6 loopback address (::1) and
at other times it uses an ipv4 loopback address (127.0.0.1). I think there's
a string .equals() check to see if the IP address changes for a user within
a session. For example, if I first log in to the app using my browser, and I
then try to log in afterwards when proxying through Burpsuite I get the
02-27 16:32:44 [INFO] [ExampleApplication:Authenticator] - [SECURITY SUCCESS Anonymous:null at unknown -> 127.0.0.1:8443/ExampleApplication/Authenticator] Password verified for test
02-27 16:32:44 [INFO] [ExampleApplication:DefaultUser] - [SECURITY SUCCESS test:759065 at 0:0:0:0:0:0:0:1 -> 127.0.0.1:8443/ExampleApplication/DefaultUser] Set last successful login time to Sun Feb 27 16:32:44 EST 2011 for test
02-27 16:32:44 [WARN] [ExampleApplication:IntrusionDetector] - [SECURITY FAILURE test:759065 at 0:0:0:0:0:0:0:1 -> 127.0.0.1:8443/ExampleApplication/IntrusionDetector] User session just jumped from 0:0:0:0:0:0:0:1 to 127.0.0.1
org.owasp.esapi.errors.AuthenticationHostException: Host change
I'm using ESAPI-2.0-RC7-b-Early-Release.jar on Windows 7 with Firefox 3.6.
I thought about filing a bug but figured I'd ask if this was simply a
problem with configuration, an expected response, or a legitimate bug.
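The host-change check described in the post, as an added example that is not ESAPI's own code: a plain String.equals() comparison flags the IPv6 and IPv4 loopback literals as a session jump, while a check that parses both literals and treats every loopback address as the same host does not. The class and method names are assumptions for illustration; the inputs are assumed to be the IP literals a servlet container returns from getRemoteAddr(), and collapsing loopback addresses is intended for local testing.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

/** Added example (not ESAPI code): two ways of detecting a host change within a session. */
public class SessionHostCheck {

    /** Naive check: any textual difference between the two literals counts as a host change. */
    public static boolean naiveHostChanged(String sessionAddr, String requestAddr) {
        return !sessionAddr.equals(requestAddr);
    }

    /**
     * Normalising check: parse both literals (no DNS lookup happens for IP literals),
     * treat every loopback address as the same machine, and otherwise compare the parsed
     * addresses, so "::1" and "0:0:0:0:0:0:0:1" also compare equal. An unparseable literal
     * is reported as a change so that bad input never silently passes.
     */
    public static boolean hostChanged(String sessionAddr, String requestAddr) {
        try {
            InetAddress a = InetAddress.getByName(sessionAddr);
            InetAddress b = InetAddress.getByName(requestAddr);
            if (a.isLoopbackAddress() && b.isLoopbackAddress()) {
                return false; // ::1 and 127.0.0.1 are both "this machine"
            }
            return !a.equals(b);
        } catch (UnknownHostException e) {
            return true; // fail closed on input that is not an IP literal
        }
    }

    public static void main(String[] args) {
        // Constructed sample pairs; the first one is the case from the log in the post.
        String[][] pairs = {
            {"0:0:0:0:0:0:0:1", "127.0.0.1"},   // IPv6 loopback, then IPv4 loopback
            {"::1", "0:0:0:0:0:0:0:1"},         // same IPv6 address, two spellings
            {"127.0.0.1", "192.0.2.10"},        // a genuine host change (documentation range)
        };
        for (String[] p : pairs) {
            System.out.println(p[0] + " -> " + p[1]
                + "  naive=" + naiveHostChanged(p[0], p[1])
                + "  normalised=" + hostChanged(p[0], p[1]));
        }
    }
}
```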