[Esapi-user] AuthenticationHostException

Jim Manico jim.manico at owasp.org
Sun Feb 27 17:28:09 EST 2011


Rohit,

No, this is just problematic code. If you have a fix, care to toss us a
patch? Also, please consider the latest rc10.

Thanks for pointing this out,
Jim

> Hi all, I'm playing around with the File Based Authentication in ESAPI and I
> seem to run into a problem and I'm wondering if others have the same issue.
> I'm testing with a simple app running on localhost, and for whatever reason
> the authenticator seems to sometimes use an ipv6 loopback address (::1) and
> at other times it uses an ipv4 loopback address (127.0.0.1). I think there's
> a string .equals() check to see if the IP address changes for a user within
> a session. For example, if I first log in to the app using my browser, and I
> then try to log in afterwards when proxying through Burpsuite I get the
> following:
> 
> 02-27 16:32:44 [INFO] [ExampleApplication:Authenticator] - [SECURITY SUCCESS
> Anonymous:null at unknown -> 127.0.0.1:8443/ExampleApplication/Authenticator]
> Password verified for test
> 02-27 16:32:44 [INFO] [ExampleApplication:DefaultUser] - [SECURITY SUCCESS
> test:759065 at 0:0:0:0:0:0:0:1 -> 127.0.0.1:8443/ExampleApplication/DefaultUser]
> Set last successful login time to Sun Feb 27 16:32:44 EST 2011 for test
> 02-27 16:32:44 [WARN] [ExampleApplication:IntrusionDetector] - [SECURITY
> FAILURE test:759065 at 0:0:0:0:0:0:0:1 ->
> 127.0.0.1:8443/ExampleApplication/IntrusionDetector] User session just
> jumped from 0:0:0:0:0:0:0:1 to 127.0.0.1
> org.owasp.esapi.errors.AuthenticationHostException: Host change
>     at
> org.owasp.esapi.reference.DefaultUser.setLastHostAddress(DefaultUser.java:524)
> 
> I'm using ESAPI-2.0-RC7-b-Early-Release.jar on Windows 7 with Firefox 3.6.
> 
> I thought about filing a bug but figured I'd ask if this was simply a
> problem with configuration, an expected response, or a legitimate bug.
> 
> Thanks,
> 
> 
> 
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
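The failure described above comes from comparing the client address as a raw string, so a dual-stack localhost that is reported as `0:0:0:0:0:0:0:1` on one request and `127.0.0.1` on the next trips the host-change check. The following is an added example, not ESAPI code and not code from either poster, written in Python rather than ESAPI's Java so it can be run directly; the function names, the `treat_loopbacks_as_same` policy knob and the sample address sequence are all constructed for illustration. It contrasts the raw-string comparison with a check that canonicalises both addresses first (so the two spellings of the IPv6 loopback and an IPv4-mapped `::ffff:127.0.0.1` collapse) and that only collapses `::1` with `127.0.0.1` when that is an explicit policy decision, so a jump from loopback to a routable address is still reported:

```python
"""
Added example (hypothetical code, not part of ESAPI): per-session host-change
detection compared as a raw string versus after canonicalisation.
"""
from typing import Callable, List, Optional, Tuple
import ipaddress

# Constructed sample: addresses a servlet container might report for the same
# local browser across consecutive requests on a dual-stack host.
CONSTRUCTED_REQUESTS = ["0:0:0:0:0:0:0:1", "::1", "127.0.0.1", "::ffff:127.0.0.1"]


def canonical_host(remote_addr: str) -> str:
    """Return a canonical textual form of an IP literal.

    - IPv6 text is compressed ("0:0:0:0:0:0:0:1" -> "::1").
    - IPv4-mapped IPv6 ("::ffff:127.0.0.1") is unwrapped to plain IPv4.
    Raises ValueError for anything that is not an IP literal, so a garbage
    value (for example from a spoofed forwarding header) cannot silently
    compare equal to a stored host.
    """
    addr = ipaddress.ip_address(remote_addr.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def naive_host_changed(last_host: Optional[str], remote_addr: str) -> bool:
    """The raw string-equality style of check described in the thread."""
    return last_host is not None and last_host != remote_addr


def host_changed(last_host: Optional[str], remote_addr: str,
                 treat_loopbacks_as_same: bool = False) -> bool:
    """Canonicalise both addresses before comparing.

    treat_loopbacks_as_same is a deliberate policy knob (an assumption of this
    example): it only collapses loopback addresses with each other, so a jump
    from a loopback to any routable address is still reported.
    """
    if last_host is None:
        return False
    a = ipaddress.ip_address(canonical_host(last_host))
    b = ipaddress.ip_address(canonical_host(remote_addr))
    if a == b:
        return False
    if treat_loopbacks_as_same and a.is_loopback and b.is_loopback:
        return False
    return True


def replay(requests: List[str],
           check: Callable[[Optional[str], str], bool]) -> List[Tuple[str, str]]:
    """Feed a sequence of request addresses through a check.

    Returns the (previous, current) pairs the check flagged as a host jump.
    """
    jumps: List[Tuple[str, str]] = []
    last: Optional[str] = None
    for addr in requests:
        if check(last, addr):
            jumps.append((last, addr))
        last = addr
    return jumps


if __name__ == "__main__":
    print("raw string compare :", replay(CONSTRUCTED_REQUESTS, naive_host_changed))
    print("canonicalised      :", replay(CONSTRUCTED_REQUESTS, host_changed))
    print("loopbacks collapsed:", replay(
        CONSTRUCTED_REQUESTS,
        lambda last, addr: host_changed(last, addr, treat_loopbacks_as_same=True)))
```

Canonicalisation alone removes the spurious `0:0:0:0:0:0:0:1` to `::1` jump but still reports `::1` to `127.0.0.1`, because those really are different addresses; whether a dual-stack loopback should count as one host is a policy choice, which is why it is an explicit flag rather than a silent default, and it does nothing for legitimate clients whose address changes mid-session (mobile networks, NAT pools), which need a separate decision.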
